SC-200 Practice Questions

You are configuring Microsoft Defender for Identity integration with Active Directory. From the Microsoft Defender for Identity portal, you need to configure several accounts for attackers to exploit. Solution: From Azure AD Identity Protection, you configure the sign-in risk policy. Does this meet the goal? A. Yes B. No

B. No

You are configuring Microsoft Defender for Identity integration with Active Directory. From the Microsoft Defender for Identity portal, you need to configure several accounts for attackers to exploit. Solution: You add each account as a Sensitive account. Does this meet the goal? A. Yes B. No

B. No

You are configuring Microsoft Defender for Identity integration with Active Directory. From the Microsoft Defender for Identity portal, you need to configure several accounts for attackers to exploit. Solution: You add the accounts to an Active Directory group and add the group as a Sensitive group. Does this meet the goal? A. Yes B. No

B. No

You have Linux virtual machines on Amazon Web Services (AWS). You deploy Azure Defender and enable auto-provisioning. You need to monitor the virtual machines by using Azure Defender. Solution: You manually install the Log Analytics agent on the virtual machines. Does this meet the goal? A. Yes B. No

B. No

You use Azure Security Center. You receive a security alert in Security Center. You need to view recommendations to resolve the alert in Security Center. Solution: From Security alerts, you select the alert, select Take Action, and then expand the Prevent future attacks section. Does this meet the goal? A. Yes B. No

B. No

You use Azure Security Center. You receive a security alert in Security Center. You need to view recommendations to resolve the alert in Security Center. Solution: From Regulatory compliance, you download the report. Does this meet the goal? A. Yes B. No

B. No

If you want to define past and future review periods that are triggered after policy matches based on events and activities for the insider risk management policy templates, which policy setting do you select? A. Indicators B. Policy timeframes C. Intelligent detections

B. Policy timeframes

Your company starts using Azure Sentinel. The manager wants the administration of the implemented solution to be divided into two groups, Group A and Group B, where: Group A takes responsibility for replacing the tags of Threat Intelligence Indicator. Group B takes responsibility for adding playbooks to automation rules. You need to assign the appropriate roles for both groups to fulfill the manager's request. How should you assign the roles? Responder, Reader, Sentinel Automation Contributor, Security Assessment Contributor

Group A: Responder Group B: Sentinel Automation Contributor

Your company deploys Azure Sentinel. You plan to delegate the administration of Azure Sentinel to various groups. You need to delegate the following task: Create and run playbooks. The solution must use the principle of least privilege. Which role should you assign for this task?

Logic App Contributor

Which solution is used to control the applications that must earn trust to be run? A. Exploit protection B. Controlled folder access C. Application control

C. Application control

Which information is shared on the user account page? A. Security groups B. Threat hunt ID C. Associated alerts D. All of the above

C. Associated alerts

You have an Azure Sentinel deployment. You need to query for all suspicious credential access activities. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. From Azure Sentinel, select Hunting. Select Run All Queries. Select New Query. Filter by tactics. From Azure Sentinel, select Notebooks.

1. From Azure Sentinel, select Hunting. 2. Filter by tactics. 3. Select Run All Queries.

You have an Azure subscription. The subscription contains 10 virtual machines that are onboarded to Microsoft Defender for Cloud. You need to ensure that when Defender for Cloud detects digital currency mining behavior on a virtual machine, you receive an email notification. The solution must generate a test email. Which three actions should you perform in sequence? From Workflow automation in Defender for Cloud, change the status of the workflow automation. From Logic App Designer, run a trigger. From Security alerts in Defender for Cloud, create a sample alert. From Logic App Designer, create a logic app. From workflow automation in Defender for Cloud, add a workflow automation.

1. From Logic App Designer, create a logic app. 2. From Logic App Designer, run a trigger. 3. From workflow automation in Defender for Cloud, add a workflow automation.

You have resources in Azure and Google cloud. You need to ingest Google Cloud Platform (GCP) data into Azure Defender. In which order should you perform the actions? To answer, move all actions from the list of actions to the answer area and arrange them in the correct order. Enable Security Health Analytics. From Azure Security Center, add cloud connectors. Configure the GCP Security Command Center. Create a dedicated service account and a private key. Enable the GCP Security Command Center API.

1. Configure the GCP Security Command Center. 2. Enable Security Health Analytics. 3. Enable the GCP Security Command Center API. 4. Create a dedicated service account and a private key. 5. From Azure Security Center, add cloud connectors.

You plan to connect an external solution that will send Common Event Format (CEF) messages to Azure Sentinel. You need to deploy the log forwarder. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Deploy an OMS Gateway on the network. Set the syslog daemon to forward the events directly to Azure Sentinel. Configure the syslog daemon. Restart the syslog daemon and the Log Analytics agent. Download and install the Log Analytics agent. Set the Log Analytics agent to listen on port 25226 and forward the CEF messages to Azure Sentinel.

1. Download and install the Log Analytics agent. 2. Set the Log Analytics agent to listen on port 25226 and forward the CEF messages to Azure Sentinel. 3. Configure the syslog daemon. Restart the syslog daemon and the Log Analytics agent.

You create a new Azure subscription and start collecting logs for Azure Monitor. You need to configure Azure Security Center to detect possible threats related to sign-ins from suspicious IP addresses to Azure virtual machines. The solution must validate the configuration. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Change the alert severity threshold for emails to Medium. Copy an executable file on a virtual machine and rename the file as ASC_AlertTest_662jfi039N.exe. Enable Azure Defender for the subscription. Change the alert severity threshold for emails to Low. Run the executable file and specify the appropriate arguments. Rename the executable file as AlertTest.exe.

1. Enable Azure Defender for the subscription. 2. Copy an executable file on a virtual machine and rename the file as ASC_AlertTest_662jfi039N.exe. 3. Run the executable file and specify the appropriate arguments.

You are informed of a new common vulnerabilities and exposures (CVE) vulnerability that affects your environment. You need to use Microsoft Defender Security Center to request remediation from the team responsible for the affected systems if there is a documented active exploit available. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. From Device Inventory, search for the CVE. Open the Threat Prediction report. From Threat & Vulnerability Management, select Weaknesses, and search for the CVE. From Advanced hunting, search for CveId in the DeviceTvmSoftwareInventoryVulnerabilities table. Create the remediation request. Select Security recommendations.

1. From Threat & Vulnerability Management, select Weaknesses, and search for the CVE. 2. Select Security recommendations. 3. Create the remediation request.

You have 50 on-premises servers. You have an Azure subscription that uses Microsoft Defender for Cloud. The Defender for Cloud deployment has Microsoft Defender for Servers and automatic provisioning enabled. You need to configure Defender for Cloud to support the on-premises servers. The solution must meet the following requirements: • Provide threat and vulnerability management. • Support data collection rules. Which three actions should you perform in sequence? From the Add servers with Azure Arc settings in the Azure portal, generate an installation script. From the Data controller settings in the Azure portal, create an Azure Arc data controller. On the on-premises servers, install the Azure Connected Machine agent. On the on-premises servers, install the Log Analytics agent. On the on-premises servers, install the Azure Monitor agent.

1. From the Add servers with Azure Arc settings in the Azure portal, generate an installation script. 2. On the on-premises servers, install the Azure Connected Machine agent. 3. On the on-premises servers, install the Log Analytics agent.

You have a Microsoft Sentinel workspace named workspace1 and an Azure virtual machine named VM1. You receive an alert for suspicious use of PowerShell on VM1. You need to investigate the incident, identify which event triggered the alert, and identify whether the following actions occurred on VM1 after the alert: the modification of local group memberships, and the purging of event logs. Which three actions should you perform in sequence in the Azure portal? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. From the details pane of the incident, select Investigate. From the investigation blade, select the entity that represents VM1. From the investigation blade, select the entity that represents powershell.exe. From the investigation blade, select Timeline. From the investigation blade, select Info. From the investigation blade, select Insights.

1. From the details pane of the incident, select Investigate. 2. From the investigation blade, select the entity that represents VM1. 3. From the investigation blade, select Insights.

You are threat hunting using Azure Sentinel. You have created a query designed to identify a specific event on your domain controller. You need to create several similar queries because you have multiple domain controllers and want to keep each query separate. The solution should minimize administrative effort. Which three actions should you perform in sequence to clone a query? To answer, move the appropriate actions from the list of possible actions to the answer area and arrange them in the correct order. On the Create custom query page, make your edits then click the Create button. On the Hunting page of Azure Sentinel, select New query. Choose Clone query by clicking the ellipsis icon at the end of the row. On the Hunting page of Azure Sentinel, find the query you wish to clone. Select the ellipsis in the line of the query you want to modify, and select Edit query.

1. On the Hunting page of Azure Sentinel, find the query you wish to clone. 2. Choose Clone query by clicking the ellipsis icon at the end of the row. 3. On the Create custom query page, make your edits then click the Create button.

You have an Azure Functions app that generates thousands of alerts in Azure Security Center each day for normal activity. You need to hide the alerts automatically in Security Center. Which three actions should you perform in sequence in Security Center? Each correct answer presents part of the solution.

1. Select Security Policy. 2. Select Suppression rules, and then select Create new suppression rule. 3. Select Azure Resource as the entity type and specify the ID.

You have a Microsoft subscription that has Microsoft Defender for Cloud enabled. You configure the Azure logic apps shown in the following table. You need to configure an automatic action that will run if a Suspicious process executed alert is triggered. The solution must minimize administrative effort. Which three actions should you perform in sequence? Configure the Mitigate the threat settings. Configure the Suppress similar alerts settings. Filter by alert title. Configure the Trigger automated response settings. Configure the prevent future attacks settings. Select Take Action.

1. Select Take Action. 2. Configure the prevent future attacks settings. 3. Configure the Trigger automated response settings.

Your environment does NOT have Microsoft Defender for Endpoint enabled. You need to remediate the risk for the Launchpad app. Which four actions should you perform in sequence?

1. Select the app. 2. Tag the app as unsanctioned. 3. Generate a block script. 4. Run the script on the source appliance.

You are configuring Azure Sentinel. You need to send a Microsoft Teams message to a channel whenever a sign-in from a suspicious IP address is detected. Which two actions should you perform in Azure Sentinel? Each correct answer presents part of the solution. A. Add a playbook. B. Associate a playbook to an incident. C. Enable Entity behavior analytics. D. Create a workbook. E. Enable the Fusion rule.

A. Add a playbook. B. Associate a playbook to an incident.

You are investigating a potential attack that deploys a new ransomware strain. You have three custom device groups. The groups contain devices that store highly sensitive information. You plan to perform automated actions on all devices. You need to be able to temporarily group the machines to perform actions on the devices. Which three actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. A. Assign a tag to the device group. B. Add the device users to the admin role. C. Add a tag to the machines. D. Create a new device group that has a rank of 1. E. Create a new admin role. F. Create a new device group that has a rank of 4.

A. Assign a tag to the device group. C. Add a tag to the machines. D. Create a new device group that has a rank of 1.

Your company uses Azure Sentinel. A new security analyst reports that she cannot assign and dismiss incidents in Azure Sentinel. You need to resolve the issue for the analyst. The solution must use the principle of least privilege. Which role should you assign to the analyst? A. Azure Sentinel Responder B. Logic App Contributor C. Azure Sentinel Contributor D. Azure Sentinel Reader

A. Azure Sentinel Responder

You are currently using Azure Sentinel for the collection of Windows security events. You want to use Azure Sentinel to identify Remote Desktop Protocol (RDP) activity that is unusual for your environment. You need to enable the Anomalous RDP Login Detection rule. What two prerequisites do you need to ensure are in place before you can enable this rule? Each correct answer presents part of the solution. A. Collect Security events or Windows Security Events with Event ID 4624. B. Let the machine learning algorithm collect 30 days' worth of Windows Security events data. C. Select an event set other than None. D. Collect Security events or Windows Security Events with Event ID 4720.

A. Collect Security events or Windows Security Events with Event ID 4624. C. Select an event set other than None.

You are configuring Microsoft Cloud App Security. You have a custom threat detection policy based on the IP address ranges of your company's United States-based offices. You receive many alerts related to impossible travel and sign-ins from risky IP addresses. You determine that 99% of the alerts are legitimate sign-ins from your corporate offices. You need to prevent alerts for legitimate sign-ins from known locations. Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. A. Configure automatic data enrichment. B. Add the IP addresses to the corporate address range category. C. Increase the sensitivity level of the impossible travel anomaly detection policy. D. Add the IP addresses to the other address range category and add a tag. E. Create an activity policy that has an exclusion for the IP addresses.

A. Configure automatic data enrichment. D. Add the IP addresses to the other address range category and add a tag.

You have the following environment: Azure Sentinel; a Microsoft 365 subscription; Microsoft Defender for Identity; an Azure Active Directory (Azure AD) tenant. You configure Azure Sentinel to collect security logs from all the Active Directory member servers and domain controllers. You deploy Microsoft Defender for Identity by using standalone sensors. You need to ensure that you can detect when sensitive groups are modified in Active Directory. Which two actions should you perform? Each correct answer presents part of the solution. A. Configure the Advanced Audit Policy Configuration settings for the domain controllers. B. Modify the permissions of the Domain Controllers organizational unit (OU). C. Configure auditing in the Microsoft 365 compliance center. D. Configure Windows Event Forwarding on the domain controllers.

A. Configure the Advanced Audit Policy Configuration settings for the domain controllers. D. Configure Windows Event Forwarding on the domain controllers.

You have the following advanced hunting query in Microsoft 365 Defender. You need to receive an alert when any process disables System Restore on a device managed by Microsoft Defender during the last 24 hours. Which two actions should you perform? Each correct answer presents part of the solution. A. Create a detection rule. B. Create a suppression rule. C. Add | order by Timestamp to the query. D. Replace DeviceProcessEvents with DeviceNetworkEvents. E. Add DeviceId and ReportId to the output of the query

A. Create a detection rule. E. Add DeviceId and ReportId to the output of the query

You have two Azure subscriptions that use Microsoft Defender for Cloud. You need to ensure that specific Defender for Cloud security alerts are suppressed at the root management group level. The solution must minimize administrative effort. What should you do in the Azure portal? A. Create an Azure Policy assignment. B. Modify the Workload protections settings in Defender for Cloud. C. Create an alert rule in Azure Monitor. D. Modify the alert settings in Defender for Cloud.

A. Create an Azure Policy assignment.

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint. You need to add threat indicators for all the IP addresses in a range of 171.23.34.32-171.23.34.63. The solution must minimize administrative effort. What should you do in the Microsoft 365 Defender portal? A. Create an import file that contains the individual IP addresses in the range. Select Import and import the file. B. Create an import file that contains the IP address of 171.23.34.32/27. Select Import and import the file. C. Select Add indicator and set the IP address to 171.23.34.32-171.23.34.63. D. Select Add indicator and set the IP address to 171.23.34.32/27.

A. Create an import file that contains the individual IP addresses in the range. Select Import and import the file.

Configuring a Microsoft Human Resources (HR) data connector is a dependency for which insider risk management template? A. Departing employee's data theft template B. Data leaks C. Offensive language in email

A. Departing employee's data theft template

You plan to review Microsoft Defender for Cloud alerts by using a third-party security information and event management (SIEM) solution. You need to locate alerts that indicate the use of the Privilege Escalation MITRE ATT&CK tactic. Which JSON key should you search? A. Description B. Intent C. ExtendedProperties D. Entities

A. Description

The Defender for Cloud Apps framework includes which of the following? A. Discover and control the use of Shadow IT B. Block external traffic C. Protect Active Directory

A. Discover and control the use of Shadow IT

You implement Safe Attachments policies in Microsoft Defender for Office 365. Users report that email messages containing attachments take longer than expected to be received. You need to reduce the amount of time it takes to deliver messages that contain attachments without compromising security. The attachments must be scanned for malware, and any messages that contain malware must be blocked. What should you configure in the Safe Attachments policies? A. Dynamic Delivery B. Replace C. Block and Enable redirect D. Monitor and Enable redirect

A. Dynamic Delivery

You are configuring Azure Sentinel. You need to send a Microsoft Teams message to a channel whenever an incident representing a sign-in risk event is activated in Azure Sentinel. Which two actions should you perform in Azure Sentinel? Each correct answer presents part of the solution. A. Enable Entity behavior analytics. B. Associate a playbook to the analytics rule that triggered the incident. C. Enable the Fusion rule. D. Add a playbook. E. Create a workbook.

A. Enable Entity behavior analytics. B. Associate a playbook to the analytics rule that triggered the incident.

Which of the case actions opens a new eDiscovery (Premium) case in your Microsoft O365 investigation? A. Escalate for investigation B. Send a notice C. Resolve the case

A. Escalate for investigation

You use Azure Defender. You have an Azure Storage account that contains sensitive information. You need to run a PowerShell script if someone accesses the storage account from a suspicious IP address. Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. A. From Azure Security Center, enable workflow automation. B. Create an Azure logic app that has a manual trigger. C. Create an Azure logic app that has an Azure Security Center alert trigger. D. Create an Azure logic app that has an HTTP trigger. E. From Azure Active Directory (Azure AD), add an app registration.

A. From Azure Security Center, enable workflow automation. C. Create an Azure logic app that has an Azure Security Center alert trigger.

You have a Microsoft Sentinel workspace that contains the following incident. Brute force attack against Azure Portal analytics rule has been triggered. You need to identify the geolocation information that corresponds to the incident. What should you do? A. From Overview, review the Potential malicious events map. B. From Incidents, review the details of the IPCustomEntity entity associated with the incident. C. From Incidents, review the details of the AccountCustomEntity entity associated with the incident. D. From Investigation, review insights on the incident entity.

A. From Overview, review the Potential malicious events map.

You create an Azure subscription named sub1. In sub1, you create a Log Analytics workspace named workspace1. You enable Azure Security Center and configure Security Center to use workspace1. You need to collect security event logs from the Azure virtual machines that report to workspace1. What should you do? A. From Security Center, enable data collection B. In sub1, register a provider. C. From Security Center, create a Workflow automation. D. In workspace1, create a workbook.

A. From Security Center, enable data collection

You have a Microsoft 365 subscription that uses Microsoft 365 Defender. A remediation action for an automated investigation quarantines a file across multiple devices. You need to mark the file as safe and remove the file from quarantine on the devices. What should you use in the Microsoft 365 Defender portal? A. From the History tab in the Action center, revert the actions. B. From the investigation page, review the AIR processes. C. From Quarantine from the Review page, modify the rules. D. From Threat tracker, review the queries.

A. From the History tab in the Action center, revert the actions.

You have an Azure subscription that uses Microsoft Defender for Cloud and contains 100 virtual machines that run Windows Server. You need to configure Defender for Cloud to collect event data from the virtual machines. The solution must minimize administrative effort and costs. Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. A. From the workspace created by Defender for Cloud, set the data collection level to Common. B. From the Microsoft Endpoint Manager admin center, enable automatic enrollment. C. From the Azure portal, create an Azure Event Grid subscription. D. From the workspace created by Defender for Cloud, set the data collection level to All Events. E. From Defender for Cloud in the Azure portal, enable automatic provisioning for the virtual machines.

A. From the workspace created by Defender for Cloud, set the data collection level to Common. E. From Defender for Cloud in the Azure portal, enable automatic provisioning for the virtual machines.

Which of the following options is a valid Microsoft 365 Defender for Endpoint onboarding option for Windows 10 devices? A. Group policy B. Microsoft Store C. General install package

A. Group policy

Which anomaly detection policy triggers an alert if the same user credentials originate from two geographically distant locations within a short time? A. Impossible travel B. Impossible distance C. Impossible twins

A. Impossible travel

You create an Azure subscription named sub1. In sub1, you create a Log Analytics workspace named workspace1. You enable Azure Security Center and configure Security Center to use workspace1. You need to ensure that Security Center processes events from the Azure virtual machines that report to workspace1. What should you do? A. In workspace1, install a solution. B. In sub1, register a provider. C. From Security Center, create a Workflow automation. D. In workspace1, create a workbook.

A. In workspace1, install a solution.

You create an Azure subscription. You enable Azure Defender for the subscription. You need to use Azure Defender to protect on-premises computers. What should you do on the on-premises computers? A. Install the Log Analytics agent. B. Install the Dependency agent. C. Configure the Hybrid Runbook Worker role. D. Install the Connected Machine agent.

A. Install the Log Analytics agent.

You are responsible for responding to Azure Defender for Key Vault alerts. During an investigation of an alert, you discover unauthorized attempts to access a key vault from a Tor exit node. What should you configure to mitigate the threat? A. Key Vault firewalls and virtual networks B. Azure Active Directory (Azure AD) permissions C. role-based access control (RBAC) for the key vault D. the access policy settings of the key vault

A. Key Vault firewalls and virtual networks

What describes Safe Attachments from Microsoft Defender for Office 365? A. Messages and attachments are routed to a special environment where Microsoft Defender for Office 365 uses various machine learning and analysis techniques to detect malicious intent. B. Protects your users from malicious URLs in a message or in an Office document. C. A powerful report that enables your Security Operations team to investigate and respond to threats effectively and efficiently.

A. Messages and attachments are routed to a special environment where Microsoft Defender for Office 365 uses various machine learning and analysis techniques to detect malicious intent.

Which Microsoft 365 Defender solution can detect an Active Directory Domain compromise? A. Microsoft Defender for Identity B. Microsoft Defender for Endpoint C. Microsoft Defender for Office 365

A. Microsoft Defender for Identity

You are a SOC analyst at company XYZ, which has implemented Microsoft Defender for Endpoint. You are assigned an incident with alerts related to a suspicious PowerShell command line. You start by reviewing the incident to understand all the related alerts, devices, and evidence. You open the alert page to evaluate the alert and choose to perform further analysis on the device. You open the Device page and decide that you require remote access to the device to collect more forensics information using a custom .ps1 script. Which type of information is gathered in an Investigation package? A. Prefetch Files B. Network transactions C. Command History D. Process History

A. Prefetch Files

Which of the following describes advanced threats detected by Microsoft Defender for Identity? A. Reconnaissance B. Vertical movements C. Bitcoin mining

A. Reconnaissance

A healthcare employee left work with an unencrypted work laptop, which was stolen days later in a burglary. Data containing sensitive information for 100 patients is on the laptop. This is an example of which type of internal risk? A. Regulatory compliance violation B. Sabotage C. Data leak

A. Regulatory compliance violation

Which report would you review to find devices that were identified as part of a detected risk? A. Risky sign-in report B. Risky user report C. Risky registration report

A. Risky sign-in report

You are using the Microsoft 365 Defender portal to conduct an investigation into a multi-stage incident related to a suspected malicious document. After reviewing all the details, you have determined that the alert tied to this potentially malicious document is also related to another incident in your environment. However, the alert is not currently listed as a part of that second incident. Your investigation into the alert is ongoing, as is your investigation into the two related incidents. You need to appropriately categorize the alert and ensure that it is associated with the second incident. What two actions should you take in the Manage alert pane to fulfill this part of the investigation? A. Select the Link alert to another incident option. B. Set classification to True alert. C. Set status to New. D. Set status to In progress. E. Enter the Incident ID of the related incident in the Comment section.

A. Select the Link alert to another incident option. D. Set status to In progress.

What is required to deploy Microsoft Defender for Endpoint to Windows devices in your organization? A. Subscription to the Microsoft Defender for Endpoint online service. B. No action is required. Microsoft Defender for Endpoint is included in the Windows 10 operating system. C. License for Microsoft Intune.

A. Subscription to the Microsoft Defender for Endpoint online service.

You create a custom analytics rule to detect threats in Azure Sentinel. You discover that the rule fails intermittently. What are two possible causes of the failures? (Each correct answer presents part of the solution. Choose two.) A. The rule query takes too long to run and times out. B. The target workspace was deleted. C. Permissions to the data sources of the rule query were modified. D. There are connectivity issues between the data sources and Log Analytics.

A. The rule query takes too long to run and times out. D. There are connectivity issues between the data sources and Log Analytics.

Microsoft Defender for Identity requires an on-premises Active Directory environment. A. True B. False

A. True

You can classify an Incident as which of the following? A. True alert B. High alert C. Test alert

A. True alert

You are configuring Azure Sentinel. You need to create an incident in Azure Sentinel when a sign-in to an Azure virtual machine from a malicious IP address is detected. Solution: You create a Microsoft incident creation rule for a data connector. Does this meet the goal?

A. Yes

You are configuring Microsoft Defender for Identity integration with Active Directory. From the Microsoft Defender for identity portal, you need to configure several accounts for attackers to exploit. Solution: From Entity tags, you add the accounts as Honeytoken accounts. Does this meet the goal? A. Yes B. No

A. Yes

You have Linux virtual machines on Amazon Web Services (AWS). You deploy Azure Defender and enable auto-provisioning. You need to monitor the virtual machines by using Azure Defender. Solution: You enable Azure Arc and onboard the virtual machines to Azure Arc. Does this meet the goal? A. Yes B. No

A. Yes

You use Azure Security Center. You receive a security alert in Security Center. You need to view recommendations to resolve the alert in Security Center. Solution: From Security alerts, you select the alert, select Take Action, and then expand the Mitigate the threat section. Does this meet the goal? A. Yes B. No

A. Yes

You want to use a risky sign-in report to find information on risky sign-ins for the past 29 days. How can you access this report? A. You can access and download the report from the Azure portal. B. You can't access the report from the portal because the data isn't retained any longer. C. You can't access the report from the portal, but only if you downloaded it in the first 30 days.

A. You can access and download the report from the Azure portal.

Which of the following choices describes threat hunting using Microsoft Defender for Endpoint? A. You can proactively inspect events in your network using a powerful search and query tool. B. Detecting and blocking apps that are considered unsafe but may not be detected as malware. C. Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware.

A. You can proactively inspect events in your network using a powerful search and query tool.

You have an Azure subscription that uses Microsoft Sentinel. You need to create a custom report that will visualize sign-in information over time. What should you create first? A. a workbook B. a hunting query C. a notebook D. a playbook

A. a workbook

You have an Azure subscription that contains a Log Analytics workspace. You need to enable just-in-time (JIT) VM access and network detections for Azure resources. Where should you enable Azure Defender? A. at the subscription level B. at the workspace level C. at the resource level

A. at the subscription level

You provision a Linux virtual machine in a new Azure subscription. You enable Azure Defender and onboard the virtual machine to Azure Defender. You need to verify that an attack on the virtual machine triggers an alert in Azure Defender. Which two Bash commands should you run on the virtual machine? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. A. cp /bin/echo ./asc_alerttest_662jfi039n B. ./alerttest testing eicar pipe C. cp /bin/echo ./alerttest D. ./asc_alerttest_662jfi039n testing eicar pipe

A. cp /bin/echo ./asc_alerttest_662jfi039n D. ./asc_alerttest_662jfi039n testing eicar pipe

You have an Azure subscription that uses Microsoft Defender for Endpoint. You need to ensure that you can allow or block a user-specified range of IP addresses and URLs. What should you enable first in the Advanced features from the Endpoints Settings in the Microsoft 365 Defender portal? A. custom network indicators B. live response for servers C. endpoint detection and response (EDR) in block mode D. web content filtering

A. custom network indicators

You need to visualize Azure Sentinel data and enrich the data by using third-party data sources to identify indicators of compromise (IoC). What should you use? A. notebooks in Azure Sentinel B. Microsoft Cloud App Security C. Azure Monitor D. hunting queries in Azure Sentinel

A. notebooks in Azure Sentinel

You have an Azure subscription that uses Microsoft Defender for Cloud. You have an Amazon Web Services (AWS) account that contains an Amazon Elastic Compute Cloud (EC2) instance named EC2-1. You need to onboard EC2-1 to Defender for Cloud. What should you install on EC2-1? A. the Log Analytics agent B. the Azure Connected Machine agent C. the unified Microsoft Defender for Endpoint solution package D. Microsoft Monitoring Agent

A. the Log Analytics agent

You have a Microsoft 365 E5 subscription that is linked to a hybrid Azure AD tenant. You need to identify all the changes made to Domain Admins group during the past 30 days. What should you use? A. the Modifications of sensitive groups report in Microsoft Defender for Identity B. the identity security posture assessment in Microsoft Defender for Cloud Apps C. the Azure Active Directory Provisioning Analysis workbook D. the Overview settings of Insider risk management

A. the Modifications of sensitive groups report in Microsoft Defender for Identity

You have a Microsoft 365 tenant that uses Microsoft Exchange Online and Microsoft Defender for Office 365. What should you use to identify whether zero-hour auto purge (ZAP) moved an email message from the mailbox of a user? A. the Threat Protection Status report in Microsoft Defender for Office 365 B. the mailbox audit log in Exchange C. the Safe Attachments file types report in Microsoft Defender for Office 365 D. the mail flow report in Exchange

A. the Threat Protection Status report in Microsoft Defender for Office 365

A security administrator receives email alerts from Azure Defender for activities such as potential malware uploaded to a storage account and potential successful brute force attacks. The security administrator does NOT receive email alerts for activities such as antimalware action failed and suspicious network activity. The alerts appear in Azure Security Center. You need to ensure that the security administrator receives email alerts for all the activities. What should you configure in the Security Center settings? A. the severity level of email notifications B. a cloud connector C. the Azure Defender plans D. the integration settings for Threat detection

A. the severity level of email notifications

Your company deploys Azure Sentinel. You plan to delegate the administration of Azure Sentinel to various groups. You need to delegate the following tasks: Create workbooks and analytic rules. The solution must use the principle of least privilege. Which role should you assign for this task?

Azure Sentinel Contributor

Which of the following items is a deployment option? A. PowerShell B. ASRConfig.exe C. Microsoft Deployment System

B. ASRConfig.exe

You use Azure Sentinel. You need to receive an immediate alert whenever Azure Storage account keys are enumerated. Which two actions should you perform? Each correct answer presents part of the solution. A. Create a livestream B. Add a data connector C. Create an analytics rule D. Create a hunting query. E. Create a bookmark.

B. Add a data connector D. Create a hunting query.

You have an existing Azure logic app that is used to block Azure Active Directory (Azure AD) users. The logic app is triggered manually. You deploy Azure Sentinel. You need to use the existing logic app as a playbook in Azure Sentinel. What should you do first? A. Add a new scheduled query rule. B. Add a data connector to Azure Sentinel. C. Configure a custom Threat Intelligence connector in Azure Sentinel. D. Modify the trigger in the logic app.

B. Add a data connector to Azure Sentinel.

You recently deployed Azure Sentinel. You discover that the default Fusion rule does not generate any alerts. You verify that the rule is enabled. You need to ensure that the Fusion rule can generate alerts. What should you do? A. Disable, and then enable the rule. B. Add data connectors C. Create a new machine learning analytics rule. D. Add a hunting bookmark.

B. Add data connectors

You have a Microsoft 365 subscription that uses Microsoft 365 Defender. You plan to create a hunting query from Microsoft Defender. You need to create a custom tracked query that will be used to assess the threat status of the subscription. From the Microsoft 365 Defender portal, which page should you use to create the query? A. Threat analytics B. Advanced Hunting C. Explorer D. Policies & rules

B. Advanced Hunting

Microsoft Defender for Endpoint gives configuration selections for alerts and detections. These include notifications, custom indicators, and detection rules. Which filter is a part of an Alert notification rule? A. Subject IDs B. Alert Severity C. Account D. Alert IDs

B. Alert Severity

Which option below is an attack surface reduction rule that can be configured? A. Block PowerShell from executing B. Block process creations originating from PSExec and WMI commands C. Block content from mobile devices

B. Block process creations originating from PSExec and WMI commands

You have a suppression rule in Azure Security Center for 10 virtual machines that are used for testing. The virtual machines run Windows Server. You are troubleshooting an issue on the virtual machines. In Security Center, you need to view the alerts generated by the virtual machines during the last five days. What should you do? A. Change the rule expiration date of the suppression rule. B. Change the state of the suppression rule to Disabled. C. Modify the filter for the Security alerts page. D. View the Windows event logs on the virtual machines.

B. Change the state of the suppression rule to Disabled.

You have a third-party security information and event management (SIEM) solution. You need to ensure that the SIEM solution can generate alerts for Azure Active Directory (Azure AD) sign-in events in near real time. What should you do to route events to the SIEM solution? A. Create an Azure Sentinel workspace that has a Security Events connector. B. Configure the Diagnostics settings in Azure AD to stream to an event hub. C. Create an Azure Sentinel workspace that has an Azure Active Directory connector. D. Configure the Diagnostics settings in Azure AD to archive to a storage account.

B. Configure the Diagnostics settings in Azure AD to stream to an event hub.

You have an Azure subscription that has Microsoft Defender for Cloud enabled. You have a virtual machine that runs Windows 10 and has the Log Analytics agent installed. You need to simulate an attack on the virtual machine that will generate an alert. What should you do first? A. Run the Log Analytics Troubleshooting Tool. B. Copy an executable and rename the file as ASC_AlertTest_662jfi039N.exe. C. Modify the settings of the Microsoft Monitoring Agent. D. Run the MMASetup executable and specify the -foo argument.

B. Copy an executable and rename the file as ASC_AlertTest_662jfi039N.exe.

Your company stores the data for every project in a different Azure subscription. All the subscriptions use the same Azure Active Directory (Azure AD) tenant. Every project consists of multiple Azure virtual machines that run Windows Server. The Windows events of the virtual machines are stored in a Log Analytics workspace in each machine's respective subscription. You deploy Azure Sentinel to a new Azure subscription. You need to perform hunting queries in Azure Sentinel to search across all the Log Analytics workspaces of all the subscriptions. Which two actions should you perform? Each correct answer presents part of the solution. A. Add the Security Events connector to the Azure Sentinel workspace. B. Create a query that uses the workspace expression and the union operator. C. Use the alias statement. D. Create a query that uses the resource expression and the alias operator. E. Add the Azure Sentinel solution to each workspace.

B. Create a query that uses the workspace expression and the union operator. E. Add the Azure Sentinel solution to each workspace.

Which DLP component has the logic to protect content in locations such as SharePoint Online? A. Sensitive info types B. DLP Policy C. Sensitivity label

B. DLP Policy

Which Behavioral blocking can be used with third-party antivirus? A. Client behavior blocking. B. EDR in block mode C. Feedback-loop blocking

B. EDR in block mode

You receive an alert from Azure Defender for Key Vault. You discover that the alert is generated from multiple suspicious IP addresses. You need to reduce the potential of Key Vault secrets being leaked while you investigate the issue. The solution must be implemented as soon as possible and must minimize the impact on legitimate users. What should you do first? A. Modify the access control settings for the key vault. B. Enable the Key Vault firewall. C. Create an application security group. D. Modify the access policy for the key vault.

B. Enable the Key Vault firewall.

True or false? Microsoft Defender for Office 365 requires an agent to be deployed to all Windows 10 devices in your organization for the best protection. A. True B. False

B. False

In Defender for Cloud Apps, which type of policy is used for DLP? A. Access Policy B. File Policy C. Activity Policy

B. File Policy

You use Azure Security Center. You receive a security alert in Security Center. You need to view recommendations to resolve the alert in Security Center. What should you do? A. From Security alerts, select the alert, select Take Action, and then expand the Prevent future attacks section. B. From Security alerts, select Take Action, and then expand the Mitigate the threat section. C. From Regulatory compliance, download the report. D. From Recommendations, download the CSV report.

B. From Security alerts, select Take Action, and then expand the Mitigate the threat section.

Your company uses Microsoft Defender for Endpoint. The company has Microsoft Word documents that contain macros. The documents are used frequently on the devices of the company's accounting team. You need to hide false positives in the Alerts queue, while maintaining the existing security posture. Which three actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. A. Resolve the alert automatically. B. Hide the alert. C. Create a suppression rule scoped to any device. D. Create a suppression rule scoped to a device group. E. Generate the alert.

B. Hide the alert. C. Create a suppression rule scoped to any device. E. Generate the alert.

You have a custom Microsoft Sentinel workbook named Workbook1. You need to add a grid to Workbook1. The solution must ensure that the grid contains a maximum of 100 rows. What should you do? A. In the query editor interface, configure Settings. B. In the query editor interface, select Advanced Editor C. In the grid query, include the project operator. D. In the grid query, include the take operator.

B. In the query editor interface, select Advanced Editor

Which security permission allows the configuration of storage settings? A. Manage security settings in Security Center B. Manage portal system settings C. Advanced commands

B. Manage portal system settings

Which Microsoft 365 Defender solution can detect a malware installation? A. Microsoft Defender for Identity B. Microsoft Defender for Endpoint C. Microsoft Defender for Office 365

B. Microsoft Defender for Endpoint

You are configuring Azure Sentinel. You need to create an incident in Azure Sentinel when a sign-in to an Azure virtual machine from a malicious IP address is detected. Solution: You create a hunting bookmark. Does this meet the goal? A. Yes B. No

B. No

You have an Azure subscription that uses Microsoft Defender for Cloud and contains a user named User1. You need to ensure that User1 can modify Microsoft Defender for Cloud security policies. The solution must use the principle of least privilege. Which role should you assign to User1? A. Security operator B. Security Admin C. Owner D. Contributor

B. Security Admin

Your company uses line-of-business apps that contain Microsoft Office VBA macros. You plan to enable protection against downloading and running additional payloads from the Office VBA macros as additional child processes. You need to identify which Office VBA macros might be affected. Which two commands can you run to achieve the goal? Each correct answer presents a complete solution. A. Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled B. Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions AuditMode C. Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions AuditMode D. Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled

B. Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions AuditMode C. Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions AuditMode

You want to analyze risks that describe authentication requests for sign-ins that probably weren't authorized by users. Which type of risks will you analyze? A. User risk B. Sign-in risk C. Authentication risk

B. Sign-in risk

The default data retention period in Microsoft 365 Defender for Endpoint is? A. One month B. Six months C. Three months

B. Six months

You have a Microsoft 365 E5 subscription that uses Microsoft 365 Defender. You need to review new attack techniques discovered by Microsoft and identify vulnerable resources in the subscription. The solution must minimize administrative effort. Which blade should you use in the Microsoft 365 Defender portal? A. Advanced hunting B. Threat analytics C. Incidents & alerts D. Learning hub

B. Threat analytics

How can you ensure that a file is sent into quarantine for review by an administrator? A. When creating a file policy, select Quarantine for admin B. When creating a file policy, select Put in admin quarantine C. When creating a file policy, select Put in review for admin

B. When creating a file policy, select Put in admin quarantine

A company uses Azure Sentinel. You need to create an automated threat response. What should you use? A. a data connector B. a playbook C. a workbook D. a Microsoft incident creation rule

B. a playbook

You have a Microsoft 365 subscription that contains 1,000 Windows 10 devices. The devices have Microsoft Office 365 installed. You need to mitigate the following device threats: ✑ Microsoft Excel macros that download scripts from untrusted websites ✑ Users that open executable attachments in Microsoft Outlook ✑ Outlook rules and forms exploits What should you use? A. Microsoft Defender Antivirus B. attack surface reduction rules in Microsoft Defender for Endpoint C. Windows Defender Firewall D. adaptive application control in Azure Defender

B. attack surface reduction rules in Microsoft Defender for Endpoint

You plan to create a custom Azure Sentinel query that will track anomalous Azure Active Directory (Azure AD) sign-in activity and present the activity as a time chart aggregated by day. You need to create a query that will be used to display the time chart. What should you include in the query? A. extend B. bin C. makeset D. workspace

B. bin

Your company deploys the following services: ✑ Microsoft Defender for Identity ✑ Microsoft Defender for Endpoint ✑ Microsoft Defender for Office 365 You need to provide a security analyst with the ability to use the Microsoft 365 security center. The analyst must be able to approve and reject pending actions generated by Microsoft Defender for Endpoint. The solution must use the principle of least privilege. Which two roles should you assign to the analyst? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. A. the Compliance Data Administrator in Azure Active Directory (Azure AD) B. the Active remediation actions role in Microsoft Defender for Endpoint C. the Security Administrator role in Azure Active Directory (Azure AD) D. the Security Reader role in Azure Active Directory (Azure AD)

B. the Active remediation actions role in Microsoft Defender for Endpoint D. the Security Reader role in Azure Active Directory (Azure AD)

You have an Azure subscription that has Microsoft Defender for Cloud enabled. You have a virtual machine named Server1 that runs Windows Server 2022 and is hosted in Amazon Web Services (AWS). You need to collect logs and resolve vulnerabilities for Server1 by using Defender for Cloud. What should you install first on Server1? A. the Microsoft Monitoring Agent B. the Azure Monitor agent C. the Azure Arc agent D. the Azure Pipelines agent

B. the Azure Monitor agent

You have an Azure subscription that uses Microsoft Defender for Cloud and contains a storage account named storage1. You receive an alert that there was an unusually high volume of delete operations on the blobs in storage1. You need to identify which blobs were deleted. What should you review? A. the activity logs of storage1 B. the Azure Storage Analytics logs C. the alert details D. the related entities of the alert

B. the Azure Storage Analytics logs

You have five on-premises Linux servers. You have an Azure subscription that uses Microsoft Defender for Cloud. You need to use Defender for Cloud to protect the Linux servers. What should you install on the servers first? A. the Dependency agent B. the Log Analytics agent C. the Azure Connected Machine agent D. the Guest Configuration extension

B. the Log Analytics agent

You have a Microsoft 365 subscription that has Microsoft 365 Defender enabled. You need to identify all the changes made to sensitivity labels during the past seven days. What should you use? A. the Incidents blade of the Microsoft 365 Defender portal B. the Alerts settings on the Data Loss Prevention blade of the Microsoft 365 compliance center C. Activity explorer in the Microsoft 365 compliance center D. the Explorer settings on the Email & collaboration blade of the Microsoft 365 Defender portal

C. Activity explorer in the Microsoft 365 compliance center

You need to receive a security alert when a user attempts to sign in from a location that was never used by the other users in your organization to sign in. Which anomaly detection policy should you use? A. Impossible travel B. Activity from anonymous IP addresses C. Activity from infrequent country D. Malware detection

C. Activity from infrequent country

What type of policy would you create in MDA to monitor employee credentials being used in another country? A. Access policy B. Session policy C. Activity policy D. Privileged accounts

C. Activity policy

You have an Azure Sentinel deployment in the East US Azure region. You create a Log Analytics workspace named LogsWest in the West US Azure region. You need to ensure that you can use scheduled analytics rules in the existing Azure Sentinel deployment to generate alerts based on queries to LogsWest. What should you do first? A. Deploy Azure Data Catalog to the West US Azure region. B. Modify the workspace settings of the existing Azure Sentinel deployment. C. Add Azure Sentinel to a workspace. D. Create a data connector in Azure Sentinel.

C. Add Azure Sentinel to a workspace.

You have an Azure subscription that uses Microsoft Defender for Cloud and contains a resource group named RG1. RG1 contains 20 virtual machines that run Windows Server 2019. You need to configure just-in-time (JIT) access for the virtual machines in RG1. The solution must meet the following requirements: • Limit the maximum request time to two hours. • Limit protocols access to Remote Desktop Protocol (RDP) only. • Minimize administrative effort. What should you use? A. Azure AD Privileged Identity Management (PIM) B. Azure Policy C. Azure Bastion D. Azure Front Door

C. Azure Bastion

You have an Azure subscription that has Azure Defender enabled for all supported resource types. You need to configure the continuous export of high-severity alerts to enable their retrieval from a third-party security information and event management (SIEM) solution. To which service should you export the alerts? A. Azure Cosmos DB B. Azure Event Grid C. Azure Event Hubs D. Azure Data Lake

C. Azure Event Hubs

You have a Microsoft 365 subscription that uses Microsoft Defender for Office 365. You have Microsoft SharePoint Online sites that contain sensitive documents. The documents contain customer account numbers that each consists of 32 alphanumeric characters. You need to create a data loss prevention (DLP) policy to protect the sensitive documents. What should you use to detect which documents are sensitive? A. SharePoint search B. a hunting query in Microsoft 365 Defender C. Azure Information Protection D. RegEx pattern matching

C. Azure Information Protection

Which of the following is not an Attack Simulator scenario? A. Spear phishing B. Password spray C. Bitcoin mining

C. Bitcoin mining

Which of the following capabilities isn't a component of Microsoft Defender for Endpoint? A. Next generation protection B. Endpoint detection and response C. Cloud device management

C. Cloud device management

How do you protect against identity-based risks by using Azure AD Identity Protection? A. Configure an investigation policy and then remediate. B. Configure a report, remediate, and then configure a policy. C. Configure a policy, investigate by using a report, and remediate.

C. Configure a policy, investigate by using a report, and remediate.

Which one of the following applies to Microsoft Insider Risk Management policies and templates? A. Insider risk settings for Privacy and Policy Indicators can be configured to apply for a specific policy. B. Microsoft Insider Risk Management policies and templates are for malicious intent violations. C. Each policy must have a template assigned in the policy creation wizard before the policy is created.

C. Each policy must have a template assigned in the policy creation wizard before the policy is created.

You have a Microsoft 365 subscription that uses Microsoft 365 Defender. You need to identify all the entities affected by an incident. Which tab should you use in the Microsoft 365 Defender portal? A. Investigations B. Devices C. Evidence and Response D. Alerts

C. Evidence and Response

The security operations analyst has found an interesting event, what should be done to mark it for further review? A. Tag B. Highlight C. Flag

C. Flag

You want to search for insider risk alerts that occurred in the past 30 days and are high severity risks. The easiest way to accomplish this is to do which of the following? A. From the Alerts dashboard search for "last 30 days". B. Click "Export" to download a CSV file with all alerts. Import this into Excel and use the filter function. C. From the Alerts dashboard, select the Filter control.

C. From the Alerts dashboard, select the Filter control.

You provision Azure Sentinel for a new Azure subscription. You are configuring the Security Events connector. While creating a new rule from a template in the connector, you decide to generate a new alert for every event. You create the following rule query. By which two components can you group alerts into incidents? Each correct answer presents a complete solution. A. user B. resource group C. IP address D. computer

C. IP address D. computer

Which of the following is not a supported integration for Microsoft Defender for Identity? A. Microsoft Defender for Endpoint B. Microsoft Defender for Cloud Apps C. Intune

C. Intune

When you're reviewing a specific incident, which tab is contained on the incident page? A. Networks B. Non-Azure Machines C. Mailboxes

C. Mailboxes

You have a Microsoft 365 subscription. The subscription uses Microsoft 365 Defender and has data loss prevention (DLP) policies that have aggregated alerts configured. You need to identify the impacted entities in an aggregated alert. What should you review in the DLP alert management dashboard of the Microsoft 365 compliance center? A. the Events tab of the alert B. the Sensitive Info Types tab of the alert C. Management log D. the Details tab of the alert

C. Management log

You have an Azure subscription that uses Microsoft Defender for Cloud. You need to filter the security alerts view to show the following alerts: • Unusual user accessed a key vault • Log on from an unusual location • Impossible travel activity Which severity should you use? A. Informational B. Low C. Medium D. High

C. Medium

The Devices page shows information from which Defender product? A. Microsoft Cloud App Security B. Microsoft Defender for Identity C. Microsoft Defender for Endpoint

C. Microsoft Defender for Endpoint

Which Microsoft 365 Defender solution can detect a phishing email? A. Microsoft Defender for Identity B. Microsoft Defender for Endpoint C. Microsoft Defender for Office 365

C. Microsoft Defender for Office 365

Your company has an on-premises network that uses Microsoft Defender for Identity. The Microsoft Secure Score for the company includes a security assessment associated with unsecure Kerberos delegation. You need to remediate the security risk. What should you do? A. Disable legacy protocols on the computers listed as exposed entities. B. Enforce LDAP signing on the computers listed as exposed entities. C. Modify the properties of the computer objects listed as exposed entities. D. Install the Local Administrator Password Solution (LAPS) extension on the computers listed as exposed entities.

C. Modify the properties of the computer objects listed as exposed entities.

You have an Azure subscription that contains a virtual machine named VM1 and uses Azure Defender. Azure Defender has automatic provisioning enabled. You need to create a custom alert suppression rule that will suppress false positive alerts for suspicious use of PowerShell on VM1. What should you do first? A. From Azure Security Center, add a workflow automation. B. On VM1, run the Get-MPThreatCatalog cmdlet. C. On VM1 trigger a PowerShell alert. D. From Azure Security Center, export the alerts to a Log Analytics workspace.

C. On VM1 trigger a PowerShell alert.

Your company uses Azure Security Center and Azure Defender. The security operations team at the company informs you that it does NOT receive email notifications for security alerts. What should you configure in Security Center to enable the email notifications? A. Security solutions B. Security policy C. Pricing & settings D. Security alerts E. Azure Defender

C. Pricing & settings

Which of these is a feature of Conditional Access App Control policies? A. Remote access B. Require multi-factor authentication C. Protect on download

C. Protect on download

Which DLP component is used to classify a document? A. Sensitive info types B. Retention Policy C. Sensitivity label

C. Sensitivity label

You create a new policy by stepping through the policy wizard and policy settings. Which of the following is optional when creating a new policy? A. The users or groups the policy will apply to B. Alert indicators C. Specify content to prioritize

C. Specify content to prioritize

A Windows 10 Device doesn't appear in the device list, what could be the problem? A. The Device was renamed. B. The Device is missing the latest KBs C. The Device hasn't had alerts in the past 30 days.

C. The Device hasn't had alerts in the past 30 days.

How can you get an at-a-glance overview of the kinds of apps that are being used within your organization? A. Use Azure Information Protection B. Use Conditional Access C. Use the Cloud Discovery Dashboard

C. Use the Cloud Discovery Dashboard

You have an Azure subscription that uses Microsoft Sentinel and contains 100 Linux virtual machines. You need to monitor the virtual machines by using Microsoft Sentinel. The solution must meet the following requirements: - Minimize administrative effort. - Minimize the parsing required to read log data. What should you configure? A. a Log Analytics Data Collector API B. REST API integration C. a Common Event Format (CEF) connector D. a Syslog connector

C. a Common Event Format (CEF) connector

You receive a security bulletin about a potential attack that uses an image file. You need to create an indicator of compromise (IoC) in Microsoft Defender for Endpoint to prevent the attack. Which indicator type should you use? A. a URL/domain indicator that has Action set to Alert only B. a URL/domain indicator that has Action set to Alert and block C. a file hash indicator that has Action set to Alert and block D. a certificate indicator that has Action set to Alert and block

C. a file hash indicator that has Action set to Alert and block

Your company has a single office in Istanbul and a Microsoft 365 subscription. The company plans to use conditional access policies to enforce multi-factor authentication (MFA). You need to enforce MFA for all users who work remotely. What should you include in the solution? A. a fraud alert B. a user risk policy C. a named location D. a sign-in user policy

C. a named location

You have a Microsoft 365 E5 subscription that uses Microsoft SharePoint Online. You delete users from the subscription. You need to be notified if the deleted users downloaded numerous documents from SharePoint Online sites during the month before their accounts were deleted. What should you use? A. a file policy in Microsoft Defender for Cloud Apps B. an access review policy C. an alert policy in Microsoft Defender for Office 365 D. an insider risk policy

C. an alert policy in Microsoft Defender for Office 365

You plan to create a custom Azure Sentinel query that will provide a visual representation of the security alerts generated by Azure Security Center. You need to create a query that will be used to display a bar graph. What should you include in the query? A. extend B. bin C. count D. workspace

C. count

You have a Microsoft Sentinel workspace named workspace1 that contains custom Kusto queries. You need to create a Python-based Jupyter notebook that will create visuals. The visuals will display the results of the queries and be pinned to a dashboard. The solution must minimize development effort. What should you use to create the visuals? A. plotly B. TensorFlow C. msticpy D. matplotlib

C. msticpy

Your company uses Azure Sentinel to manage alerts from more than 10,000 IoT devices. A security manager at the company reports that tracking security threats is increasingly difficult due to the large number of incidents. You need to recommend a solution to provide a custom visualization to simplify the investigation of threats and to infer threats by using machine learning. What should you include in the recommendation? A. built-in queries B. livestream C. notebooks D. bookmarks

C. notebooks

You have a Microsoft 365 subscription that uses Azure Defender. You have 100 virtual machines in a resource group named RG1. You assign the Security Admin roles to a new user named SecAdmin1. You need to ensure that SecAdmin1 can apply quick fixes to the virtual machines by using Azure Defender. The solution must use the principle of least privilege. Which role should you assign to SecAdmin1? A. the Security Reader role for the subscription B. the Contributor for the subscription C. the Contributor role for RG1 D. the Owner role for RG1

C. the Contributor role for RG1

You have a playbook in Azure Sentinel. When you trigger the playbook, it sends an email to a distribution group. You need to modify the playbook to send the email to the owner of the resource instead of the distribution group. What should you do? A. Add a parameter and modify the trigger. B. Add a custom data connector and modify the trigger. C. Add a condition and modify the action. D. Add a parameter and modify the action.

D. Add a parameter and modify the action.

You are investigating an incident in Azure Sentinel that contains more than 127 alerts. You discover eight alerts in the incident that require further investigation. You need to escalate the alerts to another Azure Sentinel administrator. What should you do to provide the alerts to the administrator? A. Create a Microsoft incident creation rule B. Share the incident URL C. Create a scheduled query rule D. Assign the incident

D. Assign the incident

If you're hunting in Sentinel and come across results you want to use later, what would you use to save them for later? A. Notebook B. Livestream C. Analytics rule D. Bookmark

D. Bookmark

You need to configure Microsoft Cloud App Security to generate alerts and trigger remediation actions in response to external sharing of confidential files. Which two actions should you perform in the Cloud App Security portal? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. A. From Settings, select Information Protection, select Azure Information Protection, and then select Only scan files for Azure Information Protection classification labels and content inspection warnings from this tenant. B. Select Investigate files, and then filter App to Office 365. C. Select Investigate files, and then select New policy from search. D. From Settings, select Information Protection, select Azure Information Protection, and then select Automatically scan new files for Azure Information Protection classification labels and content inspection warnings. E. From Settings, select Information Protection, select Files, and then enable file monitoring. F. Select Investigate files, and then filter File Type to Document.

D. From Settings, select Information Protection, select Azure Information Protection, and then select Automatically scan new files for Azure Information Protection classification labels and content inspection warnings. E. From Settings, select Information Protection, select Files, and then enable file monitoring.

You have an Azure Sentinel workspace. You need to test a playbook manually in the Azure portal. From where can you run the test in Azure Sentinel? A. Playbooks B. Analytics C. Threat intelligence D. Incidents

D. Incidents

You have a custom analytics rule to detect threats in Azure Sentinel. You discover that the analytics rule stopped running. The rule was disabled, and the rule name has a prefix of AUTO DISABLED. What is a possible cause of the issue? A. There are connectivity issues between the data sources and Log Analytics. B. The number of alerts exceeded 10,000 within two minutes. C. The rule query takes too long to run and times out. D. Permissions to one of the data sources of the rule query were modified.

D. Permissions to one of the data sources of the rule query were modified.

From Azure Sentinel, you open the Investigation pane for a high-severity incident. If you hover over the VM you can view _____: A. The inbound network security group (NSG) rules. B. The last five Windows security log events. C. The open ports on the host. D. The running processes.

D. The running processes.

From Azure Sentinel, you open the Investigation pane for a high-severity incident. If you select _____ you can view the items related to the incident. A. Entities B. Info C. Insights D. Timeline

D. Timeline

You have an Azure subscription that contains a Microsoft Sentinel workspace. You need to create a playbook that will run automatically in response to a Microsoft Sentinel alert. What should you create first? A. a trigger in Azure Functions B. an Azure logic app C. a hunting query in Microsoft Sentinel D. an automation rule in Microsoft Sentinel

D. an automation rule in Microsoft Sentinel

You have 100 Azure subscriptions that have enhanced security features in Microsoft Defender for Cloud enabled. All the subscriptions are linked to a single Azure Active Directory (Azure AD) tenant. You need to stream the Defender for Cloud logs to a syslog server. The solution must minimize administrative effort. What should you do? Exports logs to a: Configure streaming by:

Exports logs to a: Azure event hubs Configure streaming by: Creating an Azure Policy assignment at the root of the management group.

You have an Azure subscription. You need to delegate permissions to meet the following requirements: ✑ Enable and disable Azure Defender. ✑ Apply security recommendations to resource. The solution must use the principle of least privilege. Which Azure Security Center role should you use for each requirement?

✑ Enable and disable Azure Defender: Security Admin ✑ Apply security recommendations to resource: Subscription Contributor

