SC-200 Exam - Free Actual Q&As, Page 1 - ExamTopics PDF

2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
- Expert Verified, Online, Free.
 Custom View Settings
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 1/294
Topic 1 - Question Set 1
Question #1 Topic 1
DRAG DROP -
You are investigating an incident by using Microsoft 365 Defender.
You need to create an advanced hunting query to count failed sign-in authentications on three devices named CFOLaptop, CEOLaptop, and
COOLaptop.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Select and Place:
Correct Answer:
  DigitalNomad Highly Voted  1 year, 4 months ago

DeviceLogonEvents
| where DeviceName in ("CFOLaptop" , "CEOLaptop" ) and ActionType == "LogonFailed"
| summarize LogonFailures=count() by DeviceName , LogonType
This is the correct answer , I tested it .

upvoted 69 times
  Xyz_40 5 months, 2 weeks ago

I concur
upvoted 2 times
  stromnessian 1 year, 1 month ago

DigitalNomad is exactly right. Usual examtopics story (this is the 5th one I've done in the past year or so) - do your own research as many of the
answers are wrong.
upvoted 4 times
  pedromonteirozikado 1 year ago

Tested it here too, ActionType is the type of action obviously, and FailureReason is the reason why the Action failed. Then it makes no sense
compare the ActionType with FailureReason because the values will never match.
upvoted 2 times
  Startkabels 1 year, 4 months ago

If you tested it I will go with you!
upvoted 2 times
  ReffG Highly Voted  1 year, 5 months ago

I think the third box is answered wrong. ActionType == "LogonFailed" should be the correct answer.
upvoted 17 times
  altecer Most Recent  1 week, 1 day ago

On exam 2-11-2023
upvoted 1 times
  AJ2021 1 week, 5 days ago

Question in Exam today
upvoted 1 times
  gyaansastra 1 month, 2 weeks ago

Only 3 types of ActionType exist based on the schema. Try yourself with a long time range (e.g below last 14days)
DeviceLogonEvents
| where TimeGenerated >= ago(14d)
| distinct ActionType
Result:
LogonSuccess
LogonFailed
LogonAttempted
That should clear the doubts that "LogonFailed" is the correct option, not "FailureReason". Strongly suggest going through the official schema and
the actual query for validation.
upvoted 4 times
  Apocalypse03 2 months ago

The correct answer is:
DeviceLogonEvents
| where DeviceName in ("CFOLaptop", "CEOLaptop", "COOLaptop") and
ActionType == FailureReason
|s summarize LogonFailures=count () by DeviceName, LogonType
Here is a brief explanation of how this query works:
The DeviceLogonEvents table is selected, which contains logon events for devices.
The where clause filters the events to only include those that have a DeviceName of CFOLaptop, CEOLaptop, or COOLaptop, and an ActionType of
FailureReason. This effectively filters the events to only include failed logon events from the specified devices.
The summarize clause counts the number of events that match the previous criteria, grouping the results by DeviceName and LogonType. The
count() function counts the number of events in each group, and the LogonFailures alias is used to label this count in the resulting output.
upvoted 3 times
  EricChu 1 month, 3 weeks ago

How can a reason be an action???? Action type is a reason, did you hear yourself?
upvoted 1 times
  BhanuD 3 months ago
Under DeviceLogonEvents schema, below are the ActionType values available and FailureReason is the column in the schema that can be fetched
ActionType values:
LogonAttempted
LogonFailed
LogonSuccess
and hence the answer is ActionType == 'LogonFailed' ; also a string should be mentioned in a single or double quotes
upvoted 2 times
  arunrider 4 months, 1 week ago

Tested, ActionType == LogonFailed
upvoted 3 times
  Pandaguo 10 months, 2 weeks ago

DeviceLogonEvents
|where Devicename in ("CFOlaptops", "CEOLaptop") and ActionType == "LogonFailed"
|summarize LoginFailures=count() by DeviceName, LogonType
upvoted 3 times
  oreoale 10 months, 4 weeks ago

See DeviceLogonEvents options -> https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/devicelogonevents
upvoted 4 times
  chaska 11 months ago

Answer is correct
DeviceLogonEvents
| where DeviceName in ("CFOLaptop","CEOLaptop","COOLaptop") and ActionType == FailureReason
| summarize count() by DeviceName, LogonType,TimeGenerated
As far as I know ActionType contains only LogonSuccess, LogonAttempted and empty value.
Empty value in same rows in columns ActionType and FailureReason means failed sign-in authentications.
upvoted 3 times
  Badr_j 11 months, 1 week ago

ActionType == "LogonFailed" is the correct option,
upvoted 4 times

Funny facts, on the official practice test from MeasureUp, the correct answer is ActionType == FailureReason, but that's the wrong answer...
upvoted 3 times

ActionType == "LogonFailed" is the correct option, always test the queries and check by yourself.
upvoted 4 times

What DigitalNomad said, 100%.
upvoted 2 times
  Daigo 1 year, 3 months ago

Hi,
What is the correct answer?

upvoted 1 times
  AlaReAla 1 year, 4 months ago

FailureReason itself is a parameter, so it cannot be equated (compared) to ActionType, so it should be equated to "LogonFailed". You may refer
below link to get a flavour of the parameter:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-best-practices?view=o365-worldwide
upvoted 5 times
Question #2 Topic 1
You need to receive a security alert when a user attempts to sign in from a location that was never used by the other users in your organization to
sign in.
Which anomaly detection policy should you use?
A. Impossible travel
B. Activity from anonymous IP addresses
C. Activity from infrequent country
D. Malware detection
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
Community vote distribution

C (100%)
  TheMCT Highly Voted  1 year, 10 months ago

Given Answer, C, is correct
upvoted 30 times

Agree, I work with these policies daily
upvoted 5 times
  prabhjot 1 year, 1 month ago

this is correct as explained here also - https://docs.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
upvoted 4 times
  teehex Highly Voted  1 year, 9 months ago

Activity from infrequent country is the correct answer.
First, both "Impossible travel" and "Activity from infrequent country" are detection rule that help prevent breaches from foreign attackers.
The difference between the rule is the type of historical data. "Impossible travel" actually compares between the new location's sign-in with the last
known one. So it basically means if someone already logged into a location (corporate network with USA-based IP range) and now he is logged
into a China network then it is likely the user is compromised (assume the organization doesn't have any traffic/record/association with China
network). Moreover it is based on geographically distant locations within a time period shorter. So in my example China is too far from USA.
"Activity from infrequent country" is a bit different. Instead of comparing with the last known location, it detects if an account is logged in from a
country that has never been accessed by any user in the organization. This rule is based on user behavior using entity behavioral analytics and
machine learning.
upvoted 28 times
  teehex 1 year, 9 months ago

In addition to my explanation:
- Impossible travel often looks into one sign-in attempt from TWO different geo-based location.
- Activity from infrequent country often looks into a location that no one ever used. So basically it just perform a check among all historical
locations and does the comparison.
upvoted 9 times
  dandirindan 9 months, 2 weeks ago

great explanation
upvoted 2 times

On exam 2-11-2023
upvoted 1 times
  CarlosE 1 week, 6 days ago

Selected Answer: C
C is correct
upvoted 1 times
  emmanuelodenyire 2 weeks, 4 days ago

Selected Answer: C
I will go with C
upvoted 1 times
  albd 1 month, 4 weeks ago
In exam today (23 dec 2022)
upvoted 3 times
  simonseztech 6 months ago

Selected Answer: C
https://docs.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
upvoted 1 times

C is right
upvoted 1 times
  Tx4free 11 months, 3 weeks ago

Selected Answer: C
C is correct
upvoted 1 times
  ubt 1 year ago

Selected Answer: C
Activity from infrequent country
This detection considers past activity locations to determine new and infrequent locations. The anomaly detection engine stores information about
previous locations used by users in the organization. An alert is triggered when an activity occurs from a location that wasn't recently or never
visited by any user in the organization.
upvoted 1 times
  Minghon 1 year, 1 month ago

Selected Answer: C
Activity from infrequent country
This detection considers past activity locations to determine new and infrequent locations. The anomaly detection engine stores information about
previous locations used by users in the organization. An alert is triggered when an activity occurs from a location that wasn't recently or never
visited by any user in the organization.
upvoted 1 times
  airairo 1 year, 6 months ago

the updated question is
You are configuring Microsoft Cloud App Security.

You have a custom threat detection policy based on the IP address ranges of your company's United States - based offices. You receive many alerts
related to impossible travel and sign - ins from risky IP addresses.
You determine that 99 % of the alerts are legitimate sign - ins from your corporate offices.
You need to prevent alerts for legitimate sign - ins from known locations.
Which two actions should you perform? Each correct answer presents part of the solution.
A. Add the IP addresses to the other address range category and add a tag
B. Create an activity policy that has an exclusion for the IP addresses.
C. Increase the sensitivity level of the impossible travel anomaly detection policy
D. Override automatic data enrichment
upvoted 4 times
  airairo 1 year, 7 months ago

similar question came in the exam is
Question#67
You have a custom threat detection policy based on the IP address ranges of your company's United States - based offices. You receive many alerts
related to impossible travel and sign - ins from risky IP addresses.
You determine that 99 % of the alerts are legitimate sign - ins from your corporate offices.
You need to prevent alerts for legitimate sign - ins from known locations.
A. Add the IP addresses to the other address range category and add a tag
B. Create an activity policy that has an exclusion for the IP addresses.
C. Increase the sensitivity level of the impossible travel anomaly detection policy
D. Override automatic data enrichment
upvoted 3 times
  amsioso 4 months, 2 weeks ago

C,D
https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy#impossible-travel
https://www.thirdtier.net/2021/04/05/reducing-the-number-of-false-positive-in-mcas/
upvoted 1 times
  ReffG 1 year, 5 months ago

A and D is the correct answer
upvoted 4 times
  Justy 1 year, 6 months ago

please post the answer also
upvoted 2 times
  AYap 1 year, 6 months ago

Is BC the correct answer?
upvoted 2 times
  ANDRESCB1988 1 year, 7 months ago

Activity from infrequent country is correct
upvoted 1 times
  Domza 1 year, 8 months ago

Correct
upvoted 1 times
  CAINBJJ 1 year, 8 months ago

C is a Answer corretct
Activity from a country/region that could indicate malicious activity. This policy profiles your environment and triggers alerts when activity is
detected from a location that was not recently or was never visited by any user in the organization.
Activity from the same user in different locations within a time period that is shorter than the expected travel time between the two locations. This
can indicate a credential breach, however, it's also possible that the user's actual location is masked, for example, by using a VPN.
upvoted 1 times
  Task 1 year, 8 months ago

Correct
upvoted 1 times
Question #3 Topic 1
You have a Microsoft 365 subscription that uses Microsoft Defender for Office 365.
You have Microsoft SharePoint Online sites that contain sensitive documents. The documents contain customer account numbers that each
consists of 32 alphanumeric characters.
You need to create a data loss prevention (DLP) policy to protect the sensitive documents.
What should you use to detect which documents are sensitive?
A. SharePoint search
B. a hunting query in Microsoft 365 Defender
C. Azure Information Protection
D. RegEx pattern matching
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/information-protection/what-is-information-protection

D (67%) C (33%)

Azure API is the correct answer. The question is asking what you need. It is not asking you how to do it.
You must use Azure AIP as a tool for DLP. And then Regex is a way to build your pattern in case there is not any built-in sensitive pattern type that
supports your case (account number with 32 char).
So bonus the regex ^[a-zA-Z0-9]{32}$

upvoted 34 times
  ANDRESCB1988 1 year, 7 months ago

is correct!
upvoted 1 times
  ture 1 year, 6 months ago

I love the accurate answers!
upvoted 1 times
  Benkyoujin 9 months, 2 weeks ago

Is it though? https://docs.microsoft.com/en-us/exchange/security-and-compliance/data-loss-prevention/create-custom-dlp-policy The question
is poorly worded but says you have MDO, not AIP. Plus isn't AIP in scope for sc-400?
upvoted 1 times
  yaza85 3 months, 1 week ago

this is SC-200
upvoted 1 times

Agreed
upvoted 1 times
  stromnessian Highly Voted  1 year ago

Selected Answer: C
You would use both C and D, so as with many MS exam questions, toss a coin, pick your answer and hope for the best.
upvoted 8 times
  Lone__Wolf Most Recent  1 week ago

Selected Answer: D
D. RegEx pattern matching
To detect sensitive documents in SharePoint Online, you can use a RegEx (regular expression) pattern matching rule in the data loss prevention
(DLP) policy. A RegEx pattern is a sequence of characters that defines a search pattern, which can be used to match specific sequences of characters
in the documents.
In this scenario, you can use a RegEx pattern to match the customer account numbers, which consist of 32 alphanumeric characters. By using a
RegEx pattern, you can accurately identify the sensitive documents that contain the customer account numbers and take appropriate action, such
as blocking access to the documents or sending notifications to the appropriate users.
Once you have defined the RegEx pattern, you can create a DLP policy in Microsoft Defender for Office 365 that uses the pattern to detect sensitive
documents. The DLP policy can then be configured to take appropriate action, such as blocking access to the sensitive documents or sending
notifications to the appropriate users.
upvoted 1 times
  ERROR505 1 week, 1 day ago
Selected Answer: D
D. RegEx pattern matching is the best option to detect which documents contain sensitive information in this scenario. You can create a DLP policy
that uses RegEx to scan the contents of documents for the specific pattern of 32 alphanumeric characters that represent customer account
numbers. This will help identify and protect the sensitive documents in your SharePoint Online sites.
upvoted 2 times
  CarlosE 1 week, 6 days ago

Selected Answer: C
C is correct
upvoted 1 times
  RodrigoLima 3 weeks, 6 days ago

Selected Answer: D
According to Microsoft Documention:
"Microsoft Purview Compliance comes with built-in Sensitive information types like Credit Card Numbers, Bank Accounts, and more. You can also
create a custom sensitive info type matched on regular expressions, keywords, or an uploaded dictionary."
upvoted 4 times
  christoforocm 3 weeks, 6 days ago

The correct answer is the letter C
https://learn.microsoft.com/es-mx/training/modules/microsoft-cloud-app-security/classify-protect-sensitive-information
upvoted 1 times
  jrjrjrchlv 1 month, 1 week ago

Selected Answer: C
You should use C. Azure Information Protection to detect which documents are sensitive. Azure Information Protection is a data protection service
that can be used to classify and label documents, and to set up data loss prevention (DLP) policies to protect sensitive documents. It can detect
documents that contain sensitive information, such as customer account numbers, using pattern matching, machine learning, and pre-defined
rules. You can use Azure Information Protection to classify and protect documents in SharePoint Online, as well as in other file storage and
collaboration platforms.
upvoted 1 times
  TechMinerUK 1 month, 2 weeks ago

Selected Answer: D
I would say it is D as the question already states you need to make a DLP policy meaning you have chosen the technology which you are going to
use. As such the policy would involve a RegEx component in order to protect the data mentioned
Whilst you are "protecting" the data it doesn't necesarily need to be AIP, it could be DLP with the RegEx policy to prevent it being sent externally
upvoted 4 times

True, the question clearly mentioned about detection of 32 alphanumeric characters. AIP can only focus on label.
upvoted 2 times
  Theplim 1 month, 3 weeks ago

The answer is clear if the doubt is between C and D. To use the AIP you would need an Azure subscription, but the question doesn't say you have
that. So there's only one option left.
upvoted 1 times
  JMI 1 week ago

but the question clearly stated that you have a subscription, So C
upvoted 1 times
  bentaja 2 months, 1 week ago

it sounds like you want to use RegEx pattern matching to detect which documents are sensitive. RegEx, or regular expression, is a type of pattern
matching that can be used to identify specific patterns of characters in a string of text. In this case, you can use a RegEx pattern to match the 32-
character account numbers in your sensitive documents. This will allow you to create a DLP policy that can detect and protect these sensitive
documents.
upvoted 2 times
  Apocalypse03 2 months, 1 week ago

Selected Answer: D
RegEx pattern matching
upvoted 3 times
  Fodio 2 months, 2 weeks ago

Is this question still valid at this time?
upvoted 1 times
  egghead1985 2 months, 3 weeks ago

Selected Answer: D
https://learn.microsoft.com/en-us/microsoft-365/compliance/sit-regex-validators-additional-checks?view=o365-worldwide
upvoted 2 times
  ACSC 3 months ago

Selected Answer: C
Azure Information Protection (AIP) is part of Microsoft Purview Information Protection (formerly Microsoft Information Protection or MIP).
Microsoft Purview Information Protection helps you discover, classify, protect, and govern sensitive information wherever it lives or travels.
upvoted 1 times
  Abhishek1610 3 months, 1 week ago

Selected Answer: C
You need to use Azure Information Protection
upvoted 2 times
  MILOP88 4 months ago

Selected Answer: D
https://learn.microsoft.com/en-us/microsoft-365/compliance/create-test-tune-dlp-policy?view=o365-worldwide
upvoted 3 times
Question #4 Topic 1
Your company uses line-of-business apps that contain Microsoft Office VBA macros.
You need to prevent users from downloading and running additional payloads from the Office VBA macros as additional child processes.
Which two commands can you run to achieve the goal? Each correct answer presents a complete solution.
A.
B.
C.
D.
Correct Answer: BC
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction
  JohnAvlakiotis Highly Voted  1 year, 4 months ago

Should be A, D.
upvoted 60 times
  Metasploit 4 months, 2 weeks ago

A,D.
These are 2 complete solutions on their own. Not a step by step by step.
1) Add the rule and enable it.
2) Add the rule, set the rule to overwrite existing rules, and enable it.
"Set-MpPreference will always overwrite the existing set of rules. If you want to add to the existing set, use Add-MpPreference instead."
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-
worldwide#powershell
The command does not need to mention anything about block because the GUID references a Rule with already set actions.
Configuration Manager name: Block Office application from creating child processes
GUID: d4f940ab-401b-4efc-aadc-ad5f3c50688a
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?
source=recommendations&view=o365-worldwide#block-all-office-applications-from-creating-child-processes
upvoted 9 times

I echo, as the requirement is not for audit, but to prevent. So the answer should be A & D.
upvoted 11 times
  JohnAvlakiotis 1 year, 4 months ago

Agreed, link to reinforce https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?
view=o365-worldwide#powershell
upvoted 6 times

Agree, auditing doesnt prevent anything only monitors and reports
upvoted 1 times
  Haz56 Highly Voted  1 year, 2 months ago

I would say A&D as the question states "Each correct answer presents a complete solution.", so choosing one of the audit options would not be a
complete solution on its own to prevent the action
upvoted 9 times

Yes, normally we add a new audit policy with Add-MpPreference and change the policy to enabled with Set-MpPreference, but in this case, each
correct answers presents a complete solution, A&D Right, cause Set can change and create policies too, and Add-MpPreference can only add
new policies.
upvoted 2 times
  Nailik_Ms Most Recent  2 weeks, 5 days ago

Audit does not mean Blocking Question stands for "You need to prevent users from downloading and running additional payloads from the Office
VBA macros as additional child processes." Auditing something you are not implementing anything to prevent, but to gain the knowledge to later
on take the action you want to.
upvoted 2 times
  manidaredevil 2 weeks, 5 days ago

Please change the answer to A& D. as most voting counts are showing the correct answer is A & D options.
upvoted 2 times
  Atun23 4 months, 1 week ago

According to MS content this should be A and D, because the company is trying to prevent, not checking first if it will work.
Audit mode for evaluation

Use audit mode to evaluate how attack surface reduction rules would affect your organization if enabled. Run all rules in audit mode first so you
can understand how they affect your line-of-business applications. Many line-of-business applications are written with limited security concerns,
and they might perform tasks in ways that seem similar to malware. By monitoring audit data and adding exclusions for necessary applications, you
can deploy attack surface reduction rules without reducing productivity
upvoted 2 times
  ArunRavilla 5 months ago

It is A & D. I am 100% sure.
upvoted 2 times
  Sango 6 months ago

A and D are the only logical two: Must use Set-MpPreference with Enabled and then Add-MpPreference with Enabled. Audit does not block.
upvoted 2 times
  prjreddit 7 months ago

This is 100% A,D - you want to SET the RULE (Enable) and then enable ASR.
Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-
worldwide#powershell
upvoted 1 times
  tarakrishna1692 7 months ago

It is A & D
upvoted 1 times
  sainfosec 7 months ago

It has to be A,D. The requirements are to prevent.
upvoted 1 times
  maf001 9 months, 1 week ago

C, D
Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Enabled

Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions AuditMode
Link : https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide
upvoted 4 times
  j888 9 months, 1 week ago

Yep CD. You need to set the rules to enable 1st and then follow by adding the defensive mode
upvoted 1 times
  oreoale 11 months ago

Answers are B,C. "Enable" setting does not exist. Each ASR rule contains one of four settings:
Not configured | Disabled: Disable the ASR rule
Block: Enable the ASR rule
Audit: Evaluate how the ASR rule would impact your organization if enabled
Warn: Enable the ASR rule but allow the end user to bypass the block
Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide
upvoted 2 times
  oldmagic 10 months, 2 weeks ago

"ENABLE" does indeed very much so exist.
Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Enabled
Correct answers are A and D

upvoted 5 times
  Contactfornitish 12 months ago

Why one would select auditmode?? A & D
upvoted 1 times
  liberty123 12 months ago

agree with A, D
upvoted 1 times
I was thinking C,D because normally we set a new policy with Add-MpPreference with audit-mode to see the effects of the policy, and after Set-
MpPreference to change policy to Enabled mode. But, the correct is A,D because the questions said "Each correct answer presents a complete
solution", so both Add-MpPreference and Set-MpPreference in Enable mode is correct, cause Set and Add can create policies, but the Set can
change policies too.
upvoted 4 times
  BubuNigeria 1 year, 1 month ago

The answers BC are correct. You can check the link below for more details.
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-
worldwide#block-all-office-applications-from-creating-child-processes
upvoted 4 times
  felipe_g 1 year ago

Actually it says AD if you look into configuration article: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-
attack-surface-reduction?view=o365-worldwide
upvoted 3 times
  prabhjot 1 year, 1 month ago

yes seems very convincing point imp point is CHILD PROCESSES(You plan to enable protection against downloading and running additional
payloads from the Office VBA macros as additional child processes.)
upvoted 1 times

Is not B,C because Audit Mode policies can't block anything.
upvoted 5 times
  Jos8 1 year, 1 month ago

I've got another practice test in which the question is "You need to identify which Office VBA macros might be affected" -> The correct answer is B
and C because you just want to check the result.
In this case, correct answer is A, D because you actually want to activate the rule.
upvoted 6 times
Question #5 Topic 1
Your company uses Microsoft Defender for Endpoint.

The company has Microsoft Word documents that contain macros. The documents are used frequently on the devices of the company's
accounting team.
You need to hide false positive in the Alerts queue, while maintaining the existing security posture.
Which three actions should you perform? Each correct answer presents part of the solution.
A. Resolve the alert automatically.
B. Hide the alert.
C. Create a suppression rule scoped to any device.
D. Create a suppression rule scoped to a device group.
E. Generate the alert.
Correct Answer: BCE

Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/manage-alerts

BDE (78%) BCE (15%) 7%
  KingSize Highly Voted  1 year, 9 months ago

You can Hide or Resolve alert and all of those actions you can perform on any device or device groups or single device. But in question there is
accounting team so there will be device group.
Answer should be ABD
upvoted 35 times
  Axiomatic 1 year, 9 months ago

Totally agree with you!
upvoted 4 times

It's about the alert queue in Defender so you need to general scope for any alerts that's about the Word documents containing macros. That the
documents are often used on devices used by the Account team does not matter. It is about the document that you company uses. Also read
the article cause it reads you can either hide or resolve and to hide is clearly what is asked here. So I go for BCE.
upvoted 8 times

The documents are used on devices by the account team, the questions said to hide false positive alerts, and not all the alerts, so i think is
BDE.
upvoted 7 times
  Ashfaq2 1 year, 9 months ago

Suppression rule can not create based on Device Group
upvoted 3 times
  sasasach 2 months ago

I checked it in MS defender itself, you can create suppression rule based on device group
upvoted 1 times
  jethi 1 year, 8 months ago

Suppression rule can be created based on a device group. Verified it on the defender portal itself. Correct answer is BDE
upvoted 24 times
  AnonymousJhb 10 months, 2 weeks ago

D is wrong.
This "group" feature is only available in Suppress alerts from Microsoft Defender for Cloud.
This question context is for Manage Microsoft Defender for Endpoint alerts.
There are two contexts for a suppression rule that you can choose from:
-Suppress alert on this device
-Suppress alert in my organization
upvoted 3 times
  Metasploit 4 months, 1 week ago
BDE.
This changed. I know, not in the docs(Docs are old and not updated). I had to go to the tech community.
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/introducing-the-new-alert-suppression-experience/ba-
p/3562719
upvoted 3 times

Hi, may be the documentation is not updated, the scope is to select organization or user/device/device groups, as they mentioned clearly as
accounts department, device group need to be selected
upvoted 1 times
  PTIN Highly Voted  1 year, 10 months ago

Given answer BCE is correct. The question states "alerts must be hidden from queue". Automatically resolving is not correct solution as that will still
show up in the queue. Hence given answer BCE is correct
upvoted 16 times

Not A = Resolved alerts stay in Alerts queue marked as resolved.
B = You can hide alerts from the system.
C = 1.)Suppress alert on this device or 2.) Suppress alert in my organization (For MS Defender for Endpoint)
Not D = Because C
E = Because you cannot do either of the other without an alert.
upvoted 1 times

Correction: BDE
This question bugged me. The new alert suppression rules allows for much more.
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/introducing-the-new-alert-suppression-experience/ba-
p/3562719
upvoted 3 times

Selected Answer: BDE
Here's a brief explanation of each option:
E. Generate the alert: You need to generate the alert first so that you can see it in the Alerts queue.
B. Hide the alert: After generating the alert, you can hide it if you want to remove it from view.
D. Create a suppression rule scoped to a device group: You can also create a suppression rule scoped to a specific device group if you want to only
apply it to a specific group of devices. This helps you maintain the existing security posture.
upvoted 4 times
  emmanuelodenyire 2 weeks, 3 days ago

According to the question, I will stick with these
upvoted 2 times
  Nailik_Ms 3 weeks, 2 days ago

I think BDE is correct, I see many comments about why device group is not correct, but here are my two cents. You as administrator know and are
intended to hide the false positives due the activity of the account group, but should be alerted if that document is opened by other devices on the
company.
upvoted 1 times
  Tohar 1 month, 3 weeks ago

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/introducing-the-new-alert-suppression-experience/ba-p/3562719
upvoted 1 times

Generate the alert. This will trigger the alert for the detected macro in the Word document.
Hide the alert. This will prevent the alert from appearing in the Alerts queue.
Create a suppression rule scoped to a device group. This will ensure that the rule only applies to the devices of the accounting team, while
maintaining the existing security posture for other devices in the company.
upvoted 2 times

Generate the alert. This will trigger the alert for the detected macro in the Word document.
Hide the alert. This will prevent the alert from appearing in the Alerts queue.
Create a suppression rule scoped to a device group. This will ensure that the rule only applies to the devices of the accounting team, while
maintaining the existing security posture for other devices in the company.
upvoted 1 times

B - hide false positive
D - devices of the company's accounting team
E - while maintaining the existing security posture
upvoted 3 times

First Step is to Generate Alert without this cannot suppress the alert, Answer is 'Generate the Alert'
Select the scope by selecting All Organization or User/Device/Device Groups (as mentioned accounting team in the question) Answer is 'Create a
suppression rule scoped to a device group'
Action on the suppression rule (Options are Hide or Resolve) > As mentioned in the question to hide false positive, Answer is 'Hide the Alert'
upvoted 2 times
  John0153 3 months, 3 weeks ago

Selected Answer: BCE
BCE is the correct answer "Documents are used "FREQUENTLY" on the devices of accounting" this doesn't mean that it is only restricted to
accounting team
upvoted 2 times

NOT A = Resolved alerts stay in Alerts queue marked as resolved.
B = You can hide alerts from the system.
NOT C = Not best practice.
D = Because, Best practice and New alert suppression rules allow for groups and much more(The docs are still old, below is a link for evidence to
this claim)
E = Because you cannot do either of the other without an alert.

upvoted 6 times

BCE is right.
There are two contexts for a suppression rule that you can choose from:
Suppress alert on this device
Suppress alert in my organization
upvoted 2 times

"5. In the Scope section, set the Scope by selecting specific device, multiple devices, device groups, the entire organization or by user"
upvoted 1 times
  Whatsamattr81 6 months, 1 week ago

E,D,B.... in that order.
upvoted 2 times

First you need to generate the alert, or you have nothing to suppress. Then a suppression rule on those devices (not globally), then in the
suppression rule - hide the alert.
upvoted 1 times
  ealcober 6 months, 2 weeks ago

another bad answer please correct examtopics team... is there any team?
upvoted 1 times
Question #6 Topic 1
DRAG DROP -
You open the Cloud App Security portal as shown in the following exhibit.
Your environment does NOT have Microsoft Defender for Endpoint enabled.
You need to remediate the risk for the Launchpad app.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
Select and Place:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/cloud-app-security/governance-discovery
  hteams Highly Voted  11 months, 2 weeks ago

The "source appliance" mentioned here is the Firewall or Proxy in use. The Block script is specific to the product in use. The block is done by the
firewall / proxy . Hope this helps
you can find the screenshots at this link https://docs.microsoft.com/en-us/defender-cloud-apps/governance-discovery
upvoted 7 times
  [Removed] Highly Voted  1 year, 3 months ago

It's running script on source appliance.
https://docs.microsoft.com/en-us/cloud-app-security/governance-discovery
upvoted 5 times
  iwhoelse Most Recent  5 days, 6 hours ago

Answer as shown is correct
upvoted 1 times
  Hami3191 7 months, 1 week ago

correct answer
upvoted 3 times
  vijeet 11 months, 2 weeks ago

If your tenant uses Microsoft Defender for Endpoint, Zscaler NSS, or iboss, any app you mark as unsanctioned is automatically blocked by Defender
for Cloud Apps, and the following sections regarding creating blocking scripts are unnecessary. For more information, see Integrate with Microsoft
Defender for Endpoint, Integrate with Zscaler, and Integrate with iboss respectively.
upvoted 3 times

The answer provided is correct.
upvoted 4 times
  cloudster998 1 year, 1 month ago

After you've reviewed the list of discovered apps in your environment, you can secure your environment by approving safe apps (Sanctioned) or
prohibiting unwanted apps (Unsanctioned) in the following ways.
upvoted 2 times
  Qadir 1 year, 4 months ago

On other websites they have mentioned as "TAG the app as sanctioned"
upvoted 1 times

I differ with your opinion. it should be Unsanction. The above URL clearly says "You can unsanction a specific risky app by clicking the three dots
at the end of the row. Unsanctioning an app doesn't block use, but enables you to more easily monitor its use with the Cloud Discovery filters."
upvoted 9 times

Somehow I still have doubts whether it should be executed on Source appliance OR Azure Cloud Shell? Any thoughts will be helpful.
upvoted 1 times
  zaqwsx 1 year, 4 months ago

I will go with the source appliance, you need to create a script to block it on the endpoint
upvoted 3 times
  felipe_g 1 year ago

But it says that Ms Defender for Endpoint is not deployed
upvoted 2 times
  Anko6116 1 week, 1 day ago

In the provided article it is stated clearly that you should run on source appliance. Section: Block apps by exporting a block script;
step 5: "Import the file created to your appliance."
https://learn.microsoft.com/en-us/defender-cloud-apps/governance-discovery
upvoted 1 times
Question #7 Topic 1
HOTSPOT -
You have a Microsoft 365 E5 subscription.
You plan to perform cross-domain investigations by using Microsoft 365 Defender.
You need to create an advanced hunting query to identify devices affected by a malicious email attachment.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-query-emails-devices?view=o365-worldwide

EmailAttachmentInfo
| where SenderFromAddress =~ "MaliciousSender@example.com" //Get emails with attachments identified by a SHA-256
| where isnotempty(SHA256)
| join (
//Check devices for any activity involving the attachments
DeviceFileEvents
| project FileName, SHA256
) on SHA256
| project Timestamp, FileName , SHA256, DeviceName, DeviceId, NetworkMessageId, SenderFromAddress, RecipientEmailAddress
Already posted here https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-

worldwide#check-if-files-from-a-known-malicious-sender-are-on-your-devices
upvoted 34 times
  PJR Highly Voted  1 year, 6 months ago

The query posted on MS docs doesnt actually work (I have tested in a live tenant) - it needs to be amended to match the below before it returns
results (note the requirement to add DeviceName, and DeviceId fields to the first project statement).
EmailAttachmentInfo
| where SenderFromAddress =~ "mcasdemo@juno.com"
| join (
DeviceFileEvents
| project FileName, SHA256, DeviceName, DeviceId
) on SHA256
But if you choose the following from the answers presented in the question you will get the results you need to answer the question:
EmailAttachmentInfo
| where SenderFromAddress =~ "mcasdemo@juno.com"
| join (
DeviceFileEvents
| extend FileName, SHA256
) on SHA256
| project Timestamp, FileName, SHA256, DeviceName, DeviceId, NetworkMessageId, SenderFromAddress, RecipientEmailAddress
ie Choose, Join, Extend, Project from the drop downs
This has also been tested on live tenants and returns the correct result.
upvoted 21 times
  DigitalNomad 1 year, 3 months ago

you are correct , I have tested it ,the query in the docs is correct as it contains DeviceName , DeviceId , but the one in the exam question is
missing the DeviceName , DeviceId , so the answer should be Join , Extend , Project as you mentioned , but in case the real exam question has
DeviceName , DeviceId then Join , Project , Project can be a correct answer like the example in the docs
upvoted 5 times

Well! Extend operator is for calculated columns and would followed by a custom variable name and equal to sign (something akin to let but
in context of table)
Doesn't make sense to use the same in join context
https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/extendoperator
upvoted 2 times
  Contactfornitish 11 months, 4 weeks ago

Refer to topic 1 question 17 on examtopics itself for differently worded but the same query
upvoted 1 times

On exam 2-11-2023
upvoted 2 times

In Exam today (23 dec 2022)
upvoted 3 times
  FCD 3 weeks, 2 days ago

Was it Join, Extend, Project?
upvoted 2 times

The EmailAttachmentInfo table is selected, which contains information about email attachments.
The where clause filters the attachments to only include those that were sent from the address "MaliciousSender@example.com" and have a non-
empty SHA256 hash value. This effectively filters the results to only include attachments from the specified sender and that have a known hash
value.
The join operator combines the results of the previous step with the results of a second query that selects the DeviceFileEvent table and projects
the FileName and SHA256 fields. This effectively creates a join between the two tables based on the SHA256 field, linking the attachments with file
events on devices.
The project operator selects the desired fields from the joined results and includes them in the final output.
upvoted 1 times
  User_Mowgli 4 months ago

Join, Extend, Project.
upvoted 1 times
  danb67 5 months, 3 weeks ago

Correct Answer is 100% Join/Project/Project. This does not give error at all.
Why would we use extend here? Extend is for creating calculated columns and there is no requirement for this.
See https://www.examtopics.com/discussions/microsoft/view/60115-exam-sc-200-topic-1-question-17-discussion/
EmailAttachmentInfo
| where isnotempty (SHA256)
| join (DeviceFileEvents
| project FileName, SHA256)
on SHA256
| project Timestamp, NetworkMessageId, etc, etc
upvoted 1 times

Please proof test before you answer. I receive the below errors when creating the hunting query on advanced hunting page with
join,project,project. Why? because "Only the columns specified in the arguments are included in the result. Any other columns in the input are
dropped." https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/projectoperator. For this current query to work, "DeviceName"
and "DeviceID" need to be projected by the project within the join.
"Error message
'project' operator: Failed to resolve scalar expression named 'DeviceName'
How to resolve
Fix semantic errors in your query"
Correct answer is: Join, extend, project.

Extend can just append a column as well.
upvoted 6 times

@Metasploit is absolutely correct.
upvoted 1 times
  Shubham020 11 months ago

The correct answer is join/extend/project
This case is little different from the case given in the link below
https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide#check-if-files-
from-a-known-malicious-sender-are-on-your-devices
In this case inside join there is no DeviceName and DeviceID(in this queue), to join the column of this table we have to extend it.
I tested this in live environment with join, project, project, it gives an error. Join, extend, project just says no results found and if I change the sender
email address I'm getting results.
upvoted 4 times

join / project / project is correct
upvoted 2 times
  Pravda 1 year, 1 month ago

This question is from MS documentation. join/project/project
upvoted 4 times
  Bobnoxious 1 year, 1 month ago

reading this discussion, trying to figure out if you guys are trying to pass teh test or get teh answer right. I want to pass the test, even if the
answers seem insufficient. Help me make sense of the discussion. Thanks
upvoted 4 times
  Nail 1 year, 2 months ago

Join, Extend, Project. If I try join, project, project, it gives an error. Join, extend, project just says no results found.
upvoted 3 times
  Ema69 1 year, 4 months ago

join / project / project
upvoted 7 times

Correct answer
upvoted 2 times
Question #8 Topic 1
You have the following advanced hunting query in Microsoft 365 Defender.
You need to receive an alert when any process disables System Restore on a device managed by Microsoft Defender during the last 24 hours.
A. Create a detection rule.
B. Create a suppression rule.
C. Add | order by Timestamp to the query.
D. Replace DeviceProcessEvents with DeviceNetworkEvents.
E. Add DeviceId and ReportId to the output of the query.
Correct Answer: AE
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules

AE (94%) 6%

Correct query is
DeviceProcessEvents
| where Timestamp > ago (24h)
//Pivoting for rundll32
| where InitiatingProcessFileName =~ 'rundll32.exe'
//Looking for empty command line
and InitiatingProcessCommandLine !contains " " and InitiatingProcessCommandLine != ""
//Looking for schtasks.exe as the created process
and FileName in~ ('schtasks.exe')
//Disabling system restore
and ProcessCommandLine has 'Change' and ProcessCommandLine has 'SystemRestore'
and ProcessCommandLine has 'disable'
| project Timestamp, AccountName, ProcessCommandLine, DeviceId, ReportId
Given answer is correct.

- Create detection rule
- Add ReportId and DeviceId to the output. Both fields are supported in DeviceProcessEvents table.(https://docs.microsoft.com/en-us/microsoft-
365/security/defender/advanced-hunting-deviceprocessevents-table?view=o365-worldwide)
The sample query can be found here https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-find-ransomware?

view=o365-worldwide#turning-off-system-restore
upvoted 32 times
  ArciOfficial Highly Voted  1 year, 7 months ago

Given answer is CORRECT:
According to the link below, DeviceID and ReportID are REQUIRED columns for any custom query.
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-alerts?view=o365-worldwide#suppress-an-alert-and-create-
a-new-suppression-rule
upvoted 6 times
  Apocalypse03 Most Recent  2 months ago

Selected Answer: AD
Create a detection rule: A detection rule is a configuration in Microsoft 365 Defender that specifies the conditions under which an alert should be
generated. You can create a detection rule based on the advanced hunting query provided, which will trigger an alert whenever the query returns
any results.
Add DeviceId and ReportId to the output of the query: In order to include relevant information about the device and alert in the generated alert,
you should include the DeviceId and ReportId fields in the output of the query. You can do this by adding DeviceId and ReportId to the list of fields
selected by the project operator at the end of the query.
upvoted 1 times
Selected Answer: AE
A = Requirement is to create an alert.
Not B = This will hide the the alert.
Not C = Avoid filtering custom detections using the Timestamp column. The data used for custom detections is pre-filtered based on the detection
frequency.
Not D = Random filler answer
E = To create a custom detection rule, the query must return the following columns:
->Timestamp—used to set the timestamp for generated alerts
->ReportId—enables lookups for the original records
One of the following columns that identify specific devices, users, or mailboxes:
-> DeviceId
upvoted 3 times
  Fukacz 5 months, 1 week ago

Selected Answer: AE
correct
upvoted 1 times

Selected Answer: AE
Best answer
upvoted 2 times
  liberty123 1 year ago

Selected Answer: AE
Agree with AE
upvoted 3 times
  stromnessian 1 year ago

Selected Answer: AE
Simples.
upvoted 4 times

Selected Answer: AE
AE is correct
upvoted 3 times
  Hacker00 1 year, 2 months ago

Given answer is correct
upvoted 2 times

Correct answer
upvoted 1 times
  Dante404 1 year, 10 months ago

Why not order by timestamp?
upvoted 2 times
  piceknick 1 year, 9 months ago

It's not changing anything - it's already filtered by timestamp >24h
upvoted 2 times
Question #9 Topic 1
You are investigating a potential attack that deploys a new ransomware strain.
You have three custom device groups. The groups contain devices that store highly sensitive information.
You plan to perform automated actions on all devices.
You need to be able to temporarily group the machines to perform actions on the devices.
Which three actions should you perform? Each correct answer presents part of the solution.
A. Assign a tag to the device group.
B. Add the device users to the admin role.
C. Add a tag to the machines.
D. Create a new device group that has a rank of 1.
E. Create a new admin role.
F. Create a new device group that has a rank of 4.
Correct Answer: ACD

Reference:
https://docs.microsoft.com/en-us/learn/modules/deploy-microsoft-defender-for-endpoints-environment/4-manage-access

ACD (97%)
  Metasploit Highly Voted  4 months ago

Selected Answer: ACD
Setting the scene:
There are 3 device groups.
You want to take action on all devices. Meaning you want 1(One) Device group with all devices.
--> A: So you create this custom group(AllDeviceTempGroup) and add a Tag filter(RansomIRTag) to group devices into this device group.
You see that there are no devices in this group. Why? You have not tagged your devices yet.
--> B: You add the tag, RansomIRTag, to all devices.

You notice that your devices have not populated your new device group, AllDeviceTempGroup. Why?
In the details of the question, you are informed that these devices already have a group. Which means if your group is not promoted to highest
rank, then the devices will choose their original group instead.
-->C: Promote AllDeviceTempGroup to highest rank.

upvoted 24 times
  DaraVasu 1 week ago

Great explanation
upvoted 1 times
  Wutan 1 month ago

This is so well explained and in depth, thank you so much.
upvoted 1 times
  Hamatew 1 month, 2 weeks ago

Thanks for the explanation. Probably i skipped some aspect while studying, i have this question, Assuming i have 100s of device how can i tag
all at once. I need to give RansomIRtag to 100 device, will i start adding one by one?
upvoted 1 times
  Metasploit 4 months ago

Answer is ACD. My brain listed the answers in order of 1,2,3,a,b,c while I typed.
upvoted 5 times
  Ken88 Highly Voted  11 months, 2 weeks ago

Admin role is not required.
Given answer:ACD is correct
upvoted 8 times
  Kanguro007 Most Recent  1 month, 2 weeks ago

https://www.drware.com/how-to-use-tagging-effectively-in-microsoft-defender-for-endpoint-part-1/
upvoted 1 times
  Hamatew 1 month, 2 weeks ago
Thanks for the explanation. Probably i skipped some aspect while studying, i have this question, Assuming i have 100s of devices how can i tag all
at once. I need to give RansomIRtag to 100 devices, will i start adding one by one?
upvoted 1 times

Best answer
upvoted 1 times

Selected Answer: ACE
Best answer
upvoted 1 times

ACD correct
upvoted 2 times

ACD. No admin role is required in the scenario given (automated), and obviously the rank needs to be 1, not 4 for the group that contains the
tagged devices.
upvoted 2 times
  RandomNickname 1 year, 1 month ago

Think given answer is correct, but not 100%.
C: Tag all machines ( as requested ), to ensure they can be grouped temporarily.
A: Add the tagged machines to the group to be able to perform automated actions on all.
D: Ensure has rank of 1, so given tagged machines are added, in case of devices match other groups.
upvoted 7 times
  Mastersin 1 year, 2 months ago

BDE
https://docs.microsoft.com/en-us/learn/modules/deploy-microsoft-defender-for-endpoints-environment/6-configure-device-groups
upvoted 3 times

As far as I can tell, you can't assign tag to a device group, only devices. And why would you need to assign tags to both devices and device groups?
So I think the answer must be CDE.
upvoted 2 times

On second thought, I think this answer is correct, ACD. You would add the tag to the devices, then assign the tag to the device group to create a
group based on the tags, and then rank it #1 so it takes precedence over the other groups.
upvoted 11 times
  kakakayayaya 1 year, 4 months ago

Correct answer but reference is not so useful.
upvoted 1 times

Watch the video in the reference. The video explains this answer 100%. ACD.
upvoted 1 times
Question #10 Topic 1
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are configuring Microsoft Defender for Identity integration with Active Directory.
From the Microsoft Defender for identity portal, you need to configure several accounts for attackers to exploit.
Solution: From Entity tags, you add the accounts as Honeytoken accounts.
Does this meet the goal?
A. Yes
B. No
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/defender-for-identity/manage-sensitive-honeytoken-accounts

A (100%)
  kwach Highly Voted  1 year, 10 months ago

correct answer is A:
upvoted 8 times
  Tx4free Highly Voted  11 months, 2 weeks ago

Selected Answer: A
Best answer
upvoted 5 times

On exam 2-11-2023
upvoted 1 times

Correct answer
upvoted 3 times
Solution: From Azure AD Identity Protection, you configure the sign-in risk policy.
A. Yes
B. No
Correct Answer: B
Reference:

B (100%)
  Task Highly Voted  1 year, 8 months ago

Correct
upvoted 6 times

On exam 2-11-2023
upvoted 1 times

Selected Answer: B
Honeytoken entities are used as traps for malicious actors. Any authentication associated with these honeytoken entities triggers an alert.
Settings>Identities>Entity tags>Honey Token> Add Users or Devices

upvoted 2 times

Selected Answer: B
Correct answer
upvoted 3 times
Solution: You add the accounts to an Active Directory group and add the group as a Sensitive group.
A. Yes
B. No
Correct Answer: B
Reference:

B (100%)

Selected Answer: B
This is what honeytoken accounts are meant for (i.e. dormant accounts that generate alerts if accessed). Sensitivity tags are meant for active users
and groups.
upvoted 6 times

On exam 2-11-2023
upvoted 1 times
  Taisuke 5 months, 3 weeks ago

Selected Answer: B
Best answer.
upvoted 1 times

Selected Answer: B
Best answer
upvoted 4 times
  sunnybb269 12 months ago

Selected Answer: B
Correct answer
upvoted 3 times
  cloudster998 1 year, 1 month ago

Manually tagging entities
You can also manually tag entities as sensitive or honeytoken accounts. If you manually tag additional users or groups, such as board members,
company executives, and sales directors, Defender for Identity will consider them sensitive.
upvoted 3 times
  PLhiro 1 year, 1 month ago

Why B?
upvoted 1 times

B = No
The URL you posted is the answer to your question. Lookup HoneyToken Accounts. :)
"... you need to configure several accounts for attackers to exploit."

upvoted 1 times

Correct
upvoted 2 times
You implement Safe Attachments policies in Microsoft Defender for Office 365.
Users report that email messages containing attachments take longer than expected to be received.
You need to reduce the amount of time it takes to deliver messages that contain attachments without compromising security. The attachments
must be scanned for malware, and any messages that contain malware must be blocked.
What should you configure in the Safe Attachments policies?
A. Dynamic Delivery
B. Replace
C. Block and Enable redirect
D. Monitor and Enable redirect
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments?view=o365-worldwide

A (100%)
  jasonfmj Highly Voted  1 year, 6 months ago

Correct
Dynamic Delivery Delivers messages immediately, but replaces attachments with placeholders until Safe Attachments scanning is complete.
For details, see the Dynamic Delivery in Safe Attachments policies section later in this article.
Avoid message delays while protecting recipients from malicious files.

Enable recipients to preview attachments in safe mode while scanning is taking place.
upvoted 31 times
  AJ2021 Most Recent  1 week, 5 days ago

upvoted 2 times

Selected Answer: A
To reduce the amount of time it takes to deliver email messages that contain attachments while still scanning the attachments for malware and
blocking any messages that contain malware, you should configure the Safe Attachments policies to use the "Dynamic Delivery" option.
Dynamic Delivery is a feature in Microsoft Defender for Office 365 that allows you to optimize the delivery of email messages containing
attachments by scanning the attachments for malware before they are delivered to the recipient's mailbox. This allows you to quickly deliver
messages that are deemed safe while still protecting against malware threats.
To configure the Safe Attachments policies to use Dynamic Delivery, you can go to the Mail flow > Safe attachments policies page in the Microsoft
365 admin center and select the "Dynamic Delivery" option for each policy.
Options B, C, and D are not relevant to reducing the delivery time for email messages with attachments and do not provide the same level of
protection against malware threats as Dynamic Delivery.
upvoted 1 times
  kovora 3 months, 4 weeks ago

Correct Answer is A
upvoted 1 times
  bluegeek 6 months ago

Selected Answer: A
Correct answer
upvoted 2 times
  eveyklel 8 months, 1 week ago

Correct
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments?view=o365-worldwide#dynamic-delivery-in-safe-
attachments-policies
upvoted 1 times
  M0809 10 months, 1 week ago

Dynamic Delivery Correct!
upvoted 2 times
  TomG 11 months, 1 week ago

Selected Answer: A
Correct Answer is A
upvoted 3 times

Selected Answer: A
Correct answer
upvoted 3 times

Selected Answer: A
Badly worded question but that's all part of the MS exam experience.
upvoted 4 times
HOTSPOT -
You are informed of an increase in malicious email being received by users.
You need to create an advanced hunting query in Microsoft 365 Defender to identify whether the accounts of the email recipients were
compromised. The query must return the most recent 20 sign-ins performed by the recipients within an hour of receiving the known malicious
email.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  pedromonteirozikado Highly Voted  1 year ago

The first answer "EmailEvents" is right because only EmailEvents table have the Subject column, but both EmailEvents and EmailAttachmentInfo
have the ThreatType table (old MalwareFilterVerdict).
The second answer: IdentityLogonEvents, is right, because is the only table that have identity objects related.
The third answer: take 20, according to MS "here is no guarantee which records are returned, unless the source data is sorted.", "take and limit are
synonyms".
I tested by myself, and the only query that return the latest results was: top 20 by Timestamp, because only "top 20" didn't work.
upvoted 23 times
  jasonfmj Highly Voted  1 year, 6 months ago
//Define new table for malicious emails
let MaliciousEmails=EmailEvents
//List emails detected as malware, getting only pertinent columns
| where ThreatTypes has "Malware"
| project TimeEmail = Timestamp, Subject, SenderFromAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0]);
MaliciousEmails
| join (
//Merge malicious emails with logon events to find logons by recipients
IdentityLogonEvents
| project LogonTime = Timestamp, AccountName, DeviceName
) on AccountName
//Check only logons within 30 minutes of receipt of an email
| where (LogonTime - TimeEmail) between (0min.. 30min)
| take 10
upvoted 9 times

On exam 2-11-2023
upvoted 2 times
  Ramkid 1 month, 1 week ago

Given Answer is correct, check the following page that has this query under the section "Review logon attempts after receipt of malicious emails"
https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide#review-logon-
attempts-after-receipt-of-malicious-emails
upvoted 4 times

upvoted 3 times

Correct. Take 20 is equal to top 20 by timestamp here.
upvoted 3 times
  Roy2022 5 months, 1 week ago

So what is the correct answer??
upvoted 1 times
  oreoale 11 months ago

The answer is correct. Here is an example: https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-
devices?view=o365-worldwide#review-logon-attempts-after-receipt-of-malicious-emails
//Define new table for malicious emails

let MaliciousEmails=EmailEvents
//List emails detected as malware, getting only pertinent columns
| where ThreatTypes has "Malware"
| project TimeEmail = Timestamp, Subject, SenderFromAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0]);
MaliciousEmails
| join (
//Merge malicious emails with logon events to find logons by recipients
IdentityLogonEvents
| project LogonTime = Timestamp, AccountName, DeviceName
) on AccountName
//Check only logons within 30 minutes of receipt of an email
| where (LogonTime - TimeEmail) between (0min.. 30min)
| take 10
upvoted 4 times
  its_me_Nat 11 months, 2 weeks ago

take 20 is correct if you need to select most recent logins.
upvoted 1 times
  jetodo7615 1 year, 1 month ago

Answer is correct, but the solution is incomplete, as the results needs to be sorted before "take" command (most recent logons). "Top" is not an
option here as it needs "by" argument to be correct.
upvoted 5 times

Believe given answer to be correct
upvoted 3 times
  ReginaldoBarreto 1 year, 2 months ago
take operator
There is no guarantee which records are returned, unless the source data is sorted.
------------------------
for this query the correct would not use top ?
Since they ask for recent records
upvoted 3 times

Yes, | top 20 by Timestamp
upvoted 3 times
  zedricko 1 year, 2 months ago

I guess so top should be used in this case
upvoted 2 times
  j888 10 months ago

As per 'Pedromonteirozikado' it is missing "by Timestamp" statement. So the given answer is correct.
upvoted 1 times

Question is outdated.
In February 2021 in the EmailAttachmentInfo and EmailEvents tables, the MalwareFilterVerdict and PhishFilterVerdict columns have been replaced
by the ThreatTypes column.
https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-changes?view=o365-worldwide
upvoted 6 times

Yes! The first answer "EmailEvents" is right because only EmailEvents table have the Subject column, but both EmailEvents and
EmailAttachmentInfo have the ThreatType table (old MalwareFilterVerdict).
The second answer: IdentityLogonEvents, is right, because is the only table that have identity objects related.
The third answer: take 20, according to MS "here is no guarantee which records are returned, unless the source data is sorted.", "take and limit
are synonyms".
I tested by myself, and the only query that return the latest results was: top 20 by Timestamp, because only "top 20" didn't work.
upvoted 3 times
You receive a security bulletin about a potential attack that uses an image file.
You need to create an indicator of compromise (IoC) in Microsoft Defender for Endpoint to prevent the attack.
Which indicator type should you use?
A. a URL/domain indicator that has Action set to Alert only
B. a URL/domain indicator that has Action set to Alert and block
C. a file hash indicator that has Action set to Alert and block
D. a certificate indicator that has Action set to Alert and block
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/indicator-file?view=o365-worldwide

C (100%)
  HSBNZ Highly Voted  1 year, 6 months ago

The correct answer it seems like, as steps for to Create an indicator for files from the settings page
1. In the navigation pane, select Settings > Endpoints > Indicators (under Rules).
2. Select the File hashes tab.
3. Select Add indicator.
4. Specify the following details:
5. Indicator - Specify the entity details and define the expiration of the indicator.
* Action - Specify the action to be taken and provide a description.
* Scope - Define the scope of the device group.
* Review the details in the Summary tab, then select Save.
upvoted 17 times
  kamun1st Most Recent  2 months ago

Selected Answer: C
correct
upvoted 1 times

Selected Answer: C
Correct answer
upvoted 4 times
Your company deploys the following services:

✑ Microsoft Defender for Identity
✑ Microsoft Defender for Endpoint
✑ Microsoft Defender for Office 365
You need to provide a security analyst with the ability to use the Microsoft 365 security center. The analyst must be able to approve and reject
pending actions generated by Microsoft Defender for Endpoint. The solution must use the principle of least privilege.
Which two roles should assign to the analyst? Each correct answer presents part of the solution.
A. the Compliance Data Administrator in Azure Active Directory (Azure AD)
B. the Active remediation actions role in Microsoft Defender for Endpoint
C. the Security Administrator role in Azure Active Directory (Azure AD)
D. the Security Reader role in Azure Active Directory (Azure AD)
Correct Answer: BD
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/rbac?view=o365-worldwide

BD (100%)
  PhilAus Highly Voted  1 year, 5 months ago

Provided answer B and D is correct.
Security Reader - can access M365 Security Center.
Active Remediation Actions role in Defender for Endpoint meets need to 'approve and reject' pending actions with respect to Defender For
Endpoint.
Requirement does not need more.
upvoted 16 times
  Metasploit Most Recent  4 months ago

Selected Answer: BD
This question is tricky.
If you follow the question directly, they are not asking either/or. They want you to assign 2 roles to the Analyst each being half of the entire
solution. Using least privileges the answer should be BD.
Not A = Too many other permissions not needed.

B = the Active remediation actions role in Microsoft Defender for Endpoint is enough for the task to be done of approving/rejecting pending
actions.
Not C = Would be able to fulfill both B and D and (more), not least privilege.
D = Quite redundant, but gives reader roles read access to the portal up until RBAC is turned on the defender permissions. Least Privilege. ¯\_(ツ)_/
¯
upvoted 4 times

Selected Answer: BD
Given answers are correct
upvoted 2 times

Selected Answer: BD
Correct answer
upvoted 2 times

Selected Answer: BD
B and D is correct
upvoted 2 times
  Andreew883 1 year, 1 month ago

B and D are correct. Minimum privilege is requested. The other two options are for administrators.
upvoted 3 times

Active remediation actions role in MDE portal is enough for approve and reject pending actions generated by Microsoft Defender for Endpoint.
As soon as you enable Active remediation actions role, Security Reader role is not work in MDE portal. If you don't enable RBAC in MDE portal you
can use Security Reader to access.
upvoted 3 times
  TOMtheBOMB 1 year, 4 months ago

Slight confused by this one, this link suggests the answer is B & C:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/m365d-action-center?view=o365-worldwide
Remediation action:
Microsoft Defender for Endpoint remediation (devices)
Required roles and permissions:

Security Administrator role assigned in either Azure Active Directory (Azure AD) (https://portal.azure.com) or the Microsoft 365 admin center
(https://admin.microsoft.com)
--- or ---
Active remediation actions role assigned in Microsoft Defender for Endpoint
upvoted 4 times

BC is the correct answer. in D, he would not be able to perform anything but just to view
upvoted 1 times

Option C will not follow the least prervilige principle. Further, this role is more for administration stuff like editing or deleting roles etc.
Checkout the below URL for more info:

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/user-roles?view=o365-worldwide
upvoted 4 times
  jasonfmj 1 year, 6 months ago

Answer is B and C
Security Reader: A user that belongs to this role has viewing rights to Security Center. The user can view recommendations, alerts, a security policy,
and security states, but cannot make changes.
Security Admin: A user that belongs to this role has the same rights as the Security Reader and can also update the security policy and dismiss
alerts and recommendations.
https://docs.microsoft.com/en-us/azure/security-center/security-center-permissions
upvoted 3 times
  Harold_Finch 8 months ago

Not C - Using principle of least privileges, B & D would be the right choices.
upvoted 1 times
  HSBNZ 1 year, 6 months ago

Please don't approve this and the previous comment here on this question, as it is a mistake. Meant to comment on the above question. Ta.
upvoted 1 times

The correct answer it is seems like, as steps for to Create an indicator for files from the settings page
1. In the navigation pane, select Settings > Endpoints > Indicators (under Rules).
2. Select the File hashes tab.
3. Select Add indicator.
4. Specify the following details:
5. Indicator - Specify the entity details and define the expiration of the indicator.
* Action - Specify the action to be taken and provide a description.
* Scope - Define the scope of the device group.
* Review the details in the Summary tab, then select Save.
upvoted 1 times
HOTSPOT -
You have a Microsoft 365 E5 subscription that uses Microsoft Defender and an Azure subscription that uses Azure Sentinel.
You need to identify all the devices that contain files in emails sent by a known malicious email sender. The query will be based on the match of
the SHA256 hash.
Hot Area:
Correct Answer:
Reference:

Correct answer as per the link, EmailAttachmentInfo
| where SenderFromAddress =~ "MaliciousSender@example.com"
//Get emails with attachments identified by a SHA-256
| join (
//Check devices for any activity involving the attachments
DeviceFileEvents
| project FileName, SHA256, DeviceName, DeviceId
) on SHA256
upvoted 27 times

https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide#check-if-
files-from-a-known-malicious-sender-are-on-your-devices
upvoted 3 times
  Apocalypse03 Highly Voted  2 months ago

Answer is correct.
Here is a brief explanation of how this query works:
The where clause filters the EmailAttachmentInfo table to only include attachments sent by the specified sender and that have a non-empty
SHA256 hash value. This effectively filters the results to only include attachments from the specified sender and that have a known hash value.
The join operator combines the results of the previous step with the results of a second query that selects the DeviceFileEvent table and projects
the FileName, SHA256, DeviceName, and DeviceId fields. This effectively creates a join between the two tables based on the SHA256 field, linking
the attachments with file events on devices.
The project operator selects the desired fields from the joined results and includes them in the final output.
This query will work in both Microsoft Defender and Azure Sentinel, as it is a valid advanced hunting query in both platforms.
upvoted 10 times
You need to configure Microsoft Cloud App Security to generate alerts and trigger remediation actions in response to external sharing of
confidential files.
Which two actions should you perform in the Cloud App Security portal? Each correct answer presents part of the solution.
A. From Settings, select Information Protection, select Azure Information Protection, and then select Only scan files for Azure Information
Protection classification labels and content inspection warnings from this tenant.
B. Select Investigate files, and then filter App to Office 365.
C. Select Investigate files, and then select New policy from search.
D. From Settings, select Information Protection, select Azure Information Protection, and then select Automatically scan new files for Azure
Information Protection classification labels and content inspection warnings.
E. From Settings, select Information Protection, select Files, and then enable file monitoring.
F. Select Investigate files, and then filter File Type to Document.
Correct Answer: DE
Reference:
https://docs.microsoft.com/en-us/cloud-app-security/tutorial-dlp https://docs.microsoft.com/en-us/cloud-app-security/azip-integration

DE (78%) CE (19%) 4%
  liberty123 Highly Voted  1 year ago

Selected Answer: DE
DE is correct , I have seen these configurations in Microsoft Learning video:
https://www.microsoft.com/en-us/videoplayer/embed/RE4CMYG?postJsllMsg=true
upvoted 12 times
  palito1980 Most Recent  1 month ago

Selected Answer: DE
D:
Settings>Information Protection>Microsoft Information Protection>Automatically scan new files for Microsoft Information Protection classification
labels and content inspection warnings.
E:
Settings>Information Protection>Files>Enable file monitoring.
upvoted 1 times
  Locian 1 month, 1 week ago

D and E to achieve both outcomes
upvoted 1 times
  jrjrjrchlv 1 month, 1 week ago

Selected Answer: DE
D. From Settings, select Information Protection, select Azure Information Protection, and then select Automatically scan new files for Azure
Information Protection classification labels and content inspection warnings. This will enable Cloud App Security to automatically scan new files for
Azure Information Protection classification labels and content inspection warnings, which can be used to detect and protect confidential files.
E. From Settings, select Information Protection, select Files, and then enable file monitoring. This will enable Cloud App Security to monitor files for
external sharing and other activities, and to generate alerts and trigger remediation actions in response to potential threats or policy violations.
upvoted 1 times
  Tagwa 1 month, 2 weeks ago

DE tested
upvoted 1 times
  nazgul250 1 month, 2 weeks ago

Selected Answer: CE
C and E
upvoted 1 times
  Ahmed_Root 2 months, 2 weeks ago

Selected Answer: C
I think C might be one of the responses because I see this sentence "Create a file policy that detects these stale public files by selecting New policy
from search" in the following link: https://learn.microsoft.com/en-us/defender-cloud-apps/file-filters
upvoted 1 times
  jayek 2 months, 2 weeks ago
https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection#detect-and-prevent-external-sharing-of-sensitive-data
upvoted 2 times

Selected Answer: CE
https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection#detect-and-prevent-external-sharing-of-sensitive-data
C= generate alerts and trigger remediation actions (In response to external sharing of confidential files)
E= Gives defender for cloud apps access to files in your SaaS apps.
Not D= This setting would be ideal in the long run, but for the question this is just too much configuration not mentioned in the answer. Where-as
C answers it directly for the need.
See below link, Its more than just a simple "checkbox". The checkbox is only to enable the integration between DefenderCA and MIP.
https://learn.microsoft.com/en-us/defender-cloud-apps/azip-integration
upvoted 1 times
  Xyz_40 4 months, 1 week ago

the given answer is very correct
upvoted 1 times
  Abdul11 7 months ago

correct
upvoted 1 times
  homeysl 10 months, 2 weeks ago

Selected Answer: DE
tested this.
upvoted 3 times
  ubt 11 months, 1 week ago

Selected Answer: CE
You need E to turn on file Monitoring
You need C to enable the alerts and fix them
D doesn't do what is requested in the question...
upvoted 3 times
  its_me_Nat 11 months, 2 weeks ago

CE are correct. D and E are actually meant to achieve the same aim, so cannot be joint together.
this link may help:
https://docs.microsoft.com/en-us/defender-cloud-apps/file-filters
upvoted 4 times

Selected Answer: DE
Correct answer
upvoted 2 times
  ehsanhabib 11 months, 2 weeks ago

agreed
upvoted 1 times

How does the given answer "generate alerts and trigger remediation actions in response to external sharing of confidential files" without a policy?
upvoted 2 times
  ja_girl_eng 1 year, 1 month ago

Definitely DE though it seems to be called MIP and not AIP
In Defender for Cloud Apps, under the settings cog, select the Settings page under the System heading.
Under Microsoft Information Protection, select Automatically scan new files for Microsoft Information Protection sensitivity labels.
https://docs.microsoft.com/en-us/defender-cloud-apps/tutorial-dlp
upvoted 4 times
HOTSPOT -
You purchase a Microsoft 365 subscription.
You plan to configure Microsoft Cloud App Security.
You need to create a custom template-based policy that detects connections to Microsoft 365 apps that originate from a botnet network.
What should you use? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Reference:
  Efficia Highly Voted  1 year, 3 months ago

Policy template type: Activity Policy
Filter based on: IP address tag
Tested on the MCAS portal. When you select Activity policy only you get to filter from IP address.
upvoted 32 times

Agreeing with this answer, just tested it as well.
Activity Policy Type.

Filter: IP address> Tag >equals >Botnet
Access Policy: Does not seem to have a filter section.

Cloud Discovery Anomaly Detection Policy: Does not meet any of the options to filter here.
upvoted 6 times

its NOT Activity Policy, as per https://docs.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
anomaly-detection-policy:
Activity from suspicious IP addresses:
This detection identifies that users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are
involved in malicious activities, such as performing password spray, Botnet C&C, and may indicate compromised account. This detection uses a
machine-learning algorithm that reduces "false positives", such as mis-tagged IP addresses that are widely used by users in the organization.
upvoted 3 times
  MNC 5 months, 4 weeks ago

anomaly detection policy doesn't exists
upvoted 3 times

It actually does, it is called cloud discovery anomaly detection policy; but not suitable for this question as you cannot filter by any of the
mentioned filters in the question.
upvoted 2 times

Control -> Templates -> Logon from a risky IP address -> Create (activity) policy -> Activities matching any of the following -> IP address |
Category | equals | Risky.
Answer is Activity policy, IP address.
For anyone who thinks it's "Anomaly detection policy", state the exact steps please and say why the steps above are wrong.
upvoted 13 times
  vijeet 11 months, 2 weeks ago

Activity from suspicious IP addresses
machine-learning algorithm that reduces "false positives", such as mis-tagged IP addresses that are widely used by users in the organization
upvoted 1 times
  guneskursad Most Recent  1 week ago

Question in Exam today. 12-02-23. Answer is = activity policy, ip address tag
upvoted 2 times
  altecer 1 week, 1 day ago

On exam 2-11-2023
upvoted 3 times

upvoted 5 times
  TiredofTesting 1 month, 3 weeks ago

Looks like it is leaning more for 1) Activity Policy and 2) IP address tag.
While I want to say Anomaly detection policy for the 1st answer, when I tested it in the lab, it came back with no templates under that category.
While Activity Policy came back with a bunch related to logins from risky IP, potential ransomware activity, etc.
upvoted 2 times

Activity policies in Cloud App Security are designed to detect specific types of activity in the cloud apps that are being monitored. The "Botnet
Network Activity" policy template is a pre-defined policy that is designed to detect and alert on suspicious activity from botnet networks. This
policy uses a combination of machine learning and threat intelligence to identify botnet network activity, such as attempts to compromise accounts
or access sensitive data.
"Access Policy," is a type of policy that is used to control access to specific cloud apps or resources based on specified conditions, such as the
location of the user or the type of device being used.
"Anomaly detection policy," is a type of policy that is used to detect anomalies in the activity of specific cloud apps or resources based on specified
conditions, such as the number of times a resource is accessed or the type of activity that is being performed. Neither of these options is suitable
for detecting connections to Microsoft 365 apps that originate from a botnet network.
upvoted 5 times

https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy it is anomaly detection policy and the other "suspicious ip
address" actually which is not here. but you can find the response in the link.
"
Activity from suspicious IP addresses:
These IP addresses are involved in malicious activities, such as performing password spray, Botnet C&C, and may indicate compromised account...
"
upvoted 1 times

I'm really confused on this one
For anomaly detections says "such as mis-tagged IP addresses" so it doesn't use IPs tagged as malicious, and the filter used according to scenario
in filter can only be IP address tag.
If we were to choose anomaly detections, the filter should be source, as it originates from a botnet.
Activity from suspicious IP addresses

machine-learning algorithm that reduces "false positives", such as mis-tagged IP addresses that are widely used by users in the organization.
https://docs.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
upvoted 1 times
https://docs.microsoft.com/en-us/defender-cloud-apps/control-cloud-apps-with-policies
upvoted 3 times

yes this link is helpful also this one https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
it is clear that the first response is "anomaly detection policy" but there is not "ip add tag" filter in it" there is "risky ip address" and such filters.
upvoted 2 times
  de_cs_bacsi 5 months, 3 weeks ago

There is an exact filter type what is needed under the creation of "Activity policy":
"Select a filter --> IP Address --> Select a filter --> Tag --> Select IP address tag --> Botnet"
And there is no "Anomaly policy" after pushing the "Create policy" button so all the Anomaly Policies are built-in and not custom ones.
Thus:
upvoted 4 times
  Whatsamattr81 6 months, 2 weeks ago

Also, when creating a policy based on the anomaly template, none of the options in the second part of the question are valid options.
upvoted 1 times

I think the answer is in the word 'custom'... The anomaly policies are just built in pols that have no actions associated. An activity policy can be used
to the same effect, IP Tag and IP Category can be used. You also need to scope the policy to M365 apps - can you do that on anomaly detection ?
upvoted 1 times
  LotusBeta 6 months, 2 weeks ago

The question says "You need to create a custom template-based policy"...only Anomaly detection policy has template with which we can create
policy. Answer "Anomaly detection policy" and "IP address tag" are correct.
upvoted 3 times
  yoton 1 month ago

Activity Policy can also create custom templates.
https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide#review-
logon-attempts-after-receipt-of-malicious-emails
upvoted 1 times
  Joshing 7 months ago

The correct answer has to be the following.

Reason being that you cannot create an anomaly detection policy as it's a built-in policy. Also, you cannot filter the policy based on IP address tags
either. Activity Policy and IP address tag has to be the correct selection.
If it asked for you to ensure that activity from Botnets were alerted on and it was to be filtered for specific users then yes this policy could be edited
to suit that but currently as it stands you cannot create this policy or filter by IP tags.
upvoted 5 times
  Funnyreaction 9 months ago

Policy Template type: Activity Policy
Filter Based on: IP address tag (in MCAS if you select IP address and follow the Tag it will give you the option to select botnet)
upvoted 1 times
  ikmb 10 months, 1 week ago

It's Anomaly detection policies - precisely Activity from suspicious IP addresses
https://docs.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
upvoted 2 times
Your company has a single office in Istanbul and a Microsoft 365 subscription.
The company plans to use conditional access policies to enforce multi-factor authentication (MFA).
You need to enforce MFA for all users who work remotely.
What should you include in the solution?
A. a fraud alert
B. a user risk policy
C. a named location
D. a sign-in user policy
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition

C (100%)
  Startkabels Highly Voted  1 year, 4 months ago

Named location so you can enforce MFA except for the named location, thus forcing it for everyone who works remotely
upvoted 14 times
  Efficia Highly Voted  1 year, 3 months ago

Selected Answer: C
Named locations can be defined by IPv4/IPv6 address ranges or by countries.
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition#named-locations
upvoted 10 times
  guneskursad Most Recent  1 week ago

Question in Exam today. 12-02-23
upvoted 1 times

On exam 2-11-2023
upvoted 1 times

upvoted 3 times
  UmarCyber 1 week, 3 days ago

That's Great!
upvoted 1 times
  Sango 7 months ago

The key here is "all users who work remotely." Only a named location can be used to define a CA rule to allow MFA for everyone except a trusted
location like the office's internal IP ranges.
upvoted 2 times
  xbonex99 7 months ago

C with New reference
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa
upvoted 2 times

Selected Answer: C
Best choice
upvoted 3 times
  casti 1 year, 1 month ago

Selected Answer: C
Correct
upvoted 3 times

correct
upvoted 2 times
  Eltooth 1 year, 4 months ago

Correct - named location.
upvoted 2 times

You have a custom threat detection policy based on the IP address ranges of your company's United States-based offices.
You receive many alerts related to impossible travel and sign-ins from risky IP addresses.
You determine that 99% of the alerts are legitimate sign-ins from your corporate offices.
You need to prevent alerts for legitimate sign-ins from known locations.
A. Configure automatic data enrichment.
B. Add the IP addresses to the corporate address range category.
C. Increase the sensitivity level of the impossible travel anomaly detection policy.
D. Add the IP addresses to the other address range category and add a tag.
E. Create an activity policy that has an exclusion for the IP addresses.
Correct Answer: AD

AB (84%) Other
  JohnAvlakiotis Highly Voted  1 year, 4 months ago

This answer looks wrong and since there is no reference link to support it I challenge it. To me the correct answer is B,E.
upvoted 25 times

Apologies, the answer provided is correct. I just know checked the site myself and the options exist, you add the IP address range and a tag and
then you check to override the data enrichment by providing a location that goes along with that IP range.
So, A & D stand correct.

upvoted 36 times
  Neela 11 months ago

https://docs.microsoft.com/en-us/defender-cloud-apps/api-data-enrichment
upvoted 6 times

For me also BE
add Ip to corporate or exclude IP address from alert
upvoted 4 times

I echo your thoughts, I can get a few hints to support your answer at below location:
https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts
upvoted 2 times

At least B makes sense as the question reads a custom policy based on a custom IP range is in place. So false positive alerts that are
generated by activity from the offices would be solved by adding their IP ranges in the custom IP range used in the policy..
upvoted 3 times

https://docs.microsoft.com/en-us/cloud-app-security/ip-tags
upvoted 3 times

Selected Answer: AB
A - this seems correct, as if you override the automatic detection of location for company IP address ranges, you can prevent the impossible travel
alerts.
B - This makes sense as you need to define your corporate address ranges so that they are not seen as risky.
C - Increasing the sensitivity of the impossible travel detection would create more alerts.
D - Why would you set the IP addresses to the "Other" category when there is a "Corporate" category that fits the description?
E - Creating a new policy when there is already an existing one that you need to reduce the alerts from, would not reduce the number of alerts.
upvoted 17 times

Best answer IMHO. Stop (it says configure, it should say untick) the enrichment (for the impossible travel) add the addresses of your US offices,
part of your company, to the corporate range.
upvoted 2 times
  exmITQS Most Recent  3 days, 1 hour ago

The two actions to prevent alerts for legitimate sign-ins from known locations in Microsoft Cloud App Security are:
B. Add the IP addresses to the corporate address range category.

E. Create an activity policy that has an exclusion for the IP addresses.
Explanation:
B. By adding the IP addresses to the corporate address range category, you are indicating that these addresses are trusted and belong to your
organization. This will prevent alerts from being generated for legitimate sign-ins from these IP addresses.
E. By creating an activity policy that has an exclusion for the IP addresses, you can further customize the alerts and specify that you don't want to
receive alerts for sign-ins from the trusted IP addresses. This will reduce the number of alerts that you receive and ensure that you are only notified
when there is a real security threat
upvoted 1 times

Selected Answer: AB
Seems like A and B are most appropriate.
upvoted 3 times

Seems like A & D are correct based on:
https://learn.microsoft.com/en-us/defender-cloud-apps/ip-tags
https://learn.microsoft.com/en-us/defender-cloud-apps/api-data-enrichment
upvoted 1 times

Apologies seems like A, B make more sense.
upvoted 2 times
  AzureExpertwannabe 3 weeks, 1 day ago

Selected Answer: AB
upvoted 1 times
  smudo1965 3 weeks, 6 days ago

At least B is correct taking into account MS documentation "Built-in IP address tags and custom IP tags are considered hierarchically. Custom IP
tags take precedence over built-in IP tags. For instance, if an IP address is tagged as Risky based on threat intelligence but there's a custom IP tag
that identifies it as Corporate, the custom category and tags take precedence."
upvoted 1 times
  B3nj4m1n 1 month, 3 weeks ago

A a D since you need to use the VPN category since corporate is not excluding the IP in the rule
upvoted 1 times

Selected Answer: AB
Although I will go for AB...
Here is a summary of my thoughts:

To prevent alerts for legitimate sign-ins from known locations, you should perform the following actions:
B. Add the IP addresses to the corporate address range category. This will ensure that sign-ins from these IP addresses are not flagged as
suspicious.
E. Create an activity policy that has an exclusion for the IP addresses. This will allow you to exclude sign-ins from these IP addresses from being
flagged as anomalous or risky.
upvoted 1 times
  John0153 3 months, 2 weeks ago

Selected Answer: AD
A and D is correct because of this statement "You need to prevent alerts for legitimate sign-ins from known locations." it's not a bespoke company
ONLY IP's
upvoted 2 times

Selected Answer: AB
Answer is A & D. Just tested this on portal.cloudappsecurity.com.
1) Top right corner Gear Icon.

2) Menu topic: DATA ENRICHMENT

3) Click on IP address ranges
4) Click on +Add IP address range
Answer B below
5) Config boxes: Name, Ip address ranges(Add US based IP addresses), Category(Select Corporate), Tags
Answer A below
5.1) Override automatic data enrichment: [] Override registered ISP, [] Override location(check and select United States.)
Corporate Tag: These IPs should be all the public IP addresses of your internal network, your branch offices, and your Wi-Fi roaming addresses.
upvoted 3 times

Correction in first Line. Answer is A and B.
upvoted 3 times

I've seen variations of this question where option A is "Override automatic data enrichment" - which would make it a correct option. You've
discovered they are legitimate sign ins so basically you need to whitelist the PIP they are coming from and override what MCAS currently thinks
they are A and D
upvoted 1 times
  natxu 9 months, 1 week ago

Selected Answer: BE
answer provided seems wrong to me...
upvoted 1 times
  Davidf 10 months, 2 weeks ago

Selected Answer: AB
Can't be C, would give us more alerts. Can't be D, as B is correct (corporate IPs), can't be E as that makes no sense, so AB it is.
upvoted 6 times

Selected Answer: AB
should be AB
upvoted 4 times
  Ken88 11 months, 2 weeks ago

Selected Answer: AB
https://docs.microsoft.com/en-us/defender-cloud-apps/media/newipaddress-range.png
AB is correct answer
upvoted 5 times
  kittyaj 11 months, 3 weeks ago

Selected Answer: BE
BE for me
upvoted 3 times
Solution: You add each account as a Sensitive account.
A. Yes
B. No
Correct Answer: B
Reference:

B (100%)

On exam 2-11-2023
upvoted 1 times
  tolu_x 1 month, 2 weeks ago

answer is correct
upvoted 1 times
  saltytomato 6 months, 1 week ago

Selected Answer: B
B is the correct answer
upvoted 1 times

Selected Answer: B
Correct
upvoted 2 times
  irash1993 11 months, 4 weeks ago

Answer B is correct
upvoted 2 times
You have a Microsoft 365 tenant that uses Microsoft Exchange Online and Microsoft Defender for Office 365.
What should you use to identify whether zero-hour auto purge (ZAP) moved an email message from the mailbox of a user?
A. the Threat Protection Status report in Microsoft Defender for Office 365
B. the mailbox audit log in Exchange
C. the Safe Attachments file types report in Microsoft Defender for Office 365
D. the mail flow report in Exchange
Correct Answer: A
To determine if ZAP moved your message, you can use either the Threat Protection Status report or Threat Explorer (and real-time detections).
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-hour-auto-purge?view=o365-worldwide

A (100%)
  us3r Highly Voted  9 months, 2 weeks ago

Selected Answer: A
A) answer refers to Threat Explorer
To determine if ZAP moved your message, you have the following options:
Number of messages: Use the Mailflow view in the Mailflow status report to see the number of ZAP-affected messages for the specified date
range.
Message details: Use Threat Explorer (and real-time detections) to filter All email events by the value ZAP for the Additional action column.
answer D (Exchange mailflow) ≠ Mailflow view in the Mailflow status report

upvoted 6 times
  vincenttoolate 7 months, 2 weeks ago

Yes, the answer D said "mail flow report in Exchange", this is not the same as "Mail Status Report" at Microsoft Defender for Office 365.
A is correct as per: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/view-email-security-reports?view=o365-

worldwide#threat-protection-status-report
"The report provides the count of email messages with malicious content, such as files or website addresses (URLs) that were blocked by the
anti-malware engine, zero-hour auto purge (ZAP), and Defender for Office 365 features like Safe Links, Safe Attachments, and impersonation
protection features in anti-phishing policies."
upvoted 3 times
  Anko6116 Most Recent  1 week, 1 day ago

Selected Answer: A
Correct seems to be A based on provided article. Section: How to see if ZAP moved your message.
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-hour-auto-purge?view=o365-worldwide
B - does not make sense to check Safe Attachments when we're looking for mails.
C & D: ZAP is not logged in the Exchange mailbox audit logs as a system action.
upvoted 2 times
  Lone__Wolf 1 week ago

Yes.. The correct option to identify whether ZAP moved an email message from the mailbox of a user is the Threat Protection Status report in
Microsoft Defender for Office 365. This report provides information about the actions taken by Microsoft Defender for Office 365, including
ZAP, to protect the tenant against malicious email messages.
The zero-hour auto purge (ZAP) is not logged as a system action in the Exchange mailbox audit logs. So B is incorrect.
upvoted 1 times

To determine if ZAP moved your message, you can use either the Threat Protection Status report or Threat Explorer (and real-time detections).
So the answer is - A
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-hour-auto-purge?view=o365-worldwide
upvoted 2 times
Correct Answer,
Just check this https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-hour-auto-purge?view=o365-worldwide#how-
to-see-if-zap-moved-your-message
upvoted 1 times
  AbdulMueez 3 months, 2 weeks ago

The answer is A
upvoted 2 times

Selected Answer: A
A by process of elimination.
Not the following:

b = ZAP is not logged as system action in auditlog in exchange
c = The Safe attachment file types report has been deprecated and is now replaced by the Threat Protection Status Report.
d= The mail flow report in "Exchange". Not the "Mail Flow status Report". The mail flow reports in "Exchange" are not relevant here.
upvoted 3 times

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/view-email-security-reports?view=o365-worldwide#threat-
protection-status-report
upvoted 1 times

Keyword here is 'an' email message. Not how many email messages.
Number of messages: Use the Mailflow view in the Mailflow status report to see the number of ZAP-affected messages for the specified date
range.
Message details: Use Threat Explorer (and real-time detections) to filter All email events by the value ZAP for the Additional action column.
To check 'an email', use Threat Explorer first

upvoted 2 times
  prjreddit 7 months ago

Selected Answer: A
The answer is A. The mail flow report does show the flow of all mail on aggregate - so you do see the number of mails moved by ZAP - but the
questions state a mail from a specific user - that you see in the Threat Explorer.
upvoted 2 times
  rdy4u 9 months, 4 weeks ago

To determine if ZAP moved your message, you have the following options:
• Number of messages: Use the Mailflow view in the Mailflow status report to see the number of ZAP-affected messages for the specified date
range.
• Message details: Use Threat Explorer (and real-time detections) to filter All email events by the value ZAP for the Additional action column.
D should be.,=
upvoted 3 times
  Mthaher 9 months, 4 weeks ago

it should be D the mail flow report in Exchange .
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-hour-auto-purge?view=o365-worldwide#how-to-see-if-zap-
moved-your-message
upvoted 4 times
You have a Microsoft 365 subscription that contains 1,000 Windows 10 devices. The devices have Microsoft Office 365 installed.
You need to mitigate the following device threats:
✑ Microsoft Excel macros that download scripts from untrusted websites
✑ Users that open executable attachments in Microsoft Outlook
✑ Outlook rules and forms exploits
What should you use?
A. Microsoft Defender Antivirus
B. attack surface reduction rules in Microsoft Defender for Endpoint
C. Windows Defender Firewall
D. adaptive application control in Azure Defender
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction?view=o365-worldwide

B (100%)

Selected Answer: B
B: Attack Surface Reduction rules.
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide
Block all Office applications from creating child processes

Block executable content from email client and webmail
upvoted 6 times
  UmarCyber Most Recent  1 week, 3 days ago

Selected Answer: B
B is the correct answer!
upvoted 1 times

Selected Answer: B
Attack Surface Reduction rules.
upvoted 2 times
You have a third-party security information and event management (SIEM) solution.
You need to ensure that the SIEM solution can generate alerts for Azure Active Directory (Azure AD) sign-events in near real time.
What should you do to route events to the SIEM solution?
A. Create an Azure Sentinel workspace that has a Security Events connector.
B. Configure the Diagnostics settings in Azure AD to stream to an event hub.
C. Create an Azure Sentinel workspace that has an Azure Active Directory connector.
D. Configure the Diagnostics settings in Azure AD to archive to a storage account.
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/overview-monitoring

B (100%)
  rdy4u Highly Voted  9 months, 4 weeks ago

Routing logs to an Azure event hub allows you to integrate with third-party SIEM tools like Sumologic and Splunk.
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub
upvoted 6 times

Selected Answer: B
B is correct
upvoted 2 times
  Jadeitalia365 4 months, 3 weeks ago

Selected Answer: B
B is correct
upvoted 1 times

Can do with B or D depending on the SIEM... But B would likely work with all.
upvoted 1 times
  CatoFong 6 months, 4 weeks ago

Selected Answer: B
B is correct
upvoted 1 times
  giver 7 months, 1 week ago

answer is correct B
upvoted 1 times

https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/overview-monitoring#:~:text=Stream%20logs%20to,event%20hub.
upvoted 2 times
  feye2020 8 months, 1 week ago

Thanks
upvoted 1 times
DRAG DROP -
You have an Azure subscription linked to an Azure Active Directory (Azure AD) tenant. The tenant contains two users named User1 and User2.
You plan to deploy Azure Defender.
You need to enable User1 and User2 to perform tasks at the subscription level as shown in the following table.
The solution must use the principle of least privilege.

Which role should you assign to each user? To answer, drag the appropriate roles to the correct users. Each role may be used once, more than
once, or not at all.
You may need to drag the split bar between panes or scroll to view content.
Select and Place:
Correct Answer:
Box 1: Owner -
Only the Owner can assign initiatives.
Box 2: Contributor -
Only the Contributor or the Owner can apply security recommendations.
Reference:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/permissions
  Lion007 Highly Voted  8 months ago

Answer is correct, but the justification provided is not quite accurate.
User1: Owner
User2: Contributor
You can't choose 'Security Admin' because the key in the questions is 'at the subscription level'. Read the Security Admin section in the
documentation https://docs.microsoft.com/en-us/azure/defender-for-cloud/permissions
At the Subscription Level, only Contributor and Owner can :

- Apply security recommendations
- Add/Assign initiatives
- Edit security policy
- Dismiss alerts
However, only the Owner can 'Enable auto provisioning'... to be the owner of the extension you're deploying. "For auto provisioning, the specific
role required depends on the extension you're deploying." Check the section under the roles table https://docs.microsoft.com/en-
us/azure/defender-for-cloud/permissions
All roles can 'view' alerts and recommendations.

upvoted 23 times
  Tanasi 5 months ago

This guy is correct. Details here:
https://learn.microsoft.com/en-us/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-loganalytic#availability
upvoted 2 times
  j888 Highly Voted  10 months ago

Wouldn't this be contributors for both?
https://docs.microsoft.com/en-us/azure/defender-for-cloud/permissions#roles-and-allowed-actions
upvoted 16 times

Sorry i was wrong to upvote this answer, the right answer is Owner and then Contributor.
upvoted 3 times
  Tohar 1 month, 3 weeks ago

That's correct. Because only Owner can ASSIGN Initiatives at the subscription level.
upvoted 1 times
  UmarCyber Most Recent  1 week, 3 days ago

At subscription level only owner can 'Add/assign initiatives (including) regulatory compliance standards)'. Answer is correct.
upvoted 2 times
  Matshedy 1 week, 6 days ago

Correct answer:
User 1: contributor
User 2: contributor
upvoted 1 times
  zafara55 2 months, 2 weeks ago

Apology. Security Administrator is not correct for user 1. It's not applied at the subscription level.
upvoted 1 times
  zafara55 2 months, 2 weeks ago

Security Administrator is also correct for user 1.
Security Admin can Add/assign initiatives (including) regulatory compliance standards)
upvoted 1 times
  Snaileyes 4 months, 2 weeks ago

At the given reference URL… Contributor can also assign initiatives… So… Contributor for both!
upvoted 1 times
  Reyrain 2 months, 3 weeks ago

no, it is quite clear that is not the case from the (above) linked article.
upvoted 1 times

The solution must use the principle of least privilege....
contributor priviledge is lower than owner I suppose, if so the first one why don't select contributor ?
upvoted 1 times

Solution is correct.
Owner and Contributor are required. If you enable Auto Provisioning, there are resources that require you to be Owner on that subscription.
Details here:
https://learn.microsoft.com/en-us/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-loganalytic#availability
upvoted 3 times
  Tanasi 5 months, 1 week ago
Contributor on subscription role for both. Remember that big difference between Contributor and Owner is that Owner also has access to modify
RBAC (which is not required here, and will not adhere to Principle of Least Privilege)
upvoted 3 times
  Stiobhan 5 months, 4 weeks ago

Right answer is contributor for both:
Action Security Reader /
Reader Security Admin Contributor / Owner Contributor Owner
(Resource group level) (Subscription level) (Subscription level)
Add/assign initiatives (including) regulatory compliance standards) - - - ✔ ✔
It's right there in the link. Remember, it asking at the subscription level.
upvoted 3 times
  bluegeek 6 months ago

Given answer is correct. Key part is "at the subscription level"
Security admin only has access in Defender for cloud and not other Azure services
upvoted 2 times

For auto provisioning, the specific role required depends on the extension you're deploying. Half the available extensions require owner...
upvoted 2 times
  Rading 6 months, 2 weeks ago

it should be both "contributor". for the reason that it should be in "subscription level" and "least privilege" condition.
upvoted 3 times
  thinkingface 6 months, 3 weeks ago

Currently studying and I looked at the link provided on this : https://docs.microsoft.com/en-us/azure/defender-for-cloud/permissions . The two
should both be contributor I think because at the SUBSCRIPTION level, both would need to be contributor here for the listed permissions.
upvoted 4 times

the question is asking for roles at the subscription level. Both User 1 and User 2 need contributor
upvoted 2 times
  thesisemenu 8 months ago

The correct answer should be
User1: Contributor
in the question we need "least privilege"
User2: Contributor
in the question it's indicate "Subscription level" security admin is not on subscription level. you can refer to this link
upvoted 9 times

The first one is VERY wrong.
The question states at the start that this is at the subscription level. Thus, the contributor role cannot Add/assign initiatives (including)
regulatory compliance standards)
upvoted 1 times
HOTSPOT -
You have a Microsoft 365 E5 subscription that contains 200 Windows 10 devices enrolled in Microsoft Defender for Endpoint.
You need to ensure that users can access the devices by using a remote shell connection directly from the Microsoft 365 Defender portal. The
solution must use the principle of least privilege.
What should you do in the Microsoft 365 Defender portal? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: Turn on Live Response -

Live response is a capability that gives you instantaneous access to a device by using a remote shell connection. This gives you the power to do
in-depth investigative work and take immediate response actions.
Box: 2 -
Network assessment jobs allow you to choose network devices to be scanned regularly and added to the device inventory.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-devices?view=o365-worldwide
  Lion007 Highly Voted  8 months ago

The first answer is correct, but the second answer is wrong.
The network assessment job has nothing to do with the question. It is a feature to scan networks and discover network devices for vulnerability
management. The correct answer should be "Automation in Full mode", because it is the only correct answer since the last provided answer is to
set Automation to "Not automated" which is not correct as per Microsoft docs on Live Response, check it out here "Ensure that the device has an
Automation Remediation level assigned to it." https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/live-response?
view=o365-worldwide
upvoted 23 times

Lion007 is correct. Turn on Live Response >> Automation level to Full
upvoted 6 times
  urisoft 1 month, 1 week ago

I subscribe to the above: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/automation-levels?view=o365-
worldwide#levels-of-automation
upvoted 1 times

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/live-response?view=o365-worldwide
Ensure that the device has an Automation Remediation level assigned to it.
You'll need to enable, at least, the minimum Remediation Level for a given Device Group. Otherwise you won't be able to establish a Live Response
session to a member of that group.
upvoted 11 times
  doch Most Recent  2 weeks, 4 days ago
1. Turn On Live Response
2. Automation Level should be full. Ensure that the device has an Automation Remediation level assigned to it. https://learn.microsoft.com/en-
us/microsoft-365/security/defender-endpoint/live-response?source=recommendations&view=o365-worldwide
upvoted 2 times

Second need to be full. Whole concept of REMEDIATION during live connect is based on Remediation assigned. If its off, then Live connect wont
start.
upvoted 3 times
  DumbBobJohnson 9 months, 4 weeks ago

The second answer should be the last one. It has to have a minimum Remediation level
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/live-response?view=o365-worldwide
upvoted 4 times
  vincenttoolate 8 months, 1 week ago

no, the last one is "no automated response", which means "no automation".
"Create a device group that contains the devices and set Automation level to full" is the only answer have automation remediation enabled.
upvoted 2 times
  avr 7 months, 3 weeks ago

it says "no automated response" but still is a Remediation Level and the question says "least privileges" so, the second answer should be the
last one
upvoted 1 times
  abdulwaheed525 10 months ago

The second answer for the creation of a network assessment job is confusing. Could someone explain?
upvoted 1 times
  StaxJaxson 9 months, 1 week ago

Its a red herring - its wrong - nothing to do with AIR/LR.
upvoted 2 times
HOTSPOT -
You have a Microsoft 365 subscription that uses Microsoft 365 Defender and contains a user named User1.
You are notified that the account of User1 is compromised.
You need to review the alerts triggered on the devices to which User1 signed in.
Hot Area:
Correct Answer:
Box 1: join -
An inner join.
This query uses kind=inner to specify an inner-join, which prevents deduplication of left side values for DeviceId.
This query uses the DeviceInfo table to check if a potentially compromised user (<account-name>) has logged on to any devices and then lists
the alerts that have been triggered on those devices.
DeviceInfo -
//Query for devices that the potentially compromised account has logged onto
| where LoggedOnUsers contains '<account-name>'
| distinct DeviceId
//Crosscheck devices against alert records in AlertEvidence and AlertInfo tables
| join kind=inner AlertEvidence on DeviceId
| project AlertId
//List all alerts on devices that user has logged on to
| join AlertInfo on AlertId
| project AlertId, Timestamp, Title, Severity, Category

DeviceInfo LoggedOnUsers AlertEvidence "project AlertID"
Box 2: project -
Reference:
  Apocalypse03 Highly Voted  2 months ago

Correct: join & project
Filtering the DeviceInfo table to only include rows where the LoggedOnUsers field contains the string "user1".
Removing duplicates based on the DeviceId field.
Joining the resulting set of devices with the AlertEvidence table based on the DeviceId field.
Projecting the AlertId field from the resulting set.
Joining the resulting set of alerts with the AlertInfo table based on the AlertId field.
Projecting the AlertId, Timestamp, Title, Severity, and Category fields from the resulting set of alerts.
This query retrieves a list of alerts that are related to devices where the user "user1" is logged on, and it includes the alert ID, timestamp, title,
severity, and category for each alert. The "join" and "project" operations in the query are used to combine and filter the data from the various
tables in the ATP data model.
upvoted 5 times

Correct!
upvoted 1 times

Correct, join & project
https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide#get-device-
information
upvoted 3 times
  User_Mowgli 4 months ago

Correct. Join and project respectively.
upvoted 2 times
You have a Microsoft 365 E5 subscription that uses Microsoft SharePoint Online.
You delete users from the subscription.
You need to be notified if the deleted users downloaded numerous documents from SharePoint Online sites during the month before their
accounts were deleted.
A. a file policy in Microsoft Defender for Cloud Apps
B. an access review policy
C. an alert policy in Microsoft Defender for Office 365
D. an insider risk policy
Correct Answer: C
Alert policies let you categorize the alerts that are triggered by a policy, apply the policy to all users in your organization, set a threshold level
for when an alert is triggered, and decide whether to receive email notifications when alerts are triggered.
Default alert policies include:
Unusual external user file activity - Generates an alert when an unusually large number of activities are performed on files in SharePoint or
OneDrive by users outside of your organization. This includes activities such as accessing files, downloading files, and deleting files. This policy
has a High severity setting.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/alert-policies

D (100%)
  espnadmin Highly Voted  5 months, 3 weeks ago

D. an insider risk policy
upvoted 12 times
  RafaAbel 5 months, 3 weeks ago

I agree due to the context, this guy was leaving the company then being monitored by insider risk policy
upvoted 2 times

Selected Answer: D
D: Insider risk policy.
Data theft by departing users:
https://learn.microsoft.com/en-us/microsoft-365/compliance/insider-risk-management-policies?view=o365-worldwide#data-theft-by-departing-
users
When users leave your organization, there are specific risk indicators typically associated with data theft by departing users. This policy template
uses exfiltration indicators for risk scoring and focuses on detection and alerts in this risk area.
upvoted 9 times
  exmITQS Most Recent  3 days, 1 hour ago

Selected Answer: D
To be notified if the deleted users downloaded numerous documents from SharePoint Online sites during the month before their accounts were
deleted, you should use an insider risk policy.
Insider risk policies in Microsoft 365 can monitor user activity across different services, including SharePoint Online, to detect potential insider risks
such as data leaks or theft. You can configure an insider risk policy to trigger an alert when certain user activity matches a defined risk level or
condition, such as downloading a large number of documents.
upvoted 1 times
  hamedhy 1 week, 2 days ago

It seems that user account is already deleted and just remain for 30 days in case of restore! I think it's tricky to got the account is NOT usable
anymore and user will be count as an external anyway. I hope that I'm right hehe!
upvoted 1 times
  khrid4 2 weeks, 3 days ago

Data theft by departing users
Collection: Detects download activities by in-scope policy users. Example risk management activities include downloading files from SharePoint
sites or moving files into a compressed folder.
https://learn.microsoft.com/en-us/microsoft-365/compliance/insider-risk-management-policies?view=o365-worldwide#data-theft-by-departing-
users
upvoted 2 times
  Lokmane14 2 months, 3 weeks ago
Selected Answer: D
D seems to be correct, insider risk policy suits to this question.
upvoted 3 times

An alert policy from the endpoint is the right Answer.
So C is correct.
upvoted 1 times
  vannear 3 months, 2 weeks ago

Selected Answer: D
My first day on my first job was to review the trainning session from Micrsoft, they highlighted this "Insider Risk"feature several times, the correct
answer defenitely is D.
upvoted 3 times
  yongda 3 months, 2 weeks ago

D & C are both reasonable answers. However, the question did not state that the deleted user is leaving the organization. Therefore, for this
question C might be the 'better' answer
upvoted 2 times

Should the word "before" be changed for "after"?
upvoted 1 times
  Pandaguo 4 months, 1 week ago

C is right.
Unusual external user file activity
Generates an alert when an unusually large number of activities are performed on files in SharePoint or OneDrive by users outside of your
organization. This includes activities such as accessing files, downloading files, and deleting files.
upvoted 1 times
  natxu 4 months, 2 weeks ago

Selected Answer: D
You need an Insider Risk Management policy based in Employee Departures.
upvoted 2 times
  Anonymousse 5 months ago

https://learn.microsoft.com/en-us/microsoft-365/compliance/insider-risk-management-configure?view=o365-worldwide
upvoted 1 times
  Jadeitalia365 5 months ago

Selected Answer: D
Insider risk
upvoted 2 times
  Myozymm 5 months ago

correct answers is C
upvoted 3 times
  Tanasi 5 months, 1 week ago

Selected Answer: D
Insider risk
upvoted 2 times

Selected Answer: D
Insider risk is literally made for this
upvoted 1 times
You have a Microsoft 365 subscription that has Microsoft 365 Defender enabled.
You need to identify all the changes made to sensitivity labels during the past seven days.
A. the Incidents blade of the Microsoft 365 Defender portal
B. the Alerts settings on the Data Loss Prevention blade of the Microsoft 365 compliance center
C. Activity explorer in the Microsoft 365 compliance center
D. the Explorer settings on the Email & collaboration blade of the Microsoft 365 Defender portal
Correct Answer: C
Labeling activities are available in Activity explorer.
For example:
Sensitivity label applied -

This event is generated each time an unlabeled document is labeled or an email is sent with a sensitivity label.
It is captured at the time of save in Office native applications and web applications.
It is captured at the time of occurrence in Azure Information protection add-ins.
Upgrade and downgrade labels actions can also be monitored via the Label event type field and filter.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/data-classification-activity-explorer-available-events?view=o365-worldwide

C (100%)
  celomomo 1 month, 2 weeks ago

Selected Answer: C
https://learn.microsoft.com/en-us/microsoft-365/compliance/data-classification-activity-explorer?view=o365-worldwide
upvoted 2 times

Selected Answer: C
Activity explorer rounds out this suite of functionality by allowing you to monitor what's being done with your labeled content.
There are over 30 different filters available for use, some are:
Date range, Activity type, Location, User, Sensitivity label, Retention label, File path, DLP policy
upvoted 3 times
  ACSC 2 months, 2 weeks ago

Now it is Microsoft Purview compliance portal
upvoted 3 times

Selected Answer: C
C: Activity Explorer in M365 Compliance center
https://learn.microsoft.com/en-us/microsoft-365/compliance/data-classification-overview?view=o365-worldwide
You can find data classification in the Microsoft Purview compliance portal (or Microsoft 365 Defender portal) > Classification > Data Classification.
You also manage these features on the data classification page:
trainable classifiers
sensitive information types
Learn about exact data match based sensitive information types
content explorer
-------> activity explorer
https://learn.microsoft.com/en-us/microsoft-365/compliance/data-classification-activity-explorer?view=o365-worldwide
upvoted 2 times
  PatWafy 4 months, 2 weeks ago

C : est la bonne réponse
upvoted 2 times

Tres bien
upvoted 1 times
You have a Microsoft 365 subscription that uses Microsoft 365 Defender.
You need to identify all the entities affected by an incident.
Which tab should you use in the Microsoft 365 Defender portal?
A. Investigations
B. Devices
C. Evidence and Response
D. Alerts
Correct Answer: C
The Evidence and Response tab shows all the supported events and suspicious entities in the alerts in the incident.
Incorrect:
* The Investigations tab lists all the automated investigations triggered by alerts in this incident. Automated investigations will perform
remediation actions or wait for analyst approval of actions, depending on how you configured your automated investigations to run in Defender
for Endpoint and Defender for Office 365.
* Devices
The Devices tab lists all the devices related to the incident.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/investigate-incidents

C (70%) D (30%)
  Pointless Highly Voted  4 months, 1 week ago

Correct Answer - C, Evidence and Response.
Question emphasizes on 'incident'. Though you can view affected entities by clicking on Alerts tab > Alert list, it will be for that particular alert one
alert doesn't necessarily be an incident. An incident can have multiple alerts. So you need to click on Incidents tab, open the Incident, go to
Evidences and Response tab and look there.
upvoted 9 times
  Nickname01 4 months, 1 week ago

Correct answer is indeed C: wheb you click on an incident it will open the Summary tab, on the summery tab you can see the overview of
evidence with a option to view all entities, this will bring you to "Evidence and Response".
upvoted 3 times

Selected Answer: C
The "Evidence and Response" tab in the Microsoft 365 Defender portal can be used to identify all the entities affected by an incident. In the
"Evidence and Response" tab, you can access information about the scope of the incident and the entities that were affected. This information can
help you understand the extent of the incident and determine the necessary steps to respond to it.
upvoted 3 times

Selected Answer: C
https://learn.microsoft.com/en-us/microsoft-365/security/defender/investigate-incidents?view=o365-worldwide
upvoted 1 times
  Locian 1 month, 1 week ago

Selected Answer: C
C is the correct answer
upvoted 1 times

https://learn.microsoft.com/en-us/microsoft-365/security/defender/investigate-incidents?view=o365-worldwide
upvoted 3 times

Answer is correct as C
upvoted 3 times
  SuperGraham 2 months ago

Selected Answer: C
C - Evidence and Response
https://learn.microsoft.com/en-us/microsoft-365/security/defender/investigate-incidents#evidence-and-response
The description even says 'Microsoft 365 Defender automatically investigates all the incidents' supported events and suspicious entities in the
alerts, providing you with information about the important emails, files, processes, services, IP Addresses, and more.'
upvoted 2 times
  TheNickname 2 months ago

Selected Answer: C
upvoted 2 times
  TheNickname 2 months ago

upvoted 1 times

Selected Answer: C
To identify all the entities affected by an incident in the Microsoft 365 Defender portal, you should use the Evidence and Response tab.
The Evidence and Response tab in the Microsoft 365 Defender portal provides a detailed view of an incident, including information about the
affected entities. When you select an incident in the Investigations tab, the Evidence and Response tab will display information about the affected
users, devices, applications, and other entities. You can use this information to understand the scope of the incident and to determine which
entities may have been compromised or affected by the incident.
The Devices, Alerts, and Investigations tabs may also contain information about affected entities, but the Evidence and Response tab provides the
most comprehensive view of the entities involved in an incident.
upvoted 3 times

Selected Answer: D
On the Alerts tab, you can view the alert queue for alerts related to the incident and other information about them such as:
Severity,
The entities that were involved in the alert.
...
upvoted 1 times

Selected Answer: D
https://learn.microsoft.com/en-us/microsoft-365/security/defender/investigate-incidents?view=o365-worldwide#alerts
upvoted 1 times
  passA900 3 months, 1 week ago

Selected Answer: D
You need to identify all the entities (of your organization?) affected by an incident. then D
You need to identify all the (suspicious) entities affected by an incident. then C
upvoted 2 times

I'm sorry the second line should be:
You need to identify all the (suspicious) entities in the incident. then C
upvoted 1 times
  Creature 3 months, 3 weeks ago

Selected Answer: C
When I view and incident in my tenant, C seems like the appropriate answer.
upvoted 2 times

Selected Answer: C
Question Keywords: "...identify all the entities AFFECTED BY AN INCIDENT."
Answer: C Evidence and response.
"The Evidence and Response tab shows all the supported events and suspicious entities in the alerts in the incident."
https://learn.microsoft.com/en-us/microsoft-365/security/defender/investigate-incidents?view=o365-worldwide#evidence-and-response
upvoted 4 times
  natxu 4 months, 1 week ago
Selected Answer: C
You can find all affected entities under Evidence and Response.
upvoted 2 times
  MiKeDee 4 months, 2 weeks ago

Selected Answer: D
I am going with D as per https://learn.microsoft.com/en-us/microsoft-365/security/defender/investigate-incidents?view=o365-worldwide
upvoted 1 times
  nsasomsub 4 months, 2 weeks ago

i don't see Evidence and Response tab so the answer is D ir if there is Incident tab
upvoted 2 times
You have a Microsoft 365 E5 subscription that is linked to a hybrid Azure AD tenant.
You need to identify all the changes made to Domain Admins group during the past 30 days.
A. the Modifications of sensitive groups report in Microsoft Defender for Identity
B. the identity security posture assessment in Microsoft Defender for Cloud Apps
C. the Azure Active Directory Provisioning Analysis workbook
D. the Overview settings of Insider risk management
Correct Answer: A

A (100%)

Selected Answer: A
A. The Modifications of sensitive groups report in Microsoft Defender for Identity would be the best option to use to identify all the changes made
to the Domain Admins group during the past 30 days. This report provides information about changes made to sensitive groups, including the
Domain Admins group, in the Azure AD environment and helps to identify potential security threats.
upvoted 2 times

Selected Answer: A
Can confirm it's A. |> Reports |> Modifications to sensitive groups
upvoted 4 times

Thanks for confirming buddy!
upvoted 2 times
You have a Microsoft 365 subscription. The subscription uses Microsoft 365 Defender and has data loss prevention (DLP) policies that have
aggregated alerts configured.
You need to identify the impacted entities in an aggregated alert.
What should you review in the DLP alert management dashboard of the Microsoft 365 compliance center?
A. the Events tab of the alert
B. the Sensitive Info Types tab of the alert
C. Management log
D. the Details tab of the alert
Correct Answer: C

A (84%) D (16%)
  Wutan Highly Voted  1 month ago

Selected Answer: A
The correct answer is A.
More on: https://learn.microsoft.com/en-us/microsoft-365/compliance/dlp-configure-view-alerts-policies?view=o365-worldwide
upvoted 7 times
  eddz25 Highly Voted  1 month ago

Selected Answer: A
In order to identify the impacted entities in an aggregated alert, you should review the "Events" tab of the DLP alert management dashboard in the
Microsoft 365 compliance center. This tab will display a list of all the events that triggered the alert, including the specific entities (e.g. files, emails,
etc.) that were affected. You can further investigate each event to identify the specific user, device and action that caused the alert to be triggered.
upvoted 6 times
  Dewonnaluv Most Recent  6 days, 5 hours ago

Management log is only chosen to see the history of workflow management. Hence Option C is incorrect. A is the correct answer.
upvoted 1 times

Selected Answer: A
The Events tab of the DLP alert management dashboard in the Microsoft 365 compliance center provides a comprehensive view of the entities that
have been impacted by the aggregated alert. This tab provides information about the number of entities affected, the type of entities affected, the
users or devices that caused the DLP violation, and other relevant details about the alert. By reviewing the Events tab, you can quickly determine
the extent of the impact of the alert and take appropriate actions to mitigate the impact.
upvoted 2 times

Selected Answer: A
According to below article Event details and Impacted Entities can be found under Events tab.
https://learn.microsoft.com/en-us/microsoft-365/compliance/dlp-configure-view-alerts-policies?view=o365-worldwide
upvoted 2 times
  ExamTopicsTST 4 weeks, 1 day ago

Selected Answer: A
The correct answer is A.
upvoted 4 times

It is A.
https://youtu.be/FW1pIwDLVHY?t=112
upvoted 3 times
  Armpenu 1 month ago

Selected Answer: D
Impacted entities are found under details
upvoted 4 times
You plan to create a hunting query from Microsoft Defender.
You need to create a custom tracked query that will be used to assess the threat status of the subscription.
From the Microsoft 365 Defender portal, which page should you use to create the query?
A. Threat analytics
B. Advanced Hunting
C. Explorer
D. Policies & rules
Correct Answer: B

B (100%)
  ACSC 3 weeks, 4 days ago

Selected Answer: B
https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-modes?view=o365-worldwide#get-started-with-guided-
hunting-mode
upvoted 2 times

https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
"Use Advance mode if you're comfortable creating custom queries."
Answer is B
upvoted 4 times
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint.
You need to add threat indicators for all the IP addresses in a range of 171.23.34.32-171.23.34.63. The solution must minimize administrative
effort.
What should you do in the Microsoft 365 Defender portal?
A. Create an import file that contains the individual IP addresses in the range. Select Import and import the file.
B. Create an import file that contains the IP address of 171.23.34.32/27. Select Import and import the file.
C. Select Add indicator and set the IP address to 171.23.34.32-171.23.34.63.
D. Select Add indicator and set the IP address to 171.23.34.32/27.
Correct Answer: A

A (100%)
  Valunchai 1 day, 4 hours ago

Selected Answer: A
Test on lab
upvoted 1 times
You have an Azure subscription that uses Microsoft Defender for Endpoint.
You need to ensure that you can allow or block a user-specified range of IP addressed and URLs.
What should you enable first in the Advanced features from the Endpoints Settings in the Microsoft 365 Defender portal?
A. custom network indicators
B. live response for servers
C. endpoint detection and response (EDR) in block mode
D. web content filtering
Correct Answer: A

A (100%)
  Valunchai 1 day, 4 hours ago

Selected Answer: A
Correct answer. (A)
upvoted 1 times
DRAG DROP
-
You have an Azure subscription that contains the users shown in the following table.
You need to delegate the following tasks:
• Enable Microsoft Defender for Servers on virtual machines.

• Review security recommendations and enable server vulnerability scans.
Which user should perform each task? To answer, drag the appropriate users to the correct tasks. Each user may be used once, more than once, or
not at all. You may need to drag the split bar between panes or scroll to view content.
Correct Answer:
Currently there are no comments in this discussion, be the first to comment!
HOTSPOT
-
You have a Microsoft 365 E5 subscription.
You need to create a hunting query that will return every email that contains an attachment named Document.pdf. The query must meet the
following requirements:
• Only show emails sent during the last hour.

• Optimize query performance.
Correct Answer:
Your company has an on-premises network that uses Microsoft Defender for Identity.
The Microsoft Secure Score for the company includes a security assessment associated with unsecure Kerberos delegation.
You need remediate the security risk.
What should you do?
A. Disable legacy protocols on the computers listed as exposed entities.
B. Enforce LDAP signing on the computers listed as exposed entities.
C. Modify the properties of the computer objects listed as exposed entities.
D. Install the Local Administrator Password Solution (LAPS) extension on the computers listed as exposed entities.
Correct Answer: C
Currently there are no comments in this discussion, be the first to comment!
A remediation action for an automated investigation quarantines a file across multiple devices.
You need to mark the file as safe and remove the file from quarantine on the devices.
What should you use in the Microsoft 365 Defender portal?
A. From the History tab in the Action center, revert the actions.
B. From the investigation page, review the AIR processes.
C. From Quarantine from the Review page, modify the rules.
D. From Threat tracker, review the queries.
Correct Answer: A
You have a Microsoft 365 E5 subscription that uses Microsoft 365 Defender.
You need to review new attack techniques discovered by Microsoft and identify vulnerable resources in the subscription. The solution must
minimize administrative effort.
Which blade should you use in the Microsoft 365 Defender portal?
A. Advanced hunting
B. Threat analytics
C. Incidents & alerts
D. Learning hub
Correct Answer: B
Question #1 Topic 2
You use Azure Security Center.
You receive a security alert in Security Center.
You need to view recommendations to resolve the alert in Security Center.
Solution: From Security alerts, you select the alert, select Take Action, and then expand the Prevent future attacks section.
A. Yes
B. No
Correct Answer: B
You need to resolve the existing alert, not prevent future alerts. Therefore, you need to select the 'Mitigate the threat' option.
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-managing-and-responding-alerts
  examkid Highly Voted  1 year, 7 months ago

Answer is correct:
upvoted 10 times

Correct
upvoted 5 times
  alexb1 Most Recent  1 week, 4 days ago

Just a FYI Security Center is now called Defender for Cloud ( as far as I can tell ). There's also a Security Center under Azure -> Security but it
doesn't seem to be the one referred to in this question.
upvoted 2 times

Selected Answer: B
Answer is (B) No, because the question is asking for recommendations on the current alert that you are viewing(Mitigate the threat) and not on
security recommendations in general(Prevent Future attacks) for the device associated with the alert..
https://learn.microsoft.com/en-us/azure/defender-for-cloud/managing-and-responding-alerts#respond-to-security-alerts
(Mitigate the threat) - provides manual remediation steps for this security alert (Provides recommendations on what to do to resolve the alert)
(Prevent future attacks) - provides security recommendations to help reduce the attack surface, increase security posture, and thus prevent future
attacks.(Provides recommendations for security in general such as Remediate Vulnerabilities and win defender should be activated on all devices)
upvoted 4 times

Correct
Mitigate the threat - provides manual remediation steps for this security alert
Prevent future attacks - provides security recommendations to help reduce the attack surface, increase security posture, and thus prevent future
attacks
https://learn.microsoft.com/en-us/azure/defender-for-cloud/managing-and-responding-alerts
upvoted 1 times

B is correct:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/tutorial-security-incident
upvoted 1 times
  vnez 6 months, 1 week ago

Answer should be A - On the Security Alert > Take Action > Prevent future attacks -- this will give you a list of active security recommendations on
the affected resource
* Mitigate the threat - provides manual remediation steps for this security alert
* Prevent future attacks - provides security recommendations to help reduce the attack surface, increase security posture, and thus prevent future
attacks
upvoted 2 times
  MiKeDee 8 months ago
Selected Answer: B
According to https://docs.microsoft.com/en-us/azure/defender-for-cloud/managing-and-responding-alerts Yes stands for "Prevent future attacks -
provides security recommendations to help reduce the attack surface, increase security posture, and thus prevent future attacks". This answer does
not provide remediation steps, it provides attack surface reduction steps.
upvoted 1 times
  PhyMac 8 months, 3 weeks ago

I think the answer is A.
I checked the URL from examkid, and the link said as followings;
Take action tab. Use this tab to take further actions regarding the security alert. Actions such as:[...]
attacks
The goal is to "You need to view recommendations" anyway.

So, I thought the answer is A.
upvoted 2 times
  ModsGods 1 year, 4 months ago

Reference isn't working anymore. See the comment from @examkid for further learning pages.
upvoted 5 times
Question #2 Topic 2
You receive an alert from Azure Defender for Key Vault.

You discover that the alert is generated from multiple suspicious IP addresses.
You need to reduce the potential of Key Vault secrets being leaked while you investigate the issue. The solution must be implemented as soon as
possible and must minimize the impact on legitimate users.
What should you do first?
A. Modify the access control settings for the key vault.
B. Enable the Key Vault firewall.
C. Create an application security group.
D. Modify the access policy for the key vault.
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/security-center/defender-for-key-vault-usage

The given answer is correct. You create firewall rules and adds trusted range to ensure Key Vault can only be accessed from those trusted IP
addresses while you are doing investigation.
upvoted 22 times

Think of access policies as management of users / accounts with their restrictive permissions.
Think of the firewall as managment of networks, cidrs, ips based type resources.
upvoted 4 times
  ubt 4 months ago

Shouldn't the firewall already be turned on? There fore why would a solution be to Turn the Firewall on??? This can't be the correct answer
upvoted 1 times
  ture 1 year, 6 months ago

Yes! It makes sense. Good strategy
upvoted 2 times
  cw3364903 Highly Voted  7 months, 2 weeks ago

Selected Answer: B
B is the best answer possible here...why was the firewall not on in the first place ha!
upvoted 6 times
  Metasploit Most Recent  3 months, 4 weeks ago

Selected Answer: B
According to reference the answer is correct: B Enable Key Vault Firewall.
If the traffic came from an unrecognized IP Address:

Enable the Azure Key Vault firewall as described in Configure Azure Key Vault firewalls and virtual networks. Configure the firewall with trusted
resources and virtual networks.
If the source of the alert was an unauthorized application or suspicious user:

Open the key vault's access policy settings. Remove the corresponding security principal, or restrict the operations the security principal can
perform.
If the source of the alert has an Azure Active Directory role in your tenant:
Contact your administrator.
Determine whether there's a need to reduce or revoke Azure Active Directory permissions.
upvoted 3 times

Selected Answer: B
B is correct
upvoted 1 times

Selected Answer: B
Best answer
upvoted 2 times

Selected Answer: B
Correct answer IMO.
upvoted 1 times

Given answer was correct
upvoted 1 times
Question #3 Topic 2
HOTSPOT -
You have an Azure subscription that has Azure Defender enabled for all supported resource types.
You create an Azure logic app named LA1.
You plan to use LA1 to automatically remediate security risks detected in Azure Security Center.
You need to test LA1 in Security Center.
What should you do? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/security-center/workflow-automation#create-a-logic-app-and-define-when-it-should-automatically-run
  Banzaaai Highly Voted  1 year ago

passed exam 31-Jan-2022, and answer Workflow Automation was not on exam...
so.. I have chosen : Security Alerts
upvoted 14 times
  Tracebuster 1 year ago

This is why I would go with Recommendation as the 2nd answer option
https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/securitynestedrecommendation
upvoted 8 times

Automate responses to Microsoft Defender for Cloud triggers using workflow automation - the trigger conditions selected is “Security alert”
https://docs.microsoft.com/en-us/azure/defender-for-cloud/workflow-automation
upvoted 2 times
  Lion007 8 months ago

Agreeing with this answer, and add to it that you can actually find the "Trigger logic app" when you open both "Security alerts" and
"Recommendations". This is mentioned in the docs page "To manually run a Logic App, open an alert or a recommendation and click Trigger
Logic App:" https://docs.microsoft.com/en-us/azure/defender-for-cloud/workflow-automation#manually-trigger-a-logic-app
upvoted 1 times

"security risks detected" not alerts, incidents... go with recommendations.
upvoted 2 times
  Whatsamattr81 Highly Voted  6 months, 1 week ago

"automatically remediate security risks detected" - risks is the key word, that (to me) assumes the recommendations - and not alerts (which would
be incidents). And it would be triggered on recommendations.
upvoted 8 times

upvoted 5 times

To set the trigger for the logic app to be triggered by an alert from Azure Security Center, you should select the "When an alert is generated"
trigger. This trigger will allow the logic app to be triggered when an alert is generated in Azure Security Center.
Option 1, "When an Azure Security Centre Recommendation is created or triggered," is not a valid trigger. Recommendations are suggestions for
remediation or improvement that are provided by Azure Security Center, but they do not trigger the execution of a logic app.
Option 2, "When an Azure Security Centre is created or triggered," is also not a valid trigger. Azure Security Center is a service, not an entity that
can be created or triggered.
Option 3, "When a response to an Azure Security Center alert is triggered," is also not a valid trigger. Responses to alerts are actions taken in
response to an alert, such as acknowledging or dismissing the alert. They do not trigger the execution of a logic app.
upvoted 1 times

When an Azure Security Center Recommendation is created or triggered
Recommendations
upvoted 4 times
  thinkingface 6 months, 3 weeks ago

https://docs.microsoft.com/en-us/azure/defender-for-cloud/workflow-automation#create-a-logic-app-and-define-when-it-should-automatically-
run . if you look at the 2nd or 3rd paragraph it says Logic apps can trigger from security alerts, doesn't mention workflow automation in that
statement.
upvoted 2 times

The logic app designer supports the following Defender for Cloud triggers:
-When a Microsoft Defender for Cloud Recommendation is created or triggered

-When a Defender for Cloud Alert is created or triggered
-When a Defender for Cloud regulatory compliance assessment is created or triggered
Note:
If you are using the legacy trigger "When a response to a Microsoft Defender for Cloud alert is triggered", your logic apps will not be launched
by the Workflow Automation feature. Instead, use either of the triggers mentioned above.
upvoted 1 times

Answer is correct.
upvoted 3 times
  kornjaca 1 year, 3 months ago

There are both offered answers in the Add workflow automation creation wizard, so "When an Azure Security Center Recommendation is created
or triggered" as well as "When an Azure Security Center alert is triggered". I can't find anything in the question that would imply one or another
answer.
upvoted 3 times

I think that the answer is "When an Azure Security Center Recommendation is created or triggered" because you want to remediate RISKS, not
alerts.
upvoted 18 times

this is correct
upvoted 2 times
  karlEzio 1 year, 4 months ago

Correct
upvoted 1 times
Question #4 Topic 2
You have a Microsoft 365 subscription that uses Azure Defender.

You have 100 virtual machines in a resource group named RG1.
You assign the Security Admin roles to a new user named SecAdmin1.
You need to ensure that SecAdmin1 can apply quick fixes to the virtual machines by using Azure Defender. The solution must use the principle of
least privilege.
Which role should you assign to SecAdmin1?
A. the Security Reader role for the subscription
B. the Contributor for the subscription
C. the Contributor role for RG1
D. the Owner role for RG1
Correct Answer: C
  somsom Highly Voted  1 year, 10 months ago

correct. contributors has edit, read and view access
upvoted 17 times
  Eltooth Highly Voted  1 year, 9 months ago

Agreed - Contributor rights on RG is minimum permission needed.
upvoted 9 times

Selected Answer: C
To ensure that SecAdmin1 can apply quick fixes to the virtual machines by using Azure Defender, while also following the principle of least
privilege, you should assign the Contributor role for RG1 to SecAdmin1.
The Contributor role for RG1 will allow SecAdmin1 to perform tasks such as deploying resources and modifying resource properties within RG1, but
it will not grant them access to perform administrative tasks at the subscription level. This will allow SecAdmin1 to apply quick fixes to the virtual
machines using Azure Defender, while still adhering to the principle of least privilege.
upvoted 6 times

Selected Answer: C
Best answer
upvoted 4 times

Selected Answer: C
should be C
upvoted 3 times
  Ana22 1 year ago

Selected Answer: C
Correct
upvoted 3 times

Selected Answer: C
Contributor role for RG.
upvoted 2 times

Agreed, correcr answer
upvoted 3 times
Question #5 Topic 2
You provision a Linux virtual machine in a new Azure subscription.

You enable Azure Defender and onboard the virtual machine to Azure Defender.
You need to verify that an attack on the virtual machine triggers an alert in Azure Defender.
Which two Bash commands should you run on the virtual machine? Each correct answer presents part of the solution.
A. cp /bin/echo ./asc_alerttest_662jfi039n
B. ./alerttest testing eicar pipe
C. cp /bin/echo ./alerttest
D. ./asc_alerttest_662jfi039n testing eicar pipe
Correct Answer: AD
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-alert-validation#simulate-alerts-on-your-azure-vms-linux-

correct
upvoted 15 times
  AlaReAla Highly Voted  1 year, 4 months ago

Why is it so important to copy the file ONLY as "asc_alerttest_662jfi039n". Please consider that I am a newbie in securities, and help guide me,
thanks.
upvoted 6 times

any legal file name can be used
upvoted 1 times
  03allen 1 month, 2 weeks ago

seems not right as BC's only difference is the file name
upvoted 2 times
  CatoFong Most Recent  6 months, 4 weeks ago

Selected Answer: AD
correct
upvoted 1 times
  feln 11 months ago

Selected Answer: AD
correct
upvoted 1 times

Selected Answer: AD
Given answers are correct
upvoted 2 times

Selected Answer: AD
correct
upvoted 1 times
  iov 11 months, 2 weeks ago

correct
upvoted 1 times

Selected Answer: AD
AD is correct I'd say.
upvoted 1 times
  oberte007 1 year, 7 months ago

Right answer
upvoted 1 times
Correct answer
upvoted 1 times
  ablackwood 1 year, 8 months ago

Correct, the renaming of the .exe is referenced directly in the documentation - https://docs.microsoft.com/en-us/azure/security-center/security-
center-alert-validation#simulate-alerts-on-your-azure-vms-linux-
upvoted 4 times
  malabar933 1 year, 9 months ago

upvoted 3 times
Question #6 Topic 2
You create an Azure subscription named sub1.

In sub1, you create a Log Analytics workspace named workspace1.
You enable Azure Security Center and configure Security Center to use workspace1.
You need to collect security event logs from the Azure virtual machines that report to workspace1.
What should you do?
A. From Security Center, enable data collection
B. In sub1, register a provider.
C. From Security Center, create a Workflow automation.
D. In workspace1, create a workbook.
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection

Selected Answer: A
Data collection
Store additional raw data - Windows security events
To help audit, investigate, and analyze threats, you can collect raw events, logs, and additional security data and save it to your Log Analytics
workspace.
upvoted 9 times
  Nickname01 4 months, 1 week ago

Answer A is correct: you go to your Log analytics workspace -> agent management -> Data collection rules, here you would create a new rule
and add the Windows Event logs and select the security logs.
upvoted 4 times
  feln Most Recent  11 months ago

Selected Answer: A
correct
upvoted 1 times

Selected Answer: A
Best answer
upvoted 2 times
  zole 1 year, 2 months ago

uuuuuuuuuuuuuuuuuuuuu
upvoted 1 times
  somsom 1 year, 5 months ago

correct
upvoted 4 times
Question #7 Topic 2
DRAG DROP -
You create a new Azure subscription and start collecting logs for Azure Monitor.
You need to configure Azure Security Center to detect possible threats related to sign-ins from suspicious IP addresses to Azure virtual machines.
The solution must validate the configuration.
Which three actions should you perform in a sequence? To answer, move the appropriate actions from the list of action to the answer area and
Select and Place:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-alert-validation

True. Correct answer given
upvoted 11 times
  cs4vEr Highly Voted  1 year, 9 months ago

https://docs.microsoft.com/en-us/azure/security-center/security-center-alert-validation#simulate-alerts-on-your-azure-vms-linux- is not related to
suspicious login BTW, the answer is the only one possible
upvoted 8 times
  ubt Most Recent  4 months ago

OMG... was pulling my hair out as none of these except enable MS Defender seemed related to the question.. typical MS questions
upvoted 6 times
  Lone__Wolf 1 week, 1 day ago
Same here!
upvoted 1 times

correct
upvoted 4 times
Question #8 Topic 2
Your company uses Azure Security Center and Azure Defender.
The security operations team at the company informs you that it does NOT receive email notifications for security alerts.
What should you configure in Security Center to enable the email notifications?
A. Security solutions
B. Security policy
C. Pricing & settings
D. Security alerts
E. Azure Defender
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details
  powerjoev2 Highly Voted  1 year, 2 months ago

Outdated it should be in the "Environment Settings" -> "Email notifications"
upvoted 36 times

This configuration can be found at Microsoft Defender for Cloud Apps now??
upvoted 2 times

Selected Answer: C
Environment settings -> click subscription -> Email notifications
upvoted 12 times
  TiredofTesting Most Recent  1 month, 3 weeks ago

Deprecated:
From Defender for Cloud's Environment settings area, select the relevant subscription, and open Email notifications.
Define the recipients for your notifications with one or both of these options:
From the dropdown list, select from the available roles.

Enter specific email addresses separated by commas. There's no limit to the number of email addresses that you can enter.
upvoted 3 times
  palito1980 1 month ago

Verified on a test tenant
upvoted 1 times

Selected Answer: C
Pricing & Settings
upvoted 1 times

Now it is Environment settings.
Have MS changed exam after recent renaming a whole Defender solutions?
upvoted 7 times

Not until Nov 4 2022
upvoted 1 times

Correct - Pricing & Settings.
upvoted 1 times

Given answer was correct.
upvoted 1 times
correct. the navigation is as follows home - security center- pricing and settings
upvoted 10 times
Question #9 Topic 2
DRAG DROP -
You have resources in Azure and Google cloud.
You need to ingest Google Cloud Platform (GCP) data into Azure Defender.
In which order should you perform the actions? To answer, move all actions from the list of actions to the answer area and arrange them in the
correct order.
Select and Place:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/security-center/quickstart-onboard-gcp
  Yeuri Highly Voted  2 months, 2 weeks ago

No longer a valid answer, in order to do this you need to go to Microsoft Defender for cloud apps > Environment settings > add environment >
GCP
upvoted 14 times

Correct sequence.
upvoted 11 times
  Lone__Wolf Most Recent  5 days, 18 hours ago

Since this is outdated this is the new Sequence
Configure Google Cloud Platform

Create a dedicated project in GCP
Enable required APIs
Create a dedicated service account for the security auditing integration
Create a private key for the dedicated service account
Retrieve your Organization ID
Connect Google Cloud Platform auditing to Defender for Cloud Apps
https://learn.microsoft.com/en-us/defender-cloud-apps/connect-google-gcp
upvoted 2 times
  Snaileyes 3 months ago
...more specifically:
https://learn.microsoft.com/en-us/defender-cloud-apps/connect-google-gcp#how-to-connect-gcp-security-configuration-to-defender-for-cloud-
apps
upvoted 2 times

Here's a better reference for the sequence:
https://learn.microsoft.com/en-us/defender-cloud-apps/connect-google-gcp
upvoted 4 times
  hommatch380 5 months, 2 weeks ago

Reference:
https://docs.microsoft.com/ja-jp/azure/defender-for-cloud/quickstart-onboard-gcp?pivots=classic-connector
upvoted 1 times
  hommatch380 5 months, 2 weeks ago

English is here
https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-gcp?pivots=classic-connector
upvoted 3 times
  hamedhy 1 week, 2 days ago

This is the just right answer, thanks!
upvoted 1 times
  hardinxcore 6 months ago

No it’s not conflict correct anymore. Then links shows the native connection and the classic connection. This question is the classic connection and
not the native
upvoted 2 times
  vincenttoolate 8 months, 1 week ago

These answer might be outdated already. According to the doc:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-gcp?pivots=env-settings#connect-your-gcp-project
We copy the GCP Cloud Shell script from the GCP Connector, then run it at GCP Cloud Shell, and then we have an auto-generated service account
upvoted 4 times
  AGROS 1 year, 2 months ago

Seems like according to the link https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-gcp
Step 2. Enable GCP Security Command Center API
upvoted 2 times
  AGROS 1 year, 2 months ago

My fault: Screen data is correct
Disregard the previous message.
For all the GCP projects in your organization, you must also:
Set up GCP Security Command Center using these instructions from the GCP documentation.
Enable Security Health Analytics using these instructions from the GCP documentation.
upvoted 1 times

Given answer was correct
upvoted 2 times
  Silent_Muzinde 1 year, 9 months ago

the provided answer is correct
upvoted 1 times
Solution: From Regulatory compliance, you download the report.
A. Yes
B. No
Correct Answer: B
Reference:
  Abdul11 7 months ago

Correct answer
upvoted 1 times
  LadyDiana 10 months, 4 weeks ago

Selected Answer: B
Based on the link, once you are on the full details page of one of the alerts,
1. Click on “Next: Take Action”
2. Select: “Prevent future attacks” - as this provides security recommendations
upvoted 1 times
  LadyDiana 10 months, 4 weeks ago

In addition to #2, you can either choose “Prevent future attacks” OR “Mitigate the threat” as options since the “Mitigate the threat” provides
remediation steps.
upvoted 3 times

The correction option would be to choose "mitigate the threat" as the recommendations from this tab resolves the alert, whereas the other
"Prevent.." Just provides recommendations in general.
upvoted 2 times

Selected Answer: B
Best answer
upvoted 1 times

Correct - No
upvoted 3 times

Correct answer
upvoted 1 times

upvoted 1 times
Solution: From Security alerts, you select the alert, select Take Action, and then expand the Mitigate the threat section.
A. Yes
B. No
Correct Answer: A
Reference:

very correct, you need to mitigate the issue
upvoted 8 times
  ehsanhabib Most Recent  11 months, 2 weeks ago

Selected Answer: A
cORRECT
upvoted 4 times

Selected Answer: A
Best option
upvoted 3 times

Selected Answer: A
Looks right to me.
upvoted 3 times

Correct.
upvoted 2 times

Yes, Correct
upvoted 2 times
  kwach 1 year, 10 months ago

answer is A
upvoted 3 times
You have an Azure subscription that has Azure Defender enabled for all supported resource types.
You need to configure the continuous export of high-severity alerts to enable their retrieval from a third-party security information and event
management (SIEM) solution.
To which service should you export the alerts?
A. Azure Cosmos DB
B. Azure Event Grid
C. Azure Event Hubs
D. Azure Data Lake
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/security-center/continuous-export?tabs=azure-portal

Correct answer, from the provided link in the answer it is explained: Continuous export lets you fully customize what will be exported, and where it
will go. For example, you can configure it so that:
All high severity alerts are sent to an Azure Event Hub

All medium or higher severity findings from vulnerability assessment scans of your SQL servers are sent to a specific Log Analytics workspace
Specific recommendations are delivered to an Event Hub or Log Analytics workspace whenever they're generated
The secure score for a subscription is sent to a Log Analytics workspace whenever the score for a control changes by 0.01 or more
upvoted 15 times
  Tx4free Most Recent  11 months, 2 weeks ago

Selected Answer: C
Best answer
upvoted 1 times
  dangerdizzy 1 year ago

Yes the answer is correct. event hubs.
upvoted 1 times

Correct answer - Event Hubs.
upvoted 3 times
You are responsible for responding to Azure Defender for Key Vault alerts.
During an investigation of an alert, you discover unauthorized attempts to access a key vault from a Tor exit node.
What should you configure to mitigate the threat?
A. Key Vault firewalls and virtual networks
B. Azure Active Directory (Azure AD) permissions
C. role-based access control (RBAC) for the key vault
D. the access policy settings of the key vault
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/key-vault/general/network-security

A is correct.
B has nothing to do with Key Vault.
C & D only check against user permissions to key vault and not suspicious IP addresses.
upvoted 45 times
  NickHSO 1 year, 2 months ago

upvote for additional knowledge
upvoted 9 times
  albd Highly Voted  1 month, 4 weeks ago

upvoted 5 times
  Haha0010 Most Recent  1 month ago

Selected Answer: A
In exam today (16 jan 2023)
upvoted 4 times
  xbonex99 7 months ago

If detection is based on IP or node (network). Solution would be firewall.
If detection is based on access or user related, then the solution is related with updating or modifying the policy.
upvoted 2 times
  subhuman 11 months, 1 week ago

Selected Answer: A
Answer is correct. To be able to prevent unauthorized access to the key vault through suspicious IPs you have to change the networking settings
under the key vault resource
upvoted 3 times
HOTSPOT -
You need to use an Azure Resource Manager template to create a workflow automation that will trigger an automatic remediation when specific
security alerts are received by Azure Security Center.
How should you complete the portion of the template that will provision the required Azure resources? To answer, select the appropriate options in
the answer area.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/security-center/quickstart-automation-alert
  Discuss4certi Highly Voted  1 year, 4 months ago

correct, in the provided link you can find the json with this script.
https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.security/securitycenter-create-automation-for-
alertnamecontains/azuredeploy.json
upvoted 21 times
  albd Highly Voted  1 month, 4 weeks ago
upvoted 9 times

Question in Exam today, but you have to choose the end option, for example, answer for second option is 'triggers'
upvoted 4 times
  kushagrasharma172 2 months, 1 week ago

The given answer is correct.
upvoted 1 times
You have an Azure subscription that contains a Log Analytics workspace.

You need to enable just-in-time (JIT) VM access and network detections for Azure resources.
Where should you enable Azure Defender?
A. at the subscription level
B. at the workspace level
C. at the resource level
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/security-center/enable-azure-defender
  Daniel9527 Highly Voted  1 year, 1 month ago

"Enabling it at the workspace level doesn't enable just-in-time VM access, adaptive application controls, and network detections for Azure
resources. In addition, the only Microsoft Defender plans available at the workspace level are Microsoft Defender for servers and Microsoft
Defender for SQL servers on machines."
Reference: https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-enhanced-security
upvoted 11 times
  Malik2165 Highly Voted  1 year, 2 months ago

you can do it two ways
- at Subscription Level
- at Resource Level
upvoted 6 times

https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-introduction#defender-for-servers-plans
upvoted 1 times

But JIT Requires Microsoft Defender for Servers Plan 2 to be enabled on the subscription, then A is correct and best option.
upvoted 1 times
  TiredofTesting Most Recent  1 month, 3 weeks ago

Selected Answer: A
In Azure, -> Defender for Cloud -> Environment Settings -> select the subscription to enable all.
upvoted 2 times

Selected Answer: A
Best option
upvoted 3 times

JIT Requires Microsoft Defender for Servers Plan 2 to be enabled on the subscription.
upvoted 2 times

Correct - at Subscription level.
upvoted 4 times

You can protect an entire Azure subscription with Azure Defender and the protections will be inherited by all resources within the subscription.
upvoted 2 times
You use Azure Defender.

You have an Azure Storage account that contains sensitive information.
You need to run a PowerShell script if someone accesses the storage account from a suspicious IP address.
A. From Azure Security Center, enable workflow automation.
B. Create an Azure logic app that has a manual trigger.
C. Create an Azure logic app that has an Azure Security Center alert trigger.
D. Create an Azure logic app that has an HTTP trigger.
E. From Azure Active Directory (Azure AD), add an app registration.
Correct Answer: AC
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/azure-defender-storage-configure?tabs=azure-security-center
https://docs.microsoft.com/en-us/azure/security-center/workflow-automation

A +C looks ok.
Seems correct you want a security trigger for the login and you use this trigger to start the automation workflow with the powershellscript
upvoted 16 times
  Tx4free Most Recent  11 months, 2 weeks ago

Selected Answer: AC
Best options
upvoted 4 times

Selected Answer: AC
Given answer looks good to me.
upvoted 2 times

Selected Answer: AC
Correct
upvoted 3 times
  macco455 1 year ago

Selected Answer: AC
yeppers
upvoted 3 times

Correct A and C
upvoted 2 times
HOTSPOT -
You manage the security posture of an Azure subscription that contains two virtual machines name vm1 and vm2.
The secure score in Azure Security Center is shown in the Security Center exhibit. (Click the Security Center tab.)
Azure Policy assignments are configured as shown in the Policies exhibit. (Click the Policies tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.

Hot Area:
Correct Answer:
Reference:
https://techcommunity.microsoft.com/t5/azure-security-center/security-control-restrict-unauthorized-network-access/ba-p/1593833
https://techcommunity.microsoft.com/t5/azure-security-center/security-control-secure-management-ports/ba-p/1505770

YNY is correct
Q3: JIT is about port control. Fix management port = +4 points
https://docs.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-overview
upvoted 18 times
  MadLad84 5 months, 3 weeks ago

Thanks for the clear explanation
upvoted 2 times
  KaiserdomTW Highly Voted  1 year, 10 months ago

Given answers are correct!
upvoted 14 times
  Avishdeep Most Recent  4 months ago

Correct - Yes, No, Yes.
upvoted 3 times
  subhuman 11 months, 1 week ago

Easy one.
Answer is correct !
upvoted 2 times

Correct - Yes, No, Yes.
upvoted 2 times
  rk4ai 1 year, 5 months ago

Yes No Yes is correct
upvoted 1 times

Correct answer
upvoted 1 times
  Beitran 1 year, 9 months ago

Shouldn't it be 8, since you're fixing the "management port" issue as well?
upvoted 1 times

Nvm, JIT remediation only applies to "Security Control: Secure Management Ports", not to "Security Control: Restrict Unauthorized Network
Access", which indicates, for example, that the VM doesn't have an NSG: https://techcommunity.microsoft.com/t5/azure-security-
center/security-control-restrict-unauthorized-network-access/ba-p/1593833
https://techcommunity.microsoft.com/t5/azure-security-center/security-control-secure-management-ports/ba-p/1505770
upvoted 5 times

In my opinion, given answers are correct!
upvoted 1 times
DRAG DROP -
You are informed of a new common vulnerabilities and exposures (CVE) vulnerability that affects your environment.
You need to use Microsoft Defender Security Center to request remediation from the team responsible for the affected systems if there is a
documented active exploit available.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
Select and Place:
Correct Answer:
Reference:
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/microsoft-defender-atp-remediate-apps-using-mem/ba-p/1599271

Correct answer is as shown.
Open Security.microsoft.com --> Enpoints --> Vulnerabilty Management --> Weakness
Search/select CVE and click "Go to related security recommendations"
Click on Security recommendation task i.e. "update putty to version x.x.x"

Click on Request Remediation.
Tested on live tenant 19/09

upvoted 24 times
  Haha0010 Most Recent  1 month ago
upvoted 3 times

upvoted 4 times
  Kanoniermalri 5 months ago

Is this question still valid?
upvoted 1 times
  trevax 6 months ago

deprecated
upvoted 1 times
  TheMCT 1 year ago

Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. We've also renamed Azure Defender plans to Microsoft
Defender plans. The answers in this are based on Azure Security Center.
Correct answer is as shown.

Open Security.microsoft.com --> Enpoints --> Vulnerabilty Management --> Weakness
Search/select CVE and click "Go to related security recommendations"
Click on Security recommendation task i.e. "update putty to version x.x.x"
Click on Request Remediation.
upvoted 4 times

Correct
upvoted 3 times

What should you do?
A. From Security alerts, select the alert, select Take Action, and then expand the Prevent future attacks section.
B. From Security alerts, select Take Action, and then expand the Mitigate the threat section.
C. From Regulatory compliance, download the report.
D. From Recommendations, download the CSV report.
Correct Answer: B
Reference:
  NickHSO Highly Voted  1 year, 2 months ago

it is B. With the 'Mitigate the threat' action you receive recommendations to mitigate this threat. The 'Prevent future attacks' action provides
security recommendations to help reduce the attack surface, increase security posture, and thus prevent future attacks.
upvoted 17 times

Correct answer - B
upvoted 7 times

Selected Answer: B
The correct answer is B. From Security alerts, select Take Action, and then expand the Mitigate the threat section.
To view recommendations to resolve a security alert in Azure Security Center, you should follow these steps:
Go to the Security alerts page in Security Center.

Select the specific security alert that you want to view recommendations for.
Select the Take Action button.
Expand the Mitigate the threat section to view the recommended steps for resolving the alert.
These recommendations provide detailed information and steps for addressing the security issue that is raised by the alert, and help you to prevent
future attacks on your resources. By following the recommendations, you can improve the security posture of your resources in Azure.
upvoted 2 times

B
Mitigate the threat - provides manual remediation steps (recommendations to resolve) for this security alert
But they forgot "select the alert"
upvoted 1 times

The answer is A as the question asks how to review recommendations to resolve this particular event.
Under Mitigate the threat it gives you recommendations on how to resolve this particular alert
Under prevent future attacks its all about recommendations in relation to prevent future attacks
upvoted 1 times

Sorry it should be A.
upvoted 1 times

Sorry folks I mean it should be B - Under Mitigate the threat it gives you recommendations on how to resolve this particular alert.
Under prevent future attacks its all about recommendations in relation to prevent future attacks so A is incorrect.
upvoted 1 times

I went for A because it says “select the Alert” The question says “resolve the alert” and then it must be B
upvoted 2 times
  Lion007 7 months, 4 weeks ago

Selected Answer: B
B is correct
upvoted 2 times
  Prem_119 8 months ago

Answer should be B, but one more point needs to be added in the answer that is Alert needs to be triggered, then select the alert, take actions and
Mitigate the threat
upvoted 2 times
  PhyMac 8 months ago

The answer should be A.
See the following URL.
https://docs.microsoft.com/en-us/azure/defender-for-cloud/managing-and-responding-alerts
"Mitigate the threat - provides manual remediation steps for this security alert
attacks"
Obviously, it is prevent furture attacks, not mitigate the threat, to view security recommendations.
upvoted 1 times

Selected Answer: B
mitigate
upvoted 2 times
  Shubham020 10 months, 4 weeks ago

Selected Answer: B
Correct one is B
upvoted 2 times
  Sorrynotsorry 11 months, 1 week ago

Selected Answer: B
B and only B
upvoted 2 times

Selected Answer: B
Best option
upvoted 2 times

Selected Answer: A
A is the correct answer
upvoted 1 times
  prabhjot 11 months, 2 weeks ago

It is B not A
upvoted 2 times
  Tracebuster 1 year ago

B correct answer
upvoted 2 times
  MachoRico 1 year ago

at the moment of this comment, ASC has been renamed to Microsoft Defender for Cloud.
In Defender for Cloud, it definitely should be answer A.
(But most likely this question will no longer in the exam)
upvoted 1 times
  rhayy 1 year, 1 month ago

Selected Answer: B
the correct answer is B
upvoted 3 times
You have a suppression rule in Azure Security Center for 10 virtual machines that are used for testing. The virtual machines run Windows Server.
You are troubleshooting an issue on the virtual machines.
In Security Center, you need to view the alerts generated by the virtual machines during the last five days.
What should you do?
A. Change the rule expiration date of the suppression rule.
B. Change the state of the suppression rule to Disabled.
C. Modify the filter for the Security alerts page.
D. View the Windows event logs on the virtual machines.
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/security-center/alerts-suppression-rules

I think this is incorrect and the answer should be C - Modify the filter for the Security alerts page.
Answer B would prevent future alerts from being supressed but the question is asking to view alerts created in the last 5 days - these would have
been dismissed by the supression rule and to view them you need to alter the filter to display dismissed alerts.
Ref: https://docs.microsoft.com/en-us/azure/security-center/alerts-suppression-rules#what-are-suppression-rules
upvoted 40 times

Exact Thoughts! The answer is C.
upvoted 1 times
  Ferrix Highly Voted  1 year, 3 months ago

Corret answer is C
upvoted 13 times
  Valunchai Most Recent  21 hours, 48 minutes ago

Selected Answer: B
First, Disable suppressed rule and filter or scroll to see last 5 days alert.
upvoted 1 times

Selected Answer: C
C is the correct one in my opinion.
upvoted 1 times
  Haha0010 1 month ago

Selected Answer: C
upvoted 2 times
  mystudydumps 1 month, 3 weeks ago

Suppression rules don't work retroactively - they'll only suppress alerts triggered after the rule is created. Also, if a specific alert type has never
been generated on a specific subscription, future alerts of that type won't be suppressed. For a rule to suppress an alert on a specific subscription,
that alert type has to have been triggered at least once before the rule is created.
upvoted 1 times

Selected Answer: C
in this link you can clearly see that there is not "Disable" option to suppression rule. You can only edit or delete it.
https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-suppression-rules
upvoted 2 times
  A_core 2 months, 2 weeks ago

the way i understand this, suppression rules is in effect. It make sense to disable the rules to give way for troubelshooting,
upvoted 1 times
Selected Answer: C
C: Modify the filter.
You goto the Azure Security Alerts:

https://portal.azure.com/#view/Microsoft_Azure_Security_AzureDefenderForData/AlertsGridBlade
There is a default filter: Status == Active, In Progress

Click on it to modify the Values. You can now select Dismissed and Resolved.
upvoted 2 times
  Jadeitalia365 4 months, 3 weeks ago

Selected Answer: C
Corret answer is C
upvoted 1 times
  Fukacz 5 months, 2 weeks ago

Selected Answer: B
By default, all alerts are visible, so you cannot change creation time. Also you cannot enable "see suppressed alerts".
You need to disable suppression to see it.
upvoted 2 times

Correction, you can just modify. C is correct.
upvoted 1 times

B
You can't add a filter to find suppressed alerts.
https://docs.microsoft.com/en-us/microsoft-365/security/defender/investigate-alerts?view=o365-worldwide
So first you need to disable de suppresion rule and i suppose that this make appear those alerts in the last 30 days.
upvoted 2 times
  somsom 6 months, 2 weeks ago

answer is c
upvoted 2 times

Selected Answer: C
C for correct.
upvoted 2 times
  CatoFong 7 months, 1 week ago

Selected Answer: C
Correct answer is C
upvoted 2 times

Selected Answer: C
Wrong. It should be C
upvoted 2 times

Selected Answer: B
It is Answer B.
The logic here is that the alerts have been supressed, and therefore you won't be able to see the alerts until you disabled the rule.
Answer C may change the filter, however changing the filter won't matter because the supresssion rule is still active. Godsky is correct
upvoted 2 times
  lhadam_ 1 week, 4 days ago

lol no
upvoted 1 times
HOTSPOT -
You have an Azure Storage account that will be accessed by multiple Azure Function apps during the development of an application.
You need to hide Azure Defender alerts for the storage account.
Which entity type and field should you use in a suppression rule? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Reference:
https://techcommunity.microsoft.com/t5/azure-security-center/suppression-rules-for-azure-security-center-alerts-are-now/ba-p/1404920

Entity Type = Azure Resource (Azure Storage is a Resource)
Field = Resource ID (All Azure resources have an ID)
Correct.
upvoted 21 times
Correct! ✌
upvoted 1 times

...but if it's accessed by multiple Azure Function Apps -- each would have a different Resource ID, right? (So...you would need to know the resource
ID's for each Function App that will be accessing it...)
upvoted 1 times
  herta 1 month, 2 weeks ago

no you have only one storage
upvoted 2 times

Very correct .
upvoted 2 times
You create an Azure subscription.

You enable Azure Defender for the subscription.
You need to use Azure Defender to protect on-premises computers.
What should you do on the on-premises computers?
A. Install the Log Analytics agent.
B. Install the Dependency agent.
C. Configure the Hybrid Runbook Worker role.
D. Install the Connected Machine agent.
Correct Answer: A
Security Center collects data from your Azure virtual machines (VMs), virtual machine scale sets, IaaS containers, and non-Azure (including on-
premises) machines to monitor for security vulnerabilities and threats.
Data is collected using:
✑ The Log Analytics agent, which reads various security-related configurations and event logs from the machine and copies the data to your
workspace for analysis. Examples of such data are: operating system type and version, operating system logs (Windows event logs), running
processes, machine name, IP addresses, and logged in user.
✑ Security extensions, such as the Azure Policy Add-on for Kubernetes, which can also provide data to Security Center regarding specialized
resource types.
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection

Correct - A
upvoted 12 times
  Haha0010 Highly Voted  1 month ago

Selected Answer: A
upvoted 5 times

If am not wrong the Connected Machine agent is used to protect servers, not workstations. So, in the case of on-premises workstations, you would
install the Log Analytics agent, not the Connected Machine agent.
upvoted 2 times

upvoted 2 times

upvoted 3 times
  sukhdeep 2 months ago

I am confused here. Are asking for servers or endpoint devices?
upvoted 1 times

Selected Answer: A
A = 100%
upvoted 1 times
  AbdulMueez 9 months ago

Option A is correct
upvoted 1 times

Selected Answer: A
Best option
upvoted 2 times

I dont think the correct answer is here. IT should be Azure Guest agent as that could then install/configure windows defender thru the windows
defender portal(unless my thinking is skewed)
upvoted 1 times

i stand corrected, given answer is correct
upvoted 3 times
  rabusiak 1 year, 2 months ago

I would say install connected machine agent (use Azure Arc) to mimic on prem server as azure resource and enable for it Microsoft defender for
Cloud. It will use log analitics agent to parse logs but log analitics agent itself will not connect on prem server to Defender.
https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-machines?pivots=azure-arc
upvoted 5 times
  CertKid 1 year ago

A machine with Azure Arc-enabled servers becomes an Azure resource and - when you've installed the Log Analytics agent on it - appears in
Defender for Cloud with recommendations like your other Azure resources.
From your source. It's Log Analytics Agent.

upvoted 9 times
  Shubham020 10 months, 4 weeks ago

perfect explanation
upvoted 1 times

You nailed it and it is also in the official MS course Content Lab( Ans is A)
upvoted 1 times
A security administrator receives email alerts from Azure Defender for activities such as potential malware uploaded to a storage account and
potential successful brute force attacks.
The security administrator does NOT receive email alerts for activities such as antimalware action failed and suspicious network activity. The
alerts appear in
Azure Security Center.
You need to ensure that the security administrator receives email alerts for all the activities.
What should you configure in the Security Center settings?
A. the severity level of email notifications
B. a cloud connector
C. the Azure Defender plans
D. the integration settings for Threat detection
Correct Answer: A
Reference:
https://techcommunity.microsoft.com/t5/microsoft-365-defender/get-email-notifications-on-new-incidents-from-microsoft-365/ba-p/2012518

Selected Answer: A
Correct Answer -\^
upvoted 2 times

Selected Answer: A
Email notifications are free; for security alerts, enable the enhanced security plans
https://learn.microsoft.com/en-us/azure/defender-for-cloud/configure-email-notifications
upvoted 4 times

Selected Answer: A
Best option
upvoted 3 times

Thought the answer is correct, but it should be alert level of "Incidents" not "email". Please refer the given link.
upvoted 1 times

You are overthinking this Question :) . The severity level of email notifications [within the incident notifications rules needs to be adjusted]
upvoted 3 times

Correct - A
upvoted 3 times
DRAG DROP -
You have an Azure Functions app that generates thousands of alerts in Azure Security Center each day for normal activity.
You need to hide the alerts automatically in Security Center.
Which three actions should you perform in sequence in Security Center? Each correct answer presents part of the solution.
Select and Place:
Correct Answer:
Reference:
https://techcommunity.microsoft.com/t5/azure-security-center/suppression-rules-for-azure-security-center-alerts-are-now/ba-p/1404920
  Haha0010 Highly Voted  1 month ago

upvoted 7 times
  ACSC Most Recent  3 months ago
Answer is correct.
https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-suppression-rules#create-a-suppression-rule
upvoted 4 times

Understand that "select security alerts" means "go to security alerts page".
"Select Suppression rules"= "select the suppression rules link at the top of the page"
https://docs.microsoft.com/en-us/azure/defender-for-cloud/alerts-suppression-rules
upvoted 3 times

the sequence is correct
upvoted 2 times

You can only select one security alert and create a supression rule for it. When selecting multiple security alerts and click 'Supression rules' then
click 'Create new suppression rule', the drop down menu under Alerts (when selecting 'Custom') would allow you to select only one alert. That's
why I find the answer wrong in terms of sequence of actions. Selecting the security alert (not alerts!) should be last.
upvoted 2 times
DRAG DROP -
You have an Azure subscription.
You need to delegate permissions to meet the following requirements:
✑ Enable and disable Azure Defender.
✑ Apply security recommendations to resource.
Which Azure Security Center role should you use for each requirement? To answer, drag the appropriate roles to the correct requirements. Each
role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Select and Place:
Correct Answer:
Reference:

Answer is incorrect - the link provided in the answer - https://docs.microsoft.com/en-us/azure/security-center/security-center-permissions shows
the least priv roles would be
-Sec Admin
-Resource Group Owner (this has lower priv than subscription contributor and can still apply security recommendations)
upvoted 41 times

It is a tricky question. Resource Group Owner - will not provide access to Subscription, so you will not see any configuration in MS defender for
cloud (ex.ASC).
Sub Contributor will allow to do all tasks.
upvoted 12 times
  FrostForrest 11 months, 1 week ago

Look at the question. It states resources within a subscription. Without knowing the design of the subscription, only allocating a Resource
Group Owner would be insufficient.
upvoted 1 times
Avoid assigning broader roles at broader scopes . By limiting roles and scopes, you limit what resources are at risk if the security principal is
ever compromised.
upvoted 2 times

so Resource Group owner looks fine
upvoted 3 times
  shachar_ash 7 months ago

what if the resources span across multiple RGs?
upvoted 2 times

Answer is correct.
upvoted 7 times
  Ramkid Most Recent  1 month, 1 week ago

Correct Answer
Box1 : Security Admin
Box2 : Resource Group Owner
https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions#roles-and-allowed-actions
upvoted 5 times
  Zak366 1 week, 4 days ago

Perfect link, following principle of least privilege
upvoted 1 times

it is clearly mentioned in the following link that for disabling/enabling you can use "Security Admin" at least and for applying security
recommendations at least you need "Ressource Group Contributor or Owner". here we have only owner not contributor.
upvoted 2 times
  Sripada41 2 months, 3 weeks ago

Correct
upvoted 1 times
  sainfosec 6 months, 3 weeks ago

As per the given link, the answer should be Security Admin and Resource Group owner. Since in question, the ask is to apply security
recommendation to a resource.
upvoted 3 times

Sec Admin & RG Owner by least privilege
upvoted 2 times
  Damian367 10 months ago

Sec Admin / RG Contributer as per https://docs.microsoft.com/en-us/azure/defender-for-cloud/permissions
upvoted 4 times

Answer is correct
sec admin
sub contributor
**Resource Group Owner - not applicable here - wrong answer
upvoted 4 times
  serget12 11 months, 2 weeks ago

contributor at the Subscription Level allows you to Enable/Disable Defender Plans...not what is requested. Owner/Contributor at the RG allows to
apply recommendations but not Enable/Disable plans. Sec Admin / RG Owner is the right match.
upvoted 1 times
  iov 12 months ago

Sec Admin
-Resource Group Owner
upvoted 2 times

Answer is correct
upvoted 2 times
  CertKid 1 year ago
If it's subscription level, wouldn't it be....

1. Subscription owner
2. Subscription contributor
Otherwise it is:
- Sec admin
- Resource group owner
upvoted 2 times

Answer looks good to me
upvoted 3 times

As per the referenced URL, the given answer is correct
Sec Admin - Enable / Disable Defender
Contributor - Apply recommendations.
All while adhering to least privilege access

upvoted 4 times

I think the given answer is wrong, below answer should be correct:
1. Subs Owner
2. Security Admin
upvoted 2 times

Wrong way around. Security Admin can enable/disable Azure Defender but not make changes to resources. Subscription contributor can
implement changes tk resources.
upvoted 7 times
HOTSPOT -
You have an Azure subscription that uses Azure Defender.
You plan to use Azure Security Center workflow automation to respond to Azure Defender threat alerts.
You need to create an Azure policy that will perform threat remediation automatically.
What should you include in the solution? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects https://docs.microsoft.com/en-us/azure/security-
center/workflow-automation
  Mthaher Highly Voted  9 months, 4 weeks ago

Yes Correct
Append is used to add additional fields to the requested resource during creation or update
The following effects are deprecated:
EnforceOPAConstraint
EnforceRegoPolicy
upvoted 5 times
  scruzer Most Recent  3 days, 19 hours ago

Repeated question.
upvoted 1 times
  masterofnetscaler 3 months ago

Yes.Correct
upvoted 2 times

Correct answers. DeployIfNotExist explained here https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects#deployifnotexists-
properties
upvoted 3 times
Yes. Correct
upvoted 3 times
You have an Azure subscription that contains a virtual machine named VM1 and uses Azure Defender. Azure Defender has automatic provisioning
enabled.
You need to create a custom alert suppression rule that will supress false positive alerts for suspicious use of PowerShell on VM1.
A. From Azure Security Center, add a workflow automation.
B. On VM1, run the Get-MPThreatCatalog cmdlet.
C. On VM1 trigger a PowerShell alert.
D. From Azure Security Center, export the alerts to a Log Analytics workspace.
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-alerts?view=o365-worldwide
  Lion007 Highly Voted  7 months, 3 weeks ago

Correct asnswer. Microsoft docs say: "For a rule to suppress an alert on a specific subscription, that alert type has to have been triggered at least
once before the rule is created." https://docs.microsoft.com/en-us/azure/defender-for-cloud/alerts-suppression-rules#create-a-suppression-rule
upvoted 16 times
  Mthaher Highly Voted  9 months, 4 weeks ago

Correct , you need to generate the alert , then create the suppression rule
https://docs.microsoft.com/en-us/azure/defender-for-cloud/alerts-suppression-rules#what-are-suppression-rules
upvoted 5 times
  jrjrjrchlv Most Recent  1 month, 1 week ago

Selected Answer: C
You should first C. trigger a PowerShell alert on VM1 to create a custom alert suppression rule that will suppress false positive alerts for suspicious
use of PowerShell on VM1. After triggering the alert, you can use the information provided in the alert to create a suppression rule that will prevent
similar alerts from being generated in the future.
upvoted 2 times

Yep yep!
upvoted 1 times

Selected Answer: C
First you need an alert
upvoted 3 times

Selected Answer: C
C for correct
upvoted 2 times
  vnez 6 months, 1 week ago

Selected Answer: C
Correct!
upvoted 2 times

Selected Answer: C
C is correct. Documentation provided by Lion007 and Mthaher
upvoted 3 times
  sadako 10 months ago

Selected Answer: A
Should be A
upvoted 3 times
  j888 9 months, 3 weeks ago

I think C is correct. You will need an alert for this specific trigger and then you will be able to suppress it.
A is for automation response not supression.
upvoted 5 times
You have Linux virtual machines on Amazon Web Services (AWS).
You deploy Azure Defender and enable auto-provisioning.
You need to monitor the virtual machines by using Azure Defender.
Solution: You enable Azure Arc and onboard the virtual machines to Azure Arc.
A. Yes
B. No
Correct Answer: B
Reference:
  Osamat98 Highly Voted  10 months ago

Should Be Yes A
upvoted 11 times
  Lone__Wolf Most Recent  1 week, 1 day ago

A is the way to go!
upvoted 1 times
  Xyz_40 5 months ago

answer is A, YES. Brcause auto provisioning is already turned on
upvoted 3 times

Selected Answer: A
You need both Azure Arc to see the VM and the LAW agent.
Now, the agent can be automatically deployed after Azure Arc is deployed. Answer should be A) Yes.
upvoted 4 times
  amsioso 5 months, 1 week ago

B
You also need to install Log Analytics "to monitor the virtual machines using -azure Defender".
"To connect hybrid machines, you install the Azure Connected Machine agent on each machine. This agent does not deliver any other functionality,
and it doesn't replace the Azure Log Analytics agent / Azure Monitor Agent. The Log Analytics agent or Azure Monitor Agent for Windows and
Linux is required in order to:
Proactively monitor the OS and workloads running on the machine

Manage it using Automation runbooks or solutions like Update Management
Use other Azure services like Microsoft Defender for Cloud"
https://docs.microsoft.com/en-us/azure/azure-arc/servers/overview
upvoted 2 times

Sorry you need to install Log Analytics manually or when you enable auto provisioning of Log Analytics in "Autoprovisioning" tag.
https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-feature
So still B
upvoted 2 times
  Sango 5 months, 4 weeks ago

Should be A. You can't onboard AWS without Azure Arc.
upvoted 1 times
  Stiobhan 5 months, 4 weeks ago

Answer is correct. Even though Azure Arc is deployed, it still needs the Log Analytics installed which is not mentioned here. There is another
question which does include the whole answer.
upvoted 2 times

I also went for A but there is a note.
Note
Defender for Cloud's auto-deploy tools for deploying the Log Analytics agent works with machines running Azure Arc however this capability is
currently in preview . When you've connected your machines using Azure Arc, use the relevant Defender for Cloud recommendation to deploy the
agent and benefit from the full range of protections offered by Defender for Cloud:
So because of the preview it is B

upvoted 3 times

Auto provisioning is enabled. Adding to arc should be sufficient - a yes from me.
upvoted 3 times

This is a really bad question as adding to arc is part of the answer, not the full answer...
upvoted 3 times

Selected Answer: A
A is correct answer
upvoted 2 times

Selected Answer: B
B is Correct. The full correct answer should be "You enable Azure Arc to onboard the virtual machines to Azure Arc, then you enable auto-
provisioning to install the Log Analytics agent on the virtual machines automatically."
upvoted 2 times
  Darkren4eveR 9 months, 1 week ago

NO: Si va a incorporar máquinas que se ejecutan en Amazon Web Services (AWS), el conector para AWS de Defender for Cloud controla de forma
transparente y automática la implementación de Azure Arc. Obtenga más información en Conectar cuentas de AWS a Microsoft Defender for
Cloud.
upvoted 2 times
  Drui 9 months ago

That's for AWS accounts, the question says VMs on AWS. This article is from this year and it says you can use Azure-Arc for VMs on AWS and
other cloud providers
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-how-to-connect-aws-machines-to-microsoft-defender/ba-p/3251096
upvoted 1 times
  Oluwafida 9 months, 1 week ago

Answer should be A
It is a non Azure machine which should require the use of the Azure Arc.
upvoted 2 times
You have Linux virtual machines on Amazon Web Services (AWS).
You deploy Azure Defender and enable auto-provisioning.
You need to monitor the virtual machines by using Azure Defender.
Solution: You manually install the Log Analytics agent on the virtual machines.
A. Yes
B. No
Correct Answer: B
Reference:
  ejml Highly Voted  9 months, 2 weeks ago

Wrong answer. it should be A.
Defender for Cloud with recommendations like your other Azure resources.
upvoted 7 times

It's B because it doesn't mention Azure Arc, it just says Log analytics agent (which by the way is going to be deprecated and replaced by Azure
monitor agent) https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-overview?tabs=PowerShellWindows
upvoted 7 times
  Anonymousse 4 months, 4 weeks ago

But the Tip on that link says:
Tip
If you're onboarding machines running on Amazon Web Services (AWS), Defender for Cloud's connector for AWS transparently handles the
Azure Arc deployment for you. Learn more in Connect your AWS accounts to Microsoft Defender for Cloud.
upvoted 1 times
  Sri534 Most Recent  2 days, 5 hours ago

B is correct .. Explanation form ChatGPT
No, manually installing the Log Analytics agent on the virtual machines is not the correct solution for monitoring the virtual machines using Azure
Defender after enabling auto-provisioning.
When Azure Defender is enabled with auto-provisioning, it automatically deploys the necessary monitoring agents on the virtual machines. In this
case, since you have deployed Linux virtual machines on AWS, you would need to configure the Azure Defender for servers (Linux) solution to
monitor these virtual machines. Once enabled, Azure Defender for servers (Linux) will automatically deploy the necessary monitoring agents on the
virtual machines without the need for manual installation.
upvoted 2 times
  Phantasm 2 weeks, 1 day ago

Selected Answer: B
B is correct. In order to monitor Linux virtual machines on AWS with Azure Defender, you need to install the Log Analytics agent manually on the
virtual machines.
upvoted 2 times

Selected Answer: B
The question has few traps.
1. You have Linux machines on AWS. (don't specify if already onboarded)
2. You deploy a solution (Azure defender and enable auto provisioning) This doesn't mean any interaction with the previous Linux Machines.
HERE: YOU NEED TO MONITOR THOSE VM WITH AZURE DEFENDER. meaning first we need to do the first step to monitor them, and that first step
is not install the Log analytics agent. First we should enable Azure Arc on them. So I think answer is no B
upvoted 3 times
  Sango 6 months, 3 weeks ago

These are non-Azure, AWS PCs. You need to link the AWS environment using Azure Arc first.
upvoted 3 times

Selected Answer: B
B is Correct. The full correct answer should be "You enable Azure Arc to onboard the virtual machines to Azure Arc, then you enable auto-
provisioning to install the Log Analytics agent on the virtual machines automatically."
upvoted 4 times
  BlueLightRun 9 months ago

Selected Answer: B
https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-machines?pivots=azure-portal
There is a manual process for adding VMs

upvoted 1 times

https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-loganalytic
upvoted 1 times
You have five on-premises Linux servers.

You have an Azure subscription that uses Microsoft Defender for Cloud.
You need to use Defender for Cloud to protect the Linux servers.
What should you install on the servers first?
A. the Dependency agent
B. the Log Analytics agent
C. the Azure Connected Machine agent
D. the Guest Configuration extension
Correct Answer: B
Defender for Cloud depends on the Log Analytics agent.
Use the Log Analytics agent if you need to:
* Collect logs and performance data from Azure virtual machines or hybrid machines hosted outside of Azure
* Etc.
Reference:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/os-coverage https://docs.microsoft.com/en-us/azure/azure-
monitor/agents/agents-overview#log-analytics-agent
  kykyrykyyy 2 days ago

Selected Answer: B
I would go for B. The question doesn't specify anywhere that you are using Azure Arc. It only mentions Defender for Cloud and that requires Log
Analytics agent.
upvoted 1 times
  TechMinerUK 6 days, 1 hour ago

Selected Answer: B
I'd say B based on the following piece of information from MS
"Defender for Cloud depends on the Log Analytics agent. Ensure your machines are running one of the supported operating systems for this agent
as described on the following pages"
If Defender for Cloud depends on Log Analytics then Log Analytics should be the component installed first, yest you will need the Azure Connected
Machine Agent however all dependencies should be installed prior to this
upvoted 1 times
  Lone__Wolf 6 days, 10 hours ago

Selected Answer: C
The Azure Connected Machine agent is required to connect the on-premises Linux servers to the Azure subscription and integrate them with
Microsoft Defender for Cloud. The agent enables communication between the servers and the Defender for Cloud service, allowing security events
and data to be collected and analyzed.
Once the Azure Connected Machine agent is installed, you can then install the Log Analytics agent to collect security data from the servers and
send it to the Log Analytics workspace in Azure. This will allow you to use Defender for Cloud to monitor the security of your Linux servers, identify
threats, and respond to security incidents.
upvoted 1 times
  Rockf0rd 6 days, 18 hours ago

It states that "The Azure Connected Machine agent enables you to manage your Windows and Linux machines hosted outside of Azure on your
corporate network or other cloud providers."
I do not see any word for other cloud environment here.
So I'd go for C
https://learn.microsoft.com/en-us/azure/azure-arc/servers/agent-overview
upvoted 1 times
  Rockf0rd 6 days, 18 hours ago

sorry I'd say B
upvoted 2 times
  Zak366 1 week, 4 days ago

Selected Answer: C
First user Arc to connect, then use Log analytics agent
upvoted 2 times
  nhmh90 2 weeks, 1 day ago
To connect hybrid machines to Azure, you install the Azure Connected Machine agent on each machine. This agent does not replace the Azure Log
Analytics agent / Azure Monitor Agent. The Log Analytics agent or Azure Monitor Agent for Windows and Linux is required in order to:
-Proactively monitor the OS and workloads running on the machine
-Manage it using Automation runbooks or solutions like Update Management
-Use other Azure services like Microsoft Defender for Cloud
https://learn.microsoft.com/en-us/azure/azure-arc/servers/overview
upvoted 2 times
  DoMing 2 weeks, 2 days ago

Selected Answer: C
C is correct
upvoted 1 times

Selected Answer: B
It says "What should you install on the servers first?"
C may be a requirement but i think it is something not needed to be installed but is a setup for connector.
upvoted 1 times

Selected Answer: C
https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-server
Here you can see a table where says "Protect on-premises servers: Onboard them as Azure Arc machines and deploy agents with automation
provisioning"
upvoted 1 times
  herta 3 weeks, 4 days ago

Selected Answer: C
To extend protection to on-premises machines, deploy Azure Arc and enable Defender for Cloud's enhanced security features.
https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction
upvoted 1 times

Selected Answer: B
According to Microsoft Defender for Cloud:
"To onboard servers to Defender for Cloud:
1. Create a new workspace in which to store the data or use one of the workspaces listed below.
2. If applicable, select Upgrade to start a 30-day trial of Defender for Cloud.
3. Select Add Servers to view instructions on how to install the Log Analytics agent."
upvoted 2 times
  herta 1 month ago

Selected Answer: C
should be C
Defender for Cloud with recommendations like your other Azure resources
https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-machines?pivots=azure-arc
upvoted 2 times
  03allen 1 month, 2 weeks ago

Selected Answer: C
Should be Arc first?
upvoted 2 times

To use Microsoft Defender for Cloud to protect on-premises Linux servers, you should first install the Log Analytics agent on the servers.
upvoted 2 times

Selected Answer: B
I select B
upvoted 3 times
  carlos_40 2 months ago

Selected Answer: C
I go for C: the Azure Connected Machine agent.
After that (Arc-enabled servers), we can install the Log Analytics agent.
https://learn.microsoft.com/en-us/azure/azure-arc/servers/agent-overview
C. the Azure Connected Machine agent
upvoted 2 times
Selected Answer: B
https://learn.microsoft.com/en-us/azure/defender-for-cloud/os-coverage#supported-operating-systems
upvoted 2 times
DRAG DROP -
You have an Azure subscription. The subscription contains 10 virtual machines that are onboarded to Microsoft Defender for Cloud.
You need to ensure that when Defender for Cloud detects digital currency mining behavior on a virtual machine, you receive an email notification.
The solution must generate a test email.
Select and Place:
Correct Answer:
Step 1: From Logic App Designer, create a logic app.

Create a logic app and define when it should automatically run
1. From Defender for Cloud's sidebar, select Workflow automation.
2. To define a new workflow, click Add workflow automation. The options pane for your new automation opens.
Here you can enter:

A name and description for the automation.
The triggers that will initiate this automatic workflow. For example, you might want your Logic App to run when a security alert that contains
"SQL" is generated.
The Logic App that will run when your trigger conditions are met.
3. From the Actions section, select visit the Logic Apps page to begin the Logic App creation process.
4. Etc.
Step 2: From Logic App Designer, run a trigger.
Manually trigger a Logic App -

You can also run Logic Apps manually when viewing any security alert or recommendation.
Step 3: From Workflow automation in Defender for cloud, add a workflow automation.
Configure workflow automation at scale using the supplied policies
Automating your organization's monitoring and incident response processes can greatly improve the time it takes to investigate and mitigate
security incidents.
Reference:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/workflow-automation

Answer is correct.
You should:
create the logic app
trigger the logic app to test
and finally add the workflow automation,
upvoted 3 times

This solution does not meet the sequence specified in the question. The solution must generate a test email.
Correct answer is:
1) Create logic app

2) Add workflow automation (specifies action - send email)
3) Trigger logic app (creates alert->workflow automation activates -> sends email)
upvoted 3 times
  BieLey 3 months, 2 weeks ago

But don't you need to run a trigger before you should to the workflow automation?
upvoted 2 times

Correct.
1. Create Logic App

2. trigger (test)
3. apply
upvoted 1 times

And what happend with "create a sample alert"??
upvoted 3 times
DRAG DROP
-
You have a Microsoft subscription that has Microsoft Defender for Cloud enabled.
You configure the Azure logic apps shown in the following table.
You need to configure an automatic action that will run if a Suspicious process executed alert is triggered. The solution must minimize
administrative effort.
Correct Answer:
  saurabh123sml Highly Voted  4 weeks ago

Filter by Alert Title
Take Action
Trigger Automated Response
upvoted 8 times
  ACSC Highly Voted  4 weeks, 1 day ago

Filter by alert title
Select Take action
Configure the Trigger automated response settings
https://learn.microsoft.com/en-us/azure/defender-for-cloud/managing-and-responding-alerts#respond-to-security-alerts
upvoted 6 times

Actually correct! Just pay attention to the link content.
"Trigger automated response - provides the option to trigger a logic app as a response to this security alert"
while
"Prevent future attacks - provides security recommendations to help reduce the attack surface, increase security posture, and thus prevent
future attacks"
upvoted 1 times
  QM21 Most Recent  1 month ago

Shouldn't it mitigate first?
upvoted 1 times
  ACSC 4 weeks, 1 day ago

No, you need to configure an automatic action. Mitigate the threat provides manual remediation steps.
upvoted 3 times
You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You have a virtual machine named Server1 that runs Windows Server 2022 and is hosted in Amazon Web Services (AWS).
You need to collect logs and resolve vulnerabilities for Server1 by using Defender for Cloud.
What should you install first on Server1?
A. the Microsoft Monitoring Agent
B. the Azure Monitor agent
C. the Azure Arc agent
D. the Azure Pipelines agent
Correct Answer: B
  appieh4ck Highly Voted  1 month ago

Selected Answer: C
Azure Arc for servers installed on your EC2 instances
https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings
upvoted 8 times
  nhmh90 2 weeks ago

Other extensions should be enabled on the Arc-connected machines:
-Microsoft Defender for Endpoint
-VA solution (TVM/Qualys)
-Log Analytics (LA) agent on Arc machines or Azure Monitor agent (AMA)
Make sure the selected LA workspace has security solution installed. The LA agent and AMA are currently configured in the subscription level.
All of your AWS accounts and GCP projects under the same subscription will inherit the subscription settings for the LA agent and AMA.
upvoted 1 times
  Rockf0rd Most Recent  6 days, 17 hours ago

Selected Answer: C
In the following article, it is clearly indicated that installing Azure Arc is a prerequisite which is the first thing to do
https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings
upvoted 2 times

Selected Answer: C
I will go with C as B doesn't state the correct agent name 'Azure Connected Machine agent'. So 'Azure Arc Agent' makes more sense. Further 'Azure
Connected Machine agent' and 'Microsoft Monitoring Agent' is not same.
upvoted 2 times
  Raminjan 1 week, 3 days ago

This is from MS documentation - Non-Azure: To install the agent on physical servers and virtual machines hosted outside of Azure (that is, on-
premises) or in other clouds, you must install the Azure Arc Connected Machine agent first, at no added cost.
upvoted 1 times
  Subhakaran 1 week, 5 days ago

Selected Answer: B

Use other Azure services like Microsoft Defender for Cloud
upvoted 1 times
  Subhakaran 1 week, 5 days ago


Use other Azure services like Microsoft Defender for Cloud
upvoted 1 times
  nhmh90 2 weeks ago
Selected Answer: B
-Proactively monitor the OS and workloads running on the machine

-Manage it using Automation runbooks or solutions like Update Management
-Use other Azure services like Microsoft Defender for Cloud
https://learn.microsoft.com/en-us/azure/azure-arc/servers/overview
upvoted 3 times

It somehow confuses me.
Searching for the exact term "Azure Arc Agent" seems not right - with no hits. All it says is Azure-Arc enabled servers and "Azure Connect Machine
agent" as per https://learn.microsoft.com/en-us/azure/azure-arc/servers/plan-at-scale-deployment
Is it confirmed even without written documentation that Azure Arc Agent = Azure Connect Machine Agent?
I'm still thinking that B is the answer, unless otherwise there is Azure Connect Machine Agent in the choices.
upvoted 1 times
  Martiemark 2 weeks, 5 days ago

I think C is the correct answer. Is there anyone out there that can argue for B?
upvoted 2 times
  WRITER00347 3 weeks, 6 days ago

C. the Azure Arc agent
To collect logs and resolve vulnerabilities for Server1 by using Defender for Cloud, you need to install the Azure Arc agent first on Server1. Azure
Arc allows you to manage your servers, including non-Azure servers, as if they were native Azure resources. By installing the Azure Arc agent on
Server1, you can onboard it to Azure and enable Azure services, such as Microsoft Defender for Cloud, to protect and monitor the server. The Azure
Arc agent enables the connection between the server and Azure, allowing for communication and data transfer between them. The other options
(Microsoft Monitoring Agent, Azure Monitor agent and Azure Pipelines agent) are used for different purposes and are not necessary for this
scenario.
upvoted 2 times
  Houssemonline 4 weeks ago

Selected Answer: C
i think C is true
upvoted 2 times
You have an Azure subscription that uses Microsoft Defender for Cloud and contains a storage account named storage1.
You receive an alert that there was an unusually high volume of delete operations on the blobs in storage1.
You need to identify which blobs were deleted.
What should you review?
A. the activity logs of storage1
B. the Azure Storage Analytics logs
C. the alert details
D. the related entities of the alert
Correct Answer: B

Selected Answer: B
Seems like the answer is actually correct.
"Azure Storage Analytics performs logging and provides metrics data for a storage account. You can use this data to trace requests, analyze usage
trends, and diagnose issues with your storage account."
upvoted 4 times

Selected Answer: B
Answer is correct. https://learn.microsoft.com/en-us/rest/api/storageservices/storage-analytics-logged-operations-and-status-messages#logged-
operations
upvoted 4 times
  appieh4ck 1 month ago

Selected Answer: A
To identify which blobs were deleted in the storage account, you should review the activity logs for the storage account in Azure Monitor. The
activity logs contain information about all the operations performed on the resources in the storage account, including delete operations. You can
filter the logs by operation type and time frame to narrow down the logs to the specific time period when the unusually high volume of delete
operations occurred. You can also use advanced filtering options to look for specific blobs. Additionally, you can use Azure Monitor's Log Analytics
to query and analyze the logs in more detail, which can help you identify patterns or trends in the logs.
upvoted 3 times

Activity logs contains events regarding to the storage account, not to the blobs.
upvoted 5 times
You need to filter the security alerts view to show the following alerts:
• Unusual user accessed a key vault

• Log on from an unusual location
• Impossible travel activity
Which severity should you use?
A. Informational
B. Low
C. Medium
D. High
Correct Answer: C

Selected Answer: C
https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-overview#how-are-alerts-classified
upvoted 7 times
  Zak366 Most Recent  1 week, 4 days ago

Selected Answer: C
Medium is correct
https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference#alerts-fusion
upvoted 3 times
  jayek 3 weeks, 3 days ago

https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference#alerts-fusion
upvoted 3 times
You plan to review Microsoft Defender for Cloud alerts by using a third-party security information and event management (SIEM) solution.
You need to locate alerts that indicate the use of the Privilege Escalation MITRE ATT&CK tactic.
Which JSON key should you search?
A. Description
B. Intent
C. ExtendedProperies
D. Entities
Correct Answer: A
  VictorLiu Highly Voted  3 weeks, 6 days ago

Selected Answer: B
B. Intent
https://learn.microsoft.com/en-us/rest/api/defenderforcloud/alerts/list?tabs=HTTP#intent
upvoted 8 times
  Fcnet 3 weeks, 5 days ago

Intent
PrivilegeEscalation string
Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network.
upvoted 2 times
  PhoenixSlasher Most Recent  5 days, 20 hours ago

Selected Answer: B
B. Intent
Personally find the extendedProperties to contain the data as well but Intent clearly defines Privilege Escalation without digging around in
extended properties.
upvoted 2 times
  certmancerty 1 week, 6 days ago

Selected Answer: B
B - https://learn.microsoft.com/en-us/rest/api/defenderforcloud/alerts/list?
tabs=HTTP#intent:~:text=%22High%22%2C-,%22intent%22%3A%20%22Execution%22%2C,-%22startTimeUtc%22%3A
upvoted 3 times

https://learn.microsoft.com/en-us/rest/api/defenderforcloud/alerts/list?
tabs=HTTP#intent:~:text=%22High%22%2C-,%22intent%22%3A%20%22Execution%22%2C,-%22startTimeUtc%22%3A
upvoted 2 times

The JSON key you should search for to locate alerts that indicate the use of the Privilege Escalation MITRE ATT&CK tactic is extendedProperties.
The extendedProperties key in the JSON structure of an alert contains the MITRE ATT&CK information for the alert, such as the tactics and
techniques used by the attacker. The key contains the tactic name in the MITRE ATT&CK framework, such as "Privilege Escalation", "Initial Access",
"Execution" and so on.
You can use the extendedProperties key to filter and search for alerts that are related to the Privilege Escalation tactic in your third-party SIEM
solution.
It's also important to note that, the other options A,B,C are not related to the MITRE ATT&CK information and are used for different purposes.
upvoted 1 times

so C. ExtendedProperties
upvoted 2 times

https://learn.microsoft.com/en-us/rest/api/defenderforcloud/alerts/list?tabs=HTTP#intent
upvoted 2 times
this is for the intent answer wich is the right answer

upvoted 2 times
  JoshJosh 4 weeks ago

Entities
upvoted 1 times
DRAG DROP
-
You have 50 on-premises servers.
You have an Azure subscription that uses Microsoft Defender for Cloud. The Defender for Cloud deployment has Microsoft Defender for Servers
and automatic provisioning enabled.
You need to configure Defender for Cloud to support the on-premises servers. The solution must meet the following requirements:
• Provide threat and vulnerability management.

• Support data collection rules.
Correct Answer:
  AJ2021 Highly Voted  1 week, 5 days ago

upvoted 7 times
  herta Highly Voted  3 weeks, 4 days ago

for me it is 1-4-5
from the portal generate the script

install the agent on the on premise server with the script
install the azure monitor agent (for the data collection )
https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection
https://learn.microsoft.com/en-us/azure/azure-arc/servers/learn/quick-enable-hybrid-vm
upvoted 5 times
  AJ2021 Most Recent  3 weeks, 4 days ago

Agree, the updated answer should be 1, 4, 5
upvoted 3 times

I guess this is outdated stuff. But Log Analytics option is out, since we need to support DCRs.
I would say, 1, 4, 5. By this exact order
upvoted 4 times
  JoshJosh 4 weeks ago

4,1,2 the steps
upvoted 1 times
HOTSPOT
-
You have an Azure subscription that uses Microsoft Defender for Cloud and contains an Azure logic app named app1.
You need to ensure that app1 launches when a specific Defender for Cloud security alert is generated.
How should you complete the Azure Resource Manager (ARM) template? To answer, select the appropriate options in the answer area.
Correct Answer:

upvoted 4 times
  Houssemonline 2 weeks ago

CORRECT ANSWER
upvoted 3 times

https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/defender-for-cloud/quickstart-automation-
alert.md#:~:text=If%20your%20environment%20meets%20the%20prerequisites%20and%20you%27re%20familiar%20with%20using%20ARM%20t
emplates%2C%20select%20the%20Deploy%20to%20Azure%20button.%20The%20template%20will%20open%20in%20the%20Azure%20portal.
upvoted 1 times

answer is correct
https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-automation-alert?tabs=CLI
upvoted 4 times
HOTSPOT
-
You have an Azure subscription that has Microsoft Defender for Cloud enabled for all supported resource types.
You create an Azure logic app named LA1.
You plan to use LA1 to automatically remediate security risks detected in Defender for Cloud.
You need to test LA1 in Defender for Cloud.
Correct Answer:
You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You have a virtual machine that runs Windows 10 and has the Log Analytics agent installed.
You need to simulate an attack on the virtual machine that will generate an alert.
A. Run the Log Analytics Troubleshooting Tool.
B. Copy and executable and rename the file as ASC_AlertTest_662jfi039N.exe.
C. Modify the settings of the Microsoft Monitoring Agent.
D. Run the MMASetup executable and specify the –foo argument.
Correct Answer: B
  watoz1851 1 day, 3 hours ago

Selected Answer: B
https://learn.microsoft.com/en-us/azure/defender-for-cloud/alert-validation#simulate-alerts-on-your-azure-vms-windows-
upvoted 1 times
  m_saeed 1 day, 8 hours ago

Selected Answer: D
chat GPT explanation,
To simulate an attack on the virtual machine that will generate an alert, you should first run the MMASetup executable and specify the –foo
argument. This will simulate an attack and generate an alert in Defender for Cloud. You can then view the alert in the Azure portal to verify that the
attack was successful.
upvoted 1 times
DRAG DROP
-
You create a new Azure subscription and start collecting logs for Azure Monitor.
You need to validate that Microsoft Defender for Cloud will trigger an alert when a malicious file is present on an Azure virtual machine running
Windows Server.
Which three actions should you perform in a sequence? To answer, move the appropriate actions from the list of action to the answer area and
NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.
Correct Answer:
You have an Azure subscription that uses Microsoft Defender for Cloud and contains 100 virtual machines that run Windows Server.
You need to configure Defender for Cloud to collect event data from the virtual machines. The solution must minimize administrative effort and
costs.
A. From the workspace created by Defender for Cloud, set the data collection level to Common.
B. From the Microsoft Endpoint Manager admin center, enable automatic enrollment.
C. From the Azure portal, create an Azure Event Grid subscription.
D. From the workspace created by Defender for Cloud, set the data collection level to All Events.
E. From Defender for Cloud in the Azure portal, enable automatic provisioning for the virtual machines.
Correct Answer: AE
You have an Azure subscription that uses Microsoft Defender for Cloud and contains a user named User1.
You need to ensure that User1 can modify Microsoft Defender for Cloud security policies. The solution must use the principle of least privilege.
Which role should you assign to User1?
A. Security operator
B. Security Admin
C. Owner
D. Contributor
Correct Answer: B

Selected Answer: B
https://learn.microsoft.com/en-us/azure/defender-for-cloud/tutorial-security-policy#who-can-edit-security-policies
upvoted 1 times
You have an Azure subscription that contains a user named User1.
User1 is assigned an Azure Active Directory Premium Plan 2 license.
You need to identify whether the identity of User1 was compromised during the last 90 days.
A. the risk detections report
B. the risky users report
C. Identity Secure Score recommendations
D. the risky sign-ins report
Correct Answer: B

Selected Answer: D
This report will provide information about any suspicious sign-ins that occurred during the specified time period.
upvoted 2 times
You have an Amazon Web Services (AWS) account that contains an Amazon Elastic Compute Cloud (EC2) instance named EC2-1.
You need to onboard EC2-1 to Defender for Cloud.
What should you install on EC2-1?
A. the Log Analytics agent
B. the Azure Connected Machine agent
C. the unified Microsoft Defender for Endpoint solution package
D. Microsoft Monitoring Agent
Correct Answer: A
You have an Azure subscription that uses Microsoft Defender for Cloud and contains a resource group named RG1. RG1 contains 20 virtual
machines that run Windows Server 2019.
You need to configure just-in-time (JIT) access for the virtual machines in RG1. The solution must meet the following requirements:
• Limit the maximum request time to two hours.

• Limit protocols access to Remote Desktop Protocol (RDP) only.
• Minimize administrative effort.
A. Azure AD Privileged Identity Management (PIM)
B. Azure Policy
C. Azure Bastion
D. Azure Front Door
Correct Answer: C

Selected Answer: B
chat GPT answer,
With Azure Policy, you can create a policy that will limit the maximum request time to two hours and limit protocols access to Remote Desktop
Protocol (RDP) only. This will minimize administrative effort and ensure that the virtual machines are secure.
upvoted 2 times
Question #1 Topic 3
DRAG DROP -
You plan to connect an external solution that will send Common Event Format (CEF) messages to Azure Sentinel.
You need to deploy the log forwarder.
Which three actions should you perform in sequence? To answer, move the appropriate actions form the list of actions to the answer area and
Select and Place:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/connect-cef-agent?tabs=rsyslog

correct
upvoted 20 times

Answer is correct
https://docs.microsoft.com/en-us/azure/sentinel/connect-common-event-format#designate-a-log-forwarder-and-install-the-log-analytics-agent
upvoted 11 times

Correct answer. From the link Ken88 provided:
1- Installs the Log Analytics agent for Linux (also known as the OMS agent) and configures it for the following purposes:
--- listening for CEF messages from the built-in Linux Syslog daemon on TCP port 25226
--- sending the messages securely over TLS to your Microsoft Sentinel workspace, where they are parsed and enriched
2- Configures the built-in Linux Syslog daemon (rsyslog.d/syslog-ng) for the following purposes:
--- listening for Syslog messages from your security solutions on TCP port 514
--- forwarding only the messages it identifies as CEF to the Log Analytics agent on localhost using TCP port 25226
The need for restarting the daemon and the agent is to ensure the changes take effect (on Linux this is required)
upvoted 8 times
  rupeshngp Most Recent  5 days, 7 hours ago
was in the exam today! The answer is correct!
upvoted 1 times
  Anko6116 1 week, 4 days ago

Answer is correct according to below article:
https://learn.microsoft.com/en-us/azure/sentinel/connect-log-forwarder?tabs=rsyslog
upvoted 2 times

upvoted 5 times

Correct.
upvoted 4 times
  invaderfr 1 year, 5 months ago

agree with answers
upvoted 4 times
Question #2 Topic 3
HOTSPOT -
From Azure Sentinel, you open the Investigation pane for a high-severity incident as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-investigate-cases#use-the-investigation-graph-to-deep-dive
  zaqwsx Highly Voted  1 year, 4 months ago
what is item? xD
IMO here can be also entities answer

upvoted 14 times

I think this is not correct because in this case, this is a Bookmark... and is like Remilia said: ''In the Entities tab, you can see all the entities that
you mapped as part of the alert rule definition.''
upvoted 2 times
  Haz56 Highly Voted  11 months, 1 week ago

Definitely "Entities", as this button shows items in 3 sections: 1) Entities involved in the incident (user, device, IP etc.), 2) Alerts and 3) Bookmarks.
These are the items associated with the incident.
upvoted 10 times
  Whatsamattr81 Most Recent  6 months, 1 week ago

Difficult call... I'd go with Entities for the second one.
upvoted 3 times

items are entities..
Correct answer is Processes and Entities
upvoted 7 times

Timeline != Items
upvoted 2 times
  josepedroche 1 year ago

Correct answers: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-incident-timeline/ba-p/2267683
upvoted 1 times
  Ana22 1 year ago

Based on the provided URL the given answer seems correct.
upvoted 2 times
  ScrubClub 1 year, 1 month ago

Did anyone get this question? What is an item anyway? Maybe the question is paraphrased?
upvoted 1 times
  soarstheclouds 10 months, 3 weeks ago

When I took the exam yesterday, the Timelines choice was removed.
upvoted 4 times
  Lapatiser 10 months, 3 weeks ago

Hi, The correct answer is entities right?
And how was your exam. Were the exam questions largely the same as Exam topic?
upvoted 1 times
  Nail 1 year, 1 month ago

I'm pretty sure they are looking for entities, not timeline.
upvoted 3 times
  tester18128075 1 year, 1 month ago

I think it is process and info
upvoted 1 times
  Remilia 1 year, 3 months ago

I believe the answer is correct for the 2nd one.
In the Timeline tab, review the timeline of alerts and bookmarks in the incident, which can help you reconstruct the timeline of attacker activity.
while in entities, ''In the Entities tab, you can see all the entities that you mapped as part of the alert rule definition.''
upvoted 6 times

I think the key word for the second one is "navigate": if you click on the timeline alerts, you won't navigate an item, your graph could change
completely, but if you click the "items" from Entities, then the focus in the map will change to the entity you selected.
The first answer I checked and when you hover over, the only related to the options is "Processes running on Host..."
upvoted 1 times
Question #3 Topic 3
DRAG DROP -
You have an Azure Sentinel deployment.
You need to query for all suspicious credential access activities.
Select and Place:
Correct Answer:
Reference:
https://davemccollough.com/2020/11/28/threat-hunting-with-azure-sentinel/
  examkid Highly Voted  1 year, 7 months ago

Correct, in the hunting dashboard you can select the 'Credential Access' tactic
upvoted 12 times

Microsoft Sentinel -> Hunting -> Add filter “Tactics”, select “Credential Access” -> Run All Queries
upvoted 8 times
  Lapatiser Most Recent  10 months, 3 weeks ago

This is not correct. Its supposed to be select hunting -> select new query -> filter by tactics.
If you "filter by tactics" after "selecting hunting", the option available will be to "run selected queries" not "run all queries"
upvoted 2 times

Microsoft Sentinel -> Hunting -> Add filter “Tactics”, select “Credential Access” -> Run All Queries
I have Sentinel and I'm looking at it now. This is exactly correct.
upvoted 10 times
  Sik4nd4r 1 year, 8 months ago

Correct answer
upvoted 2 times
Question #4 Topic 3
You have an existing Azure logic app that is used to block Azure Active Directory (Azure AD) users. The logic app is triggered manually.
You deploy Azure Sentinel.
You need to use the existing logic app as a playbook in Azure Sentinel.
A. And a new scheduled query rule.
B. Add a data connector to Azure Sentinel.
C. Configure a custom Threat Intelligence connector in Azure Sentinel.
D. Modify the trigger in the logic app.
Correct Answer: B
  mmendozaf Highly Voted  1 year, 10 months ago

Personally i think that correct option is D.
upvoted 30 times

yes as Logic app is already available and it pre configure to trigger manual based ... now when you connect it as Playbook you need to change
the Trigger from manual to ..Sentinel based so Option is D
upvoted 6 times

But how do you search for that activation event if the logs aren't coming to sentinel? The key is "Fisrt", you need to get the events
onboarded and then import the app or chanf the trigger.
upvoted 4 times
  JhnCanthern12 Highly Voted  1 year, 8 months ago

Some people are saying this is correct as a logic app connector, actually this is referring to that as you have literally just deployed Sentinel, you
need to add the AAD Connector to get that in first before you do anything. Need the data there first.
upvoted 21 times
  madhatter 1 year, 7 months ago

agreed, you are working with an already deployed logic app and you just created a NEW sentinel deployment. You need the AAD Connector to
send the data first.
Provided answer "B" is correct.

upvoted 10 times

No. There is nothing to do with AAD Connector. This is not about threat hunting against AAD. It is about how to integrate Azure Logic App
to work with Azure Sentinel. You must modify existing Logic App and choose Azure Sentinel actions either the following ones:
- When a response to an Azure Sentinel Alert is triggered

- When Azure Sentinel incident creation rule was triggered
upvoted 11 times
  PJR 1 year, 4 months ago

Before the alert can be triggered you need to ingest the source of the alert - ie connect Azure AD via a data connector.

upvoted 6 times
  Lone__Wolf Most Recent  1 week, 1 day ago

Selected Answer: D
As per chat GPT the answer is D. Modify the trigger in the logic app.
The logic app is currently triggered manually, but to use it as a playbook in Azure Sentinel, it needs to be triggered automatically when certain
conditions are met. This requires modifying the trigger in the logic app so that it is triggered based on an event or a schedule in Azure Sentinel. For
example, you could trigger the logic app when a new user is created in Azure AD, or when a specific security alert is generated in Azure Sentinel.
Once the trigger in the logic app has been modified, you can proceed to the next steps, which may include adding a data connector to Azure
Sentinel, configuring a custom Threat Intelligence connector, and creating a scheduled query rule.
upvoted 2 times
  Matshedy 1 week, 6 days ago

Correct answer is D
upvoted 1 times
Selected Answer: B
I think maybe is B. MS Sentinel have out of the box connectors, but they as far as I undersand must be activated FIRST
https://learn.microsoft.com/en-us/azure/sentinel/connect-azure-active-directory#connect-to-azure-active-directory
Connect to Azure Active Directory

In Microsoft Sentinel, select Data connectors from the navigation menu.
From the data connectors gallery, select Azure Active Directory and then select Open connector page.
Mark the check boxes next to the log types you want to stream into Microsoft Sentinel (see above), and select Connect.
So if i'm not confused (probably i'm) first would need to connect the newly deployed Sentinel to my AAD and after modify the logic app trigger.
upvoted 2 times

D. Modify the trigger in the logic app.
In order to use an existing logic app as a playbook in Azure Sentinel, you will first need to modify the trigger in the logic app. This will allow the
logic app to be triggered automatically by Azure Sentinel, rather than being triggered manually. Once the trigger has been modified, you will then
be able to configure the logic app as a playbook in Azure Sentinel.
upvoted 2 times
  appieh4ck 1 month ago

Selected Answer: B
first you need the connector otherwise communication is impossible with sentinel
upvoted 1 times

Selected Answer: D
To use the existing logic app as a playbook in Azure Sentinel, you should first modify the trigger in the logic app to allow it to be triggered by
Azure Sentinel.
Currently, the logic app is triggered manually, which means that it can only be initiated by a user manually clicking the "Run" button or by an
external system sending a request to the logic app's HTTP trigger. In order to use the logic app as a playbook in Azure Sentinel, you will need to
modify the trigger to allow it to be triggered by Azure Sentinel.
upvoted 1 times
  AMZ 3 months, 2 weeks ago

Data connector is already there cos it is being deployed manually - if not the playbook wouldn't work. therefore D is the right answer.
upvoted 1 times
  Goochhawk 4 months ago

Selected Answer: D
Answer is D
"After you onboard Microsoft Sentinel into your workspace, you can use data connectors to start ingesting your data into Microsoft Sentinel.
Microsoft Sentinel comes with many out of the box connectors for Microsoft services, which you can integrate in real time. For example, the
Microsoft 365 Defender connector is a service-to-service connector that integrates data from Office 365, Azure Active Directory (Azure AD)..."
https://learn.microsoft.com/en-us/azure/sentinel/connect-data-sources
upvoted 1 times

I couldn't find mention to logic apps in data connector documentation. Thus D is the only option I could see.
https://learn.microsoft.com/en-us/azure/sentinel/data-connectors-reference
upvoted 1 times

B
You need first to connect your new deploy Sentinel to AAD and then modify the trigger in the logic app.
https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-active-directory
upvoted 1 times

Selected Answer: B
B is correct...need data first
upvoted 1 times

Selected Answer: B
Given answer is correct. The keyword in the question is "First". Don't assume the AAD connector is there. If you don't add it, or check it's added, the
logic app won't even work because no incidents will be generated in Sentinel to trigger your logic app.
upvoted 2 times
  valuze_sm 8 months, 3 weeks ago
Selected Answer: D
I vote for D. AAD Connector in Sentinel is not required to use Azure AD Actions inside Logic Apps. Of course you should enable the Connector to
generate alerts but not needed for a functioning Logic App.
upvoted 1 times

The question is not "How would you do it?" It is asking what you should do "first"... a common mistake analysis do is to assume the connector is
there and the KQL in the query will result in anything. If no results are generated, the analytics rule will not get triggered, so the playbook will
not trigger either. The keyword in the question is "first".
upvoted 1 times

and the question said you just deployed Sentinel, so there is no ground for the assumption that AAD connector is already set. The logic app
was set to trigger manually, so the FIRST thing I would do after deploying Sentinel and before I assume my playbook will work, I have to
make sure the Azure AD connector is set.
upvoted 1 times

Selected Answer: D
The question says the logic app "is used" to block Azure Active Directory (Azure AD) users, so it assumes the connector it's already setup, otherwise
it can't be used as it would fail
upvoted 1 times

From the question, the logic app existed before sentinel. It was just a standalone to disable accounts. You deploy Sentinel. With what will you
trigger this logic app ? You've just deployed sentinel - from where does it get its data to trigger ? Its a bad question, but B or D have equal
arguments for being correct.
upvoted 1 times
  homeysl 10 months, 1 week ago

Selected Answer: D
should be D
upvoted 2 times
Question #5 Topic 3
Your company uses Azure Sentinel to manage alerts from more than 10,000 IoT devices.
A security manager at the company reports that tracking security threats is increasingly difficult due to the large number of incidents.
You need to recommend a solution to provide a custom visualization to simplify the investigation of threats and to infer threats by using machine
learning.
What should you include in the recommendation?
A. built-in queries
B. livestream
C. notebooks
D. bookmarks
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/notebooks

Selected Answer: C
Jupyter notebooks allow you to supercharge your threat hunting and investigation by enabling documents that contain live code, visualizations,
and narrative text. These documents can be codified and served for specialized visualizations, an investigation guide, and sophisticated threat
hunting.
Additionally, notebooks can be used in security big data analytics for fast data processing on large datasets.
upvoted 1 times

Correct answer. Visualization + Machine Learning = Notebooks
upvoted 1 times

Yes Data Scientist use Jupyter Note book (Python code) - worj with ML tools
so Ans is Notebook
upvoted 2 times

Selected Answer: C
Best option
upvoted 2 times

Correct - Notebooks
upvoted 1 times
  sommy 1 year, 10 months ago

notebooks are for visualization
upvoted 4 times

correct
upvoted 1 times
Question #6 Topic 3
You have a playbook in Azure Sentinel.

When you trigger the playbook, it sends an email to a distribution group.
You need to modify the playbook to send the email to the owner of the resource instead of the distribution group.
What should you do?
A. Add a parameter and modify the trigger.
B. Add a custom data connector and modify the trigger.
C. Add a condition and modify the action.
D. Add an alert and modify the action.
Correct Answer: D
Reference:
https://azsec.azurewebsites.net/2020/01/19/notify-azure-sentinel-alert-to-your-email-automatically/

The answer is correct. You need to add a new parameter in Send email action. That parameter specifies who you want to send to.
upvoted 11 times

Should the answer be A then, not D?
upvoted 4 times

Because the question states that there is already an alert that "sends an email to a distribution group", you should add a parameter and
modify the existing one, right? I would go for A instead.
upvoted 2 times
  ariania 7 months, 2 weeks ago

i think its because you dont want to modify the trigger, rather the action.
upvoted 1 times
  samaras Most Recent  6 days, 1 hour ago

Selected Answer: D
D is the correct answer
upvoted 1 times

Selected Answer: D
D is the correct answer
upvoted 3 times
  AMZ 4 months ago

Its not A or B because they mention Trigger. You can't send email as a trigger then it must be action. Doesn't mention anything about incidents or
alerts so I don't think its D either. It must be C I'm guessing you can create a condition where it matches the resource owner then email owner
upvoted 2 times
  AMZ 4 months ago

I think you could do it with something like this playbook - https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/playbooks-amp-
watchlists-part-1-inform-the-subscription-owner/ba-p/1768917
upvoted 1 times
  Jadeitalia365 5 months ago

Selected Answer: A
Correct answer is A
upvoted 2 times

Correct answer is A
upvoted 2 times

Selected Answer: A
the question states that there is already an alert that "sends an email to a distribution group", you should add a parameter and modify the existing
one, right? I would go for A instead.
upvoted 3 times

https://learn.microsoft.com/en-us/azure/sentinel/playbook-triggers-actions
"Playbook is triggered by Microsoft Sentinel alert"
The alert is already created so we need to modify it
upvoted 1 times

i would go for A
upvoted 1 times

Selected Answer: D
Best option
upvoted 3 times

Selected Answer: D
Totally agree with D
upvoted 3 times

Selected Answer: D
I'm thinking D.
upvoted 3 times

It appears to be a variable, but that's not in the provided answers, so I guess parameter? https://techcommunity.microsoft.com/t5/azure-
sentinel/playbooks-amp-watchlists-part-1-inform-the-subscription-owner/ba-p/1768917
upvoted 2 times
  j888 9 months, 3 weeks ago

D is correct https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook#run-a-playbook-on-demand
upvoted 3 times
Question #7 Topic 3
You provision Azure Sentinel for a new Azure subscription.

You are configuring the Security Events connector.
While creating a new rule from a template in the connector, you decide to generate a new alert for every event.
You create the following rule query.
By which two components can you group alerts into incidents? Each correct answer presents a complete solution.
A. user
B. resource group
C. IP address
D. computer
Correct Answer: CD
  hyperion Highly Voted  1 year, 7 months ago

Answer should be A, D. IP address data is removed from the query in the | summarize, and is not mapped to the IP custom entity.
upvoted 51 times
  madperro 1 year, 2 months ago

Correct answer.
upvoted 1 times
  NoNameP Highly Voted  1 year, 6 months ago

Correct answer A, D.
upvoted 9 times

Selected Answer: AD
To group alerts into incidents in Azure Sentinel, you can use the "user" and "computer" components in the rule query.
upvoted 1 times

Selected Answer: AD
AD correct
upvoted 1 times
  Dumisoph 7 months ago

A&D is Correct
upvoted 1 times

Added the script to a analytic rule and get "Account" and "Host" as only options.
upvoted 1 times

Selected Answer: AD
Thinking top AD also
upvoted 1 times
  Fishman22222 10 months, 1 week ago

Selected Answer: AD
A and D
upvoted 1 times
  Muffen 11 months, 1 week ago

Selected Answer: AD
IP is not returned in the query. We can see that the Account and Computer were mapped to entities and were returned in the 'summarize' section.
upvoted 2 times

Selected Answer: AD
You can group by user and computer
upvoted 1 times

Selected Answer: AD
Best answer
upvoted 1 times
  haykaybam 11 months, 3 weeks ago

Selected Answer: AD
Answer should be A and D. User and Host (computer)
upvoted 1 times
  Puneet30 12 months ago

Selected Answer: CD
https://azsec.azurewebsites.net/2020/02/24/alert-grouping-feature-in-azure-sentinel/
upvoted 3 times

Selected Answer: AD
AD for me.
upvoted 2 times
  josepedroche 1 year ago

Correct answer A & D: Tested query on Sentinel. Only we have the Account (user) and Host (computer) in "incident settings (preview) tab choosing
"grouping alerts into a single incident if the selected entity types and details match:
upvoted 3 times
  Gilli123 1 year ago

Which is the right answer to choose in exam ?
upvoted 1 times

Selected Answer: AD
IP is not listed in the commands..thus not available for this
upvoted 3 times
Question #8 Topic 3
Your company stores the data of every project in a different Azure subscription. All the subscriptions use the same Azure Active Directory (Azure
AD) tenant.
Every project consists of multiple Azure virtual machines that run Windows Server. The Windows events of the virtual machines are stored in a Log
Analytics workspace in each machine's respective subscription.
You deploy Azure Sentinel to a new Azure subscription.
You need to perform hunting queries in Azure Sentinel to search across all the Log Analytics workspaces of all the subscriptions.
A. Add the Security Events connector to the Azure Sentinel workspace.
B. Create a query that uses the workspace expression and the union operator.
C. Use the alias statement.
D. Create a query that uses the resource expression and the alias operator.
E. Add the Azure Sentinel solution to each workspace.
Correct Answer: BE
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants

Correct - every sentinel deployment must have a workspace - and the union command is used to join multiple workspaces together.
upvoted 16 times
  Shared 2 months, 2 weeks ago

Well option E says to add Sentinel, which seems to be wrong as there can be 1 Sentinel/tenant and works across subscriptions:
https://github.com/MicrosoftDocs/azure-docs/issues/85443
https://techcommunity.microsoft.com/t5/microsoft-sentinel/azure-sentinel-instances-per-subscription/m-p/2278936
upvoted 1 times
  daba_fcb Most Recent  1 week, 2 days ago

Selected Answer: AB
I think it's A B,
A - security events connector is called "Security events via legacy agent" and it's Legacy version based on the Microsoft Monitor Agent / Log
Analytics" and the question states that windows events of the VM's are stored in a log analytics workspace. Reference:
https://jeffreyappel.nl/collect-security-events-in-sentinel-with-the-new-ama-agent-and-dcr/
upvoted 2 times
  Martiemark 1 week, 4 days ago

Should the answer include a data connector if it is a new Sentinel?
upvoted 1 times
  Windy232 1 month, 4 weeks ago

Your company has an Azure subscription that hosts resources in multiple Azure regions in different countries.
What are two primary drawbacks of implementing single-tenant with regional workspaces Microsoft Sentinel in your environment as compared to
the single-tenant single workspace option? Each correct answer presents part of the solution.
Limited support for querying data across workspaces

Increased cost of network bandwidth
Lack of a single pane of glass
Increased cost of compute services
Increased deployment complexity
upvoted 1 times
  Windy232 1 month, 4 weeks ago

Which one should be chose?
Thanks all
upvoted 1 times
  Cho 1 week ago

I would choose increased cost and increased deployment complexity.
upvoted 1 times
  midaoui 2 weeks, 6 days ago
I would answer:
- Lack of a single pane of glass
- Increased deployment complexity
https://charbelnemnom.com/top-best-practices-for-deploying-azure-sentinel/
upvoted 1 times

Selected Answer: BE
let subscriptions = [subscription1, subscription2, ...];
union withsource=source
(
workspace("workspace1").SecurityEvent | where TimeGenerated >= ago(1d),
workspace("workspace2").SecurityEvent | where TimeGenerated >= ago(1d),
...
)
upvoted 1 times

Questions states, "All the subscriptions use the same Azure Active Directory (Azure AD) tenant" - from MS - Multiple Azure tenants Microsoft
Sentinel supports data collection from Microsoft and Azure SaaS resources only within its own Azure Active Directory (Azure AD) tenant boundary.
Therefore, each Azure AD tenant requires a separate workspace.
Since we are using the same AD the answer should be A and B.
Also it would be a pain to manage all these Sentinel instances.
https://learn.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants
upvoted 3 times

Selected Answer: BE
Correct. LAs need sentinels and then query with union
upvoted 1 times

Selected Answer: BE
BE is correct
upvoted 1 times

CORRECT
upvoted 2 times
  Enjosi 9 months, 3 weeks ago

Agree. B and E are correct
upvoted 2 times
  Fishman22222 10 months, 1 week ago

Selected Answer: BE
B and E
upvoted 2 times
  timtim589 10 months, 2 weeks ago

Selected Answer: BE
Definitely B and E. To query logs across multiple workspaces, all workspaces should have a sentinel solution deployed on top of them and the
union workspace('WorkspaceName') should be used.
upvoted 1 times

Selected Answer: BE
Best options
upvoted 2 times
  jasonfmj 1 year, 6 months ago

To query data across workspaces, use the workspace() function before the table name.
Kusto
Copy
TableName
| union workspace("WorkspaceName").TableName
upvoted 4 times
  emmdekay 1 year, 8 months ago
Correct Answer
https://docs.microsoft.com/en-us/learn/modules/create-manage-azure-sentinel-workspaces/2-plan-for-azure-sentinel-workspace
upvoted 2 times
Question #9 Topic 3
You have an Azure Sentinel workspace.

You need to test a playbook manually in the Azure portal.
From where can you run the test in Azure Sentinel?
A. Playbooks
B. Analytics
C. Threat intelligence
D. Incidents
Correct Answer: D
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook#run-a-playbook-on-demand

Manual triggering is available from the Azure Sentinel portal in the following blades:
In Incidents view, choose a specific incident, open its Alerts tab, and choose an alert.
In Investigation, choose a specific alert.
Click on View playbooks for the chosen alert. You will get a list of all playbooks that start with an When an Azure Sentinel Alert is triggered and that
you have access to.
Click on Run on the line of a specific playbook to trigger it.
Select the Runs tab to view a list of all the times any playbook has been run on this alert. It might take a few seconds for any just-completed run to
appear in this list.
Clicking on a specific run will open the full run log in Logic Apps.
upvoted 19 times
  teouba Most Recent  2 weeks, 2 days ago

Selected Answer: A
You can run the test in Azure Sentinel from the "Playbooks" blade.
upvoted 2 times
  palito1980 2 weeks, 3 days ago

Selected Answer: D
Clearly says to go to Incidents first.
https://learn.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook?tabs=LAC%2Cincidents#run-a-playbook-manually-on-an-alert
upvoted 1 times
  kushagrasharma172 2 months ago

Given answer is correct. Option D
upvoted 1 times
  subhuman 11 months, 2 weeks ago

Selected Answer: D
Answer is Correct
upvoted 1 times

Selected Answer: D
Best answer
upvoted 1 times

Selected Answer: D
Correct - see link provided.
upvoted 2 times
  sommy 1 year, 10 months ago

correct
upvoted 4 times
You have a custom analytics rule to detect threats in Azure Sentinel.

You discover that the analytics rule stopped running. The rule was disabled, and the rule name has a prefix of AUTO DISABLED.
What is a possible cause of the issue?
A. There are connectivity issues between the data sources and Log Analytics.
B. The number of alerts exceeded 10,000 within two minutes.
C. The rule query takes too long to run and times out.
D. Permissions to one of the data sources of the rule query were modified.
Correct Answer: D
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-detect-threats-custom

D - https://docs.microsoft.com/en-us/azure/sentinel/tutorial-detect-threats-custom#issue-a-scheduled-rule-failed-to-execute-or-appears-with-
auto-disabled-added-to-the-name
upvoted 13 times
  subhuman Highly Voted  11 months, 2 weeks ago

Selected Answer: D
Correct answer is D
Permanent failure - rule auto-disable due to the following reasons
The target workspace (on which the rule query operated) has been deleted.
The target table (on which the rule query operated) has been deleted.
Microsoft Sentinel had been removed from the target workspace.
A function used by the rule query is no longer valid; it has been either modified or removed.
Permissions to one of the data sources of the rule query were changed.
One of the data sources of the rule query was deleted or disconnected.
upvoted 5 times
  stromnessian Most Recent  1 year ago

Selected Answer: D
D is correct.
upvoted 1 times

Correct answer - D. Permission change stopped rule from connecting.
upvoted 2 times
  Domza 1 year, 7 months ago

From the article:
Permanent failure - rule auto-disabled:
- Permissions to one of the data sources of the rule query were changed.
upvoted 3 times

D is the correct answer. This is a permanent failure. A and C are Transient failure
upvoted 1 times
  d_mandessi 1 year, 7 months ago

Other Exam, Transient failure: A and C
upvoted 2 times
  aokisan 1 year, 9 months ago

answer is C.
A rule query takes too long to run and times out.
upvoted 1 times
  antukin 1 year, 9 months ago

Answer is D.
A,C are "Transient failures" - "In a transient failure, Azure Sentinel continues trying to execute"
The question states "You discover that the analytics rule stopped running"
D is a "Permanent failure - rule auto-disabled" - "In consecutive permanent failures, Azure Sentinel stops trying to execute......"Adds the words
"AUTO DISABLED"
upvoted 13 times
Your company uses Azure Sentinel.

A new security analyst reports that she cannot assign and resolve incidents in Azure Sentinel.
You need to ensure that the analyst can assign and resolve incidents. The solution must use the principle of least privilege.
Which role should you assign to the analyst?
A. Azure Sentinel Responder
B. Logic App Contributor
C. Azure Sentinel Contributor
D. Azure Sentinel Reader
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/roles

Roles for working in Azure Sentinel
Azure Sentinel-specific roles
All Azure Sentinel built-in roles grant read access to the data in your Azure Sentinel workspace.
Azure Sentinel Reader can view data, incidents, workbooks, and other Azure Sentinel resources.
Azure Sentinel Responder can, in addition to the above, manage incidents (assign, dismiss, etc.)
Azure Sentinel Contributor can, in addition to the above, create and edit workbooks, analytics rules, and other Azure Sentinel resources.
Azure Sentinel Automation Contributor allows Azure Sentinel to add playbooks to automation rules. It is not meant for user accounts.
Correct answer is Azure Sentinel Responder.

upvoted 16 times
  subhuman Most Recent  11 months, 2 weeks ago

Selected Answer: A
Answer is correct.
Using the least privilege principle Microsoft Sentinel Responder is the best role to assign this user
upvoted 4 times

Selected Answer: A
IMHO the answer is A.
upvoted 1 times

correct
upvoted 1 times
  NoNameP 1 year, 5 months ago

Correct!
upvoted 1 times
You recently deployed Azure Sentinel.

You discover that the default Fusion rule does not generate any alerts. You verify that the rule is enabled.
You need to ensure that the Fusion rule can generate alerts.
What should you do?
A. Disable, and then enable the rule.
B. Add data connectors
C. Create a new machine learning analytics rule.
D. Add a hunting bookmark.
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources

Correct - add data connectors to bring in source data for rules, notebooks, playbooks to query/take action against.
upvoted 11 times
  karlEzio Highly Voted  1 year, 4 months ago

The answer is Correct. By default, fusion is enabled. But to generate the alert, the data connectors must be configured.
upvoted 8 times
  amsioso Most Recent  5 months, 1 week ago

https://docs.microsoft.com/en-us/azure/sentinel/configure-fusion-rules
upvoted 1 times
  Mockento 6 months ago

Selected Answer: B
Best Option
upvoted 2 times
DRAG DROP -
Your company deploys Azure Sentinel.
You plan to delegate the administration of Azure Sentinel to various groups.
You need to delegate the following tasks:
✑ Create and run playbooks
✑ Create workbooks and analytic rules.
Which role should you assign for each task? To answer, drag the appropriate roles to the correct tasks. Each role may be used once, more than
once, or not at all.
You may need to drag the split bar between panes or scroll to view content.
Select and Place:
Correct Answer:
Reference:
  ExamTopicsTST 1 week, 1 day ago

Answer is correct: https://learn.microsoft.com/en-us/azure/sentinel/roles#microsoft-sentinel-roles-permissions-and-allowed-actions
upvoted 1 times

Given answers are (not) correct.
Only Logic App Contributor role is allowed to create and edit the play books as per the link below
https://learn.microsoft.com/en-us/azure/sentinel/roles#microsoft-sentinel-roles-permissions-and-allowed-actions
The question is about the “Create and run playbooks”. Logic App contributor role is not sufficient to Run the play book. You need atleast “Microsoft
Sentinel Playbook Operator” to run the play book as per the below link.
https://learn.microsoft.com/en-us/azure/sentinel/roles#other-roles-and-permissions
upvoted 1 times
  herta 1 month ago

i think you are wrong based on this https://learn.microsoft.com/en-us/azure/sentinel/roles
logic app contributor can view and run playbooks
This table summarizes the Microsoft Sentinel roles and their allowed actions in Microsoft Sentinel.
upvoted 3 times

Answer is correct
https://learn.microsoft.com/en-us/azure/sentinel/roles#other-roles-and-permissions
upvoted 3 times

https://docs.microsoft.com/en-us/azure/sentinel/roles#other-roles-and-permissions
upvoted 1 times
  Fury 5 months, 3 weeks ago

Logic Apps Contributor - Attach playbooks to analytics and automation rules and run playbooks.
Note: This role also allows users to modify playbooks.
Logic apps contributor cannot be the right answer as it can't create playbooks.
Sentinel contributor for both.
upvoted 2 times

Playbook is nothing but Logic App ( so the ans is absolutely Correct )
upvoted 4 times

Correct!
upvoted 1 times

Correct - logic app contributor and sentinel contributor.
upvoted 4 times

correct
upvoted 1 times

Correct!
upvoted 1 times
A company uses Azure Sentinel.

You need to create an automated threat response.
A. a data connector
B. a playbook
C. a workbook
D. a Microsoft incident creation rule
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook

Correct - Playbook
upvoted 6 times

Selected Answer: B
Use playbooks together with automation rules to automate your incident response and remediate security threats detected by Microsoft Sentinel
upvoted 1 times

correct
upvoted 3 times

Correct
upvoted 3 times
HOTSPOT -
You use Azure Sentinel to monitor irregular Azure activity.
You create custom analytics rules to detect threats as shown in the following exhibit.
You do NOT define any incident settings as part of the rule definition.

Hot Area:
Correct Answer:
Reference:

0,1
The first scenario will not generate any alerts, as each series by Caller generates a single result; there is only one caller, therefore 1 result, which is
below the threshold (results > 2).
In the second scenario, there will be 3 results (one for each caller), so one alert will be generated (as this is above the threshold and the results are
grouped into a single alert).
upvoted 26 times
  liberty123 11 months, 4 weeks ago

Thanks for the explanation, I agree with you
upvoted 1 times
  Muffen Highly Voted  11 months, 1 week ago

0,1
make-series is going to make lists of all the EventSubmissionTimestamp values for each user, with each user being on a separate row. This means
that if 1 user creates 3 machines, it will aggregate them all into 1 row. And if 3 users create 1 virtual machine we will see 3 separate rows.
https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/make-seriesoperator#examples
upvoted 7 times
  Atun23 Most Recent  4 months, 1 week ago

I think answer should be 0 and 1.
The make-series operator creates a series of specified aggregated values along a specified axis. In this case the "Caller", this will make 3 rows, 1
row.
This will create a table that shows arrays of the ResourceID's of each query result from each "Caller" ordered by specified time range.
The rule specifies when the query returns 2 results in a 5 minute timespan, trigger the alert, in this case the first scenario would only trigger 1 row
on the results table as it uses "DCOUNT".
In the second scenario it will trigger 1 alert as the threshold is 2 results and group results on a single alert option is selected.
https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/make-seriesoperator
upvoted 2 times
I think the answer 1,1 is correct.
The alert will be based on 5 hours and it will only trigger when it is having 2 counts.
You will end up with 3 counts of computers been created through a single deployment, regardless this should be visible under the 5 hours log.
upvoted 3 times

I would say if all 3 individual users created a VM within 5 minutes of each other i.e. 3 VM's created within the 5 minute window, then an alert would
be triggered/generated.
Correct answer would then be 1 and 1 alert.
upvoted 4 times

I wonder if 2nd answer should be 0. Please correct me with appropriate justification. Thanks.
upvoted 4 times

Agreed - see above.
upvoted 1 times

@Eltooth you agree but in your comments it reads "1 and 1" not "1 and 0"? I mean WT..?
upvoted 1 times

Ah... now I see... clarity came upon me :-)
upvoted 1 times

So which ones?
upvoted 2 times

but query looks on data for the last 5 hours,
upvoted 2 times
You have an Azure Sentinel deployment in the East US Azure region.

You create a Log Analytics workspace named LogsWest in the West US Azure region.
You need to ensure that you can use scheduled analytics rules in the existing Azure Sentinel deployment to generate alerts based on queries to
LogsWest.
A. Deploy Azure Data Catalog to the West US Azure region.
B. Modify the workspace settings of the existing Azure Sentinel deployment.
C. Add Azure Sentinel to a workspace.
D. Create a data connector in Azure Sentinel.
Correct Answer: C
Reference:

Correct answer - C.
Cross-workspace queries can now be included in scheduled analytics rules. You can use cross-workspace analytics rules in a central SOC, and across
tenants (using Azure Lighthouse) as in the case of an MSSP, subject to the following limitations:
* Up to 20 workspaces can be included in a single query.

* Azure Sentinel must be deployed on every workspace referenced in the query.
* Alerts generated by a cross-workspace analytics rule, and the incidents created from them, exist only in the workspace where the rule was
defined. They will not be displayed in any of the other workspaces referenced in the query.
https://docs.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants#cross-workspace-workbooks
upvoted 12 times

Selected Answer: C
I'm going for C here.
upvoted 3 times
You create a custom analytics rule to detect threats in Azure Sentinel.

You discover that the rule fails intermittently.
What are two possible causes of the failures? Each correct answer presents part of the solution.
A. The rule query takes too long to run and times out.
B. The target workspace was deleted.
C. Permissions to the data sources of the rule query were modified.
D. There are connectivity issues between the data sources and Log Analytics
Correct Answer: AD
Incorrect Answers:
B: This would cause it to fail every time, not just intermittently.
C: This would cause it to fail every time, not just intermittently.

Correct - A & D.
upvoted 8 times
  makovec25 Most Recent  6 months, 3 weeks ago

Selected Answer: AD
intermittently is a key word here, so A and D is correct
upvoted 4 times

Selected Answer: AD
Looks right to me.
upvoted 4 times

Selected Answer: AD
Agree AD
upvoted 2 times
  Soldier 1 year, 1 month ago

Correct. A and D are transient failures. B and C are permanent.
upvoted 4 times

Reference: https://docs.microsoft.com/en-us/azure/sentinel/detect-threats-custom#troubleshooting
upvoted 1 times

correct
upvoted 1 times
You are configuring Azure Sentinel.
You need to create an incident in Azure Sentinel when a sign-in to an Azure virtual machine from a malicious IP address is detected.
Solution: You create a scheduled query rule for a data connector.
A. Yes
B. No
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-security-center

You can create scheduled rules from Data connector pages (Next steps tab). But the bottom line is whoever wrote this question should be fired on
the spot.
upvoted 14 times
  amsioso Most Recent  5 months, 1 week ago

NO
After connecting your data sources to Microsoft Sentinel, create custom analytics rules to help discover threats and anomalous behaviors in your
environment.
Analytics rules search for specific events or sets of events across your environment, alert you when certain event thresholds or conditions are
reached, generate incidents for your SOC to triage and investigate, and respond to threats with automated tracking and remediation processes.
https://docs.microsoft.com/en-us/azure/sentinel/detect-threats-custom
upvoted 1 times

I dunno... You can create alerts from scheduled queries. You can the create incidents from alerts. Question doesn't suggest you cant. Pretty sure (in
preview) you can now create incidents based on this alone.
upvoted 2 times

"You create a scheduled query rule for a data connector."
Looks weird. We can't create scheduled query for data connectors. But we can analyze some tables and raise incident.
upvoted 2 times
  arunkum 1 year, 4 months ago

Why is it No
Scheduled query rules are custom analytics rules to generate alerts on specific logic
upvoted 1 times

Because maybe for a threat detection the NRT (near real time) rule is better ? No 100% sur sorry
https://docs.microsoft.com/en-US/azure/sentinel/near-real-time-rules
upvoted 1 times

Correct - No
upvoted 1 times
Solution: You create a hunting bookmark.
A. Yes
B. No
Correct Answer: B
Reference:

Selected Answer: B
B. NO.
Hunting Bookmarks:
https://learn.microsoft.com/en-us/azure/sentinel/bookmarks
upvoted 1 times

Correct - No.
upvoted 1 times
Solution: You create a Microsoft incident creation rule for a data connector.
A. Yes
B. No
Correct Answer: A
Reference:
  eddz25 1 month ago

No
Creating a Microsoft incident creation rule for a data connector will not meet the goal of creating an incident in Azure Sentinel when a sign-in to an
Azure virtual machine from a malicious IP address is detected.
An incident creation rule is used to create incidents in Azure Sentinel based on specific criteria, such as when a certain number of alerts are
triggered within a certain timeframe. While an incident creation rule can be used in conjunction with data connectors to analyze data from other
sources, it does not directly detect sign-ins from malicious IP addresses.
To detect sign-ins from malicious IP addresses, you would need to create an analytics rule that looks for specific signs of a malicious IP address,
such as a high number of failed login attempts or login attempts from a known malicious IP. Once the rule detects a sign-in from a malicious IP, it
can trigger an alert, which can then be used to create an incident in Azure Sentinel.
upvoted 1 times

Selected Answer: A
YES.
https://learn.microsoft.com/en-us/azure/sentinel/detect-threats-custom#configure-the-incident-creation-settings
upvoted 2 times

YES
https://docs.microsoft.com/en-us/azure/sentinel/connect-defender-for-cloud
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-security-center-auto-connect-to-sentinel/ba-p/1387539
upvoted 1 times

Correct - yes.
upvoted 2 times
  DigitalNomad 1 year, 3 months ago

I think this is the correct answer , as this kind of alert is generated by ASC , so we need the Microsoft incident creation rule to create incidents from
ASC into sentinel. see https://docs.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference
upvoted 3 times
You plan to create a custom Azure Sentinel query that will track anomalous Azure Active Directory (Azure AD) sign-in activity and present the
activity as a time chart aggregated by day.
You need to create a query that will be used to display the time chart.
What should you include in the query?
A. extend
B. bin
C. makeset
D. workspace
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/logs/get-started-queries
  werbinich Highly Voted  1 year, 5 months ago

Grouping results can also be based on a time column, or another continuous value. Simply summarizing by TimeGenerated, though, would create
groups for every single millisecond over the time range, because these are unique values.
To create groups that are based on continuous values, it's best to break the range into manageable units by using bin.
Thus correct answer.

upvoted 13 times

Selected Answer: B
https://learn.microsoft.com/en-us/azure/azure-monitor/logs/get-started-queries#summarize-by-a-time-column
upvoted 1 times

Selected Answer: B
B for bin. Simples.
upvoted 2 times

Correct - bin.
upvoted 2 times
  tk3 1 year, 6 months ago

correct
upvoted 2 times

Correct Answer
upvoted 4 times

You need to send a Microsoft Teams message to a channel whenever a sign-in from a suspicious IP address is detected.
Which two actions should you perform in Azure Sentinel? Each correct answer presents part of the solution.
A. Add a playbook.
B. Associate a playbook to an incident.
C. Enable Entity behavior analytics.
D. Create a workbook.
E. Enable the Fusion rule.
Correct Answer: AB
Reference:

Playbooks are collections of procedures that can be run from Azure Sentinel in response to an alert or incident. A playbook can help automate and
orchestrate your response, and can be set to run automatically when specific alerts or incidents are generated, by being attached to an analytics
rule or an automation rule, respectively. It can also be run manually on-demand.
Playbooks in Azure Sentinel are based on workflows built in Azure Logic Apps, which means that you get all the power, customizability, and built-in
templates of Logic Apps.
Thus correct answer

upvoted 20 times

keep up the good stuff @werbinich. Hope you crack the certification soon. All the best.
upvoted 3 times
  aman1782 8 months, 3 weeks ago

Correct A&B
upvoted 1 times
  eddz25 Most Recent  1 month ago

Selected Answer: AB
A. Add a playbook
B. Associate a playbook to an incident
To send a Microsoft Teams message to a channel whenever a sign-in from a suspicious IP address is detected in Azure Sentinel, you will need to
perform two actions:
Add a playbook: A playbook is a set of actions that can be triggered in response to an incident, such as sending a message to a channel in
Microsoft Teams. To add a playbook, you will need to navigate to the Playbooks tab in Azure Sentinel and create a new playbook that includes an
action to send a message to a Microsoft Teams channel.
Associate a playbook to an incident: After creating the playbook, you will need to associate it with an incident in Azure Sentinel. This can be done
by navigating to the Incidents tab in Azure Sentinel and selecting the incident that you want to associate the playbook with. Then, select the
"Associate Playbook" button and select the playbook that you created.
upvoted 1 times

Selected Answer: AB
Correct answer A&B
upvoted 1 times

Selected Answer: AB
AB IMHO.
upvoted 2 times

Selected Answer: AB
A & B is correct
upvoted 1 times
For me B is a wrong choice. We can NOT associate a playbook to an incident! We can:
- trigger playbook when incident happens
- associate playbook to an ANALYTIC RULE
Fusion rule is important to catch Multistage attacks not suspicious sign-in.
So A - ok
B - weird.
upvoted 3 times

Correct - A & B
upvoted 3 times
  tk3 1 year, 6 months ago

i agree with the answer
upvoted 1 times

Correct
upvoted 2 times
You need to visualize Azure Sentinel data and enrich the data by using third-party data sources to identify indicators of compromise (IoC).
A. notebooks in Azure Sentinel
B. Microsoft Cloud App Security
C. Azure Monitor
D. hunting queries in Azure Sentinel
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/notebooks

The Azure portal and all Azure Sentinel tools use a common API to access this data store.
The same API is also available for external tools such as Jupyter notebooks and Python. While many common tasks can be carried out in the portal,
Jupyter extends the scope of what you can do with this data. It combines full programmability with a huge collection of libraries for machine
learning, visualization, and data analysis. These attributes make Jupyter a compelling tool for security investigation and hunting.
Thus Correct Answer.

upvoted 31 times
  Soldier 1 year, 1 month ago

Great explanation @werbinich
upvoted 1 times

Selected Answer: A
A. notebooks in Azure Sentinel
To visualize Azure Sentinel data and enrich it by using third-party data sources to identify indicators of compromise (IoC), you can use notebooks in
Azure Sentinel.
Notebooks in Azure Sentinel are interactive documents that allow you to run queries, create visualizations, and perform data analysis on your Azure
Sentinel data. They also allow you to connect to other data sources, such as third-party threat intelligence feeds, to enrich the data and identify
indicators of compromise (IoCs).
Once you have connected to the third-party data source, you can use Azure Sentinel notebook to blend the data, and create visualizations, and
perform data analysis to identify the potential attack.
upvoted 1 times
  vnez 6 months ago

Selected Answer: A
Correct answer
upvoted 2 times

A - correct Answer.
upvoted 4 times

Correct answer
upvoted 3 times
You plan to create a custom Azure Sentinel query that will provide a visual representation of the security alerts generated by Azure Security
Center.
You need to create a query that will be used to display a bar graph.
What should you include in the query?
A. extend
B. bin
C. count
D. workspace
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-chart-visualizations

Sample query :
requests
| summarize Requests = count() by Result = strcat('Http ', resultCode)
| order by Requests desc
The query returns two columns: Requests metric and Result category. Each value of the Result column will get its own bar in the chart with height
proportional to the Requests metric.
Thus correct answer.

upvoted 12 times
  Fcnet Most Recent  3 weeks, 4 days ago

https://learn.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-chart-visualizations
upvoted 1 times

Correct - C
upvoted 3 times
  Silent_Muzinde 1 year, 8 months ago

C is correct yes. Either summarize count() or count() should be used
https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-workbooks-101-with-sample-workbook/ba-p/1409216
upvoted 4 times
You use Azure Sentinel.

You need to receive an alert in near real-time whenever Azure Storage account keys are enumerated.
A. Create a livestream
B. Add a data connector
C. Create an analytics rule
D. Create a hunting query.
E. Create a bookmark.
Correct Answer: BD
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/livestream

Selected Answer: AD
Use hunting livestream to create interactive sessions that let you test newly created queries as events occur, get notifications from the sessions
when a match is found, and launch investigations if necessary. You can quickly create a livestream session using any Log Analytics query.
upvoted 9 times
  Menard001 7 months, 2 weeks ago

livestream will not work if there's no data connector?
upvoted 3 times

Selected Answer: AB
The correct answer should be A&B. B because you have to connect the "Azure Storage Account" and make sure the diagnostic settings are set to
send activities about the key enumerations to Sentinel workspace. I see people in discussion debates ignore the importance of checking the data
connector and jump into the discussion about whether the solution should be X or Y. Please check the data connector if the question doesn't say
or indicate it is set correctly.
Then whether it is Hunting query or Livestream. Near real-time is the keyword here and the answer reveales a reference link to Livestream, not to
hunting. With Livestream, any matching results will generate "Azure Alerts" which are shown at the Notification bell. So the correct answer is A not
D.
upvoted 5 times

Minor Correction: B because you have to connect the "Azure Key Vault" data connector....
upvoted 3 times
  Nailik_Ms Most Recent  2 weeks, 1 day ago

Selected Answer: AD
Sentinel needs data connectors to get data from other Azure Resources, so Add a data connector would make sense, but i think they would have
said "you just deployed sentinel to your organization" then Adding a data connector would make sense. Here they point that you already use Azure
Sentinel therefore i think the direct way to answer the question creating first the hunting query, and then use it on a livestream. (btw i've readed an
answer where it's said livestream don't create alerts, and it's wrong) info here: Elevate a livestream session to an alert
You can promote a livestream session to a new alert by selecting Elevate to alert from the command bar on the relevant livestream session:
https://learn.microsoft.com/en-us/azure/sentinel/livestream
upvoted 2 times
  ACSC 3 weeks, 2 days ago

Selected Answer: AD
https://charbelnemnom.com/monitor-azure-storage-account-activity-log-with-azure-sentinel/
upvoted 1 times

Selected Answer: AB
Livestreams allow you to have alerts in near real time.
To create that livestream you require a query, but in order for that query to have the results required, you need the data connector enabled
upvoted 1 times
Selected Answer: AB
B Make sure the data connector is set.
A Create a Livestream for Azure storage key enumeration (NO custom alert/hunting query or bookmark needed).
https://learn.microsoft.com/en-us/azure/sentinel/livestream#create-a-livestream-session
upvoted 4 times

For clarity. no CUSTOM hunting query needed. The "Azure storage key enumeration" is a default provided by Microsoft.
upvoted 3 times

Agree with Meta - AB correct answer - checked in Sentinel, default query "Azure storage key enumeration"
upvoted 2 times
  Mriji 4 months, 3 weeks ago

The requirement says "You need to receive an alert in near real-time", making livestream the better option here. A and D are the answer.
upvoted 1 times

Selected Answer: AD
A+D
Create hunting query and enable live stream.
upvoted 1 times

B, D
First you need a data connector.
For create a livestream session you need also first to start from a query or you have to create it before select "save" (livestream).
In order: B, D, A
https://docs.microsoft.com/en-us/azure/sentinel/livestream#elevate-a-livestream-session-to-an-alert
https://docs.microsoft.com/en-us/azure/sentinel/livestream#create-a-livestream-session
upvoted 2 times
  Stiobhan 6 months ago

Answer is defo A&D, it's even there in the link they provided, plain as day but they still show the wrong selection......OMG!!!! I am paying for this
stuff, must be off my head 👀 Someone needs to start remediating some of these wrong answers and start providing proper, tangible
explanations!
upvoted 4 times

In livestream you can elevate to an alert... https://docs.microsoft.com/en-us/azure/sentinel/livestream.. But again, another setinal question where
you can choose to assume the data connector exists or not. The answer changes on that assumption.
upvoted 1 times

B&D is correct.... Livestream is for you to receive real time portal notification; the question says "you need to receive an alert"
upvoted 2 times
  5lic3 7 months ago

Selected Answer: AD
Should be A D
upvoted 1 times
  damithsn 7 months, 3 weeks ago

It says "You need to receive an alert". I do not think livestream can create alerts. This can be an NRT rule.
upvoted 2 times
  Nishok 9 months, 2 weeks ago

Selected Answer: AD
A&D the correct answer
upvoted 2 times
  Osamat98 10 months ago

Should be A&D
upvoted 4 times
HOTSPOT -
You deploy Azure Sentinel.
You need to implement connectors in Azure Sentinel to monitor Microsoft Teams and Linux virtual machines in Azure. The solution must minimize
administrative effort.
Which data connector type should you use for each workload? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/connect-office-365 https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog

Correct answer. Office365 & Syslog.
upvoted 14 times

Correct answer. Office365 & Syslog.
upvoted 1 times

Correct answers.
upvoted 3 times
  CaracasCCS1 1 year, 4 months ago

Syslog like an less administrative effort? I dont think so...
For me is:
- Office 365
- Security Events
upvoted 1 times

I see that Security Events its just for Windows Machine, so for Linux you need Syslog.... so the answer is right
upvoted 14 times
You are investigating an incident in Azure Sentinel that contains more than 127 alerts.
You discover eight alerts in the incident that require further investigation.
You need to escalate the alerts to another Azure Sentinel administrator.
What should you do to provide the alerts to the administrator?
A. Create a Microsoft incident creation rule
B. Share the incident URL
C. Create a scheduled query rule
D. Assign the incident
Correct Answer: D
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/investigate-cases

Correct - D
upvoted 5 times

Selected Answer: D
https://learn.microsoft.com/en-us/azure/sentinel/investigate-cases#how-to-investigate-incidents
upvoted 1 times

You should also let him know and share URL
upvoted 1 times

D
Incidents can be assigned to a specific user or to a group. For each incident you can assign an owner, by setting the Owner field. All incidents start
as unassigned. You can also add comments so that other analysts will be able to understand what you investigated and what your concerns are
around the incident.
upvoted 2 times
  Kamal_SriLanka 7 months, 3 weeks ago

D is correct
upvoted 1 times

You need to send a Microsoft Teams message to a channel whenever an incident representing a sign-in risk event is activated in Azure Sentinel.
Which two actions should you perform in Azure Sentinel? Each correct answer presents part of the solution.
A. Enable Entity behavior analytics.
B. Associate a playbook to the analytics rule that triggered the incident.
C. Enable the Fusion rule.
D. Add a playbook.
E. Create a workbook.
Correct Answer: AB
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/enable-entity-behavior-analytics https://docs.microsoft.com/en-us/azure/sentinel/automate-
responses-with-playbooks

I would say B & D as you need the playbook to be created first then associated.
upvoted 24 times

I echo
upvoted 2 times

I'm leaning towards the same answer as you, since it was my first reaction.
upvoted 2 times
  Python46 Highly Voted  11 months, 1 week ago

Hi all, I did the exam yesterday and this came up, I selected B&D and scored 925
upvoted 14 times
  Martiemark Most Recent  2 weeks, 5 days ago

So the playbook was already created?
You can associate if there is no playbook. I would have to pick B&D.
upvoted 1 times

Selected Answer: B
To send a Microsoft Teams message to a channel whenever an incident representing a sign-in risk event is activated in Azure Sentinel, you will need
to perform two actions:
Add a playbook: A playbook is a set of actions that can be triggered in response to an incident, such as sending a message to a channel in
Microsoft Teams. To add a playbook, you will need to navigate to the Playbooks tab in Azure Sentinel and create a new playbook that includes an
action to send a message to a Microsoft Teams channel.
Associate a playbook to the analytics rule that triggered the incident: After creating the playbook, you will need to associate it with the analytics
rule that triggered the incident. This can be done by navigating to the Analytics tab in Azure Sentinel, select the analytics rule that you want to
associate the playbook with, and then selecting the "Associate Playbook" button and selecting the playbook that you created.
upvoted 1 times

I think there is similar question but it was incident access from suspicious iPaddress and for that no need to enable entity behaviour hence the
steps were Associate Playbook and Add playbook but for this issue is related to sign-in risk event which needed signin logs data source which has
to enabled first, hence the answers changed to A and B
upvoted 1 times

Selected Answer: BD
Answer is
D Add a playbook
B Associate a playbook to the analytics rule that triggered the incident.
UEBA also requires data sources from Azure and/or Thirdparty and will be able to help analyze and investigate an incident. This is not relevant to
the question. So we have to assume data connectors are in place.
upvoted 6 times
Selected Answer: BD
B+D is the right way
upvoted 1 times

Surely would be easier to connect Identity Protection to Sentinel than use the UEBA stuff... Which seems more for intelligent insider risk (i think -
never used EUBA). I'd go B and D.
upvoted 2 times
  Kamal_SriLanka 7 months, 3 weeks ago

Answer is B and D
upvoted 1 times

Selected Answer: AB
Correct answers A&B. You can't assume you have the data source needed to capture risky sign-ins. You should check whether you have the
required data source on First then worry about how to do the rest. So answer A is required. Now that you are left with only one remaining correct
answer. D on its on doesn't provide a complete solution (having a playbook on its own is not enough). Hence answer B provides a complete
solution.
upvoted 1 times

I take it back. Correct answers should be A & D. See Question #22 previously had the same options and the correct answers where "Add a
playbook" then "Associate a playbook to an incident"
upvoted 2 times

Selected Answer: BD
BD aswell
upvoted 1 times
  homeysl 10 months, 1 week ago

Selected Answer: BD
should be BD
upvoted 1 times
  RckStdy 11 months, 2 weeks ago

Selected Answer: AB
A, Risky sign in has to do with Entity behavior analytics. B, agree with everyone else
upvoted 3 times

It seems like answer A is related to the fact that it is "an incident representing a sign-in risk event" and sign in risks are in the category of Entity
Behavior. Not sure, but that is only thing I can find to make answer A make sense.
upvoted 2 times

The scenario in the link about playbooks goes along with answer B. Orchestration
Use the SOC chat platform to better control the incidents queue.
For example:
A Microsoft Sentinel incident was created from an alert by an analytics rule that generates username and IP address entities.
The incident triggers an automation rule which runs a playbook with the following steps:
Start when a new Microsoft Sentinel incident is created.
Send a message to your security operations channel in Microsoft Teams or Slack to make sure your security analysts are aware of the incident.
Send all the information in the alert by email to your senior network admin and security admin. The email message will include Block and Ignore
user option buttons.
Wait until a response is received from the admins, then continue to run.
If the admins have chosen Block, send a command to the firewall to block the IP address in the alert, and another to Azure AD to disable the user.
upvoted 1 times
  Volent 11 months, 3 weeks ago

Selected Answer: BD
I echo
B& D
upvoted 1 times
Selected Answer: BD
Agree with BD
upvoted 1 times
DRAG DROP -
You need to use an Azure Sentinel analytics rule to search for specific criteria in Amazon Web Services (AWS) logs and to generate incidents.
Select and Place:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/detect-threats-custom

Simple but correct
upvoted 2 times
  pedromonteirozikado 11 months, 2 weeks ago

Scheduled Queries don't create incidents...
upvoted 2 times
  SubQue 11 months, 2 weeks ago

Actually, they do create. There is an option called "Create incidents from this query" which you can enable or disable it.
upvoted 9 times
  pedromonteirozikado 11 months, 1 week ago

You're Right. , Create incidents from alerts triggered by this analytics rule is set by default to Enabled. The another option of analytics rules
called "Create incident rule" is to create incidents based on alerts generated by others security products like Defender.
Thanks!
upvoted 3 times

Looks right I'd say.
upvoted 1 times
  swgu 1 year, 1 month ago

Answer is correct
upvoted 1 times
You have the following environment:
Azure Sentinel -
✑ A Microsoft 365 subscription

✑ Microsoft Defender for Identity
✑ An Azure Active Directory (Azure AD) tenant
You configure Azure Sentinel to collect security logs from all the Active Directory member servers and domain controllers.
You deploy Microsoft Defender for Identity by using standalone sensors.
You need to ensure that you can detect when sensitive groups are modified in Active Directory.
A. Configure the Advanced Audit Policy Configuration settings for the domain controllers.
B. Modify the permissions of the Domain Controllers organizational unit (OU).
C. Configure auditing in the Microsoft 365 compliance center.
D. Configure Windows Event Forwarding on the domain controllers.
Correct Answer: AD
Reference:
https://docs.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection https://docs.microsoft.com/en-us/defender-for-
identity/configure-event-collection

Correct - A & D
upvoted 12 times
  SuperGraham Most Recent  2 months ago

Selected Answer: AD
A & D are the correct anwsers
upvoted 1 times

Answer is correct.- Simple!
upvoted 1 times

Selected Answer: AD
Answer is correct.
A: Configure the Advanced Audit Policy Configuration settings for the domain controllers
For the correct events to be audited and included in the Windows Event Log, your domain controllers require accurate Advanced Audit Policy
settings.
https://learn.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection
D: Configure Windows Event Forwarding on the domain controllers.
To enhance detection capabilities, Defender for Identity needs the Windows events listed in Configure event collection. These can either be read
automatically by the Defender for Identity sensor or in case the Defender for Identity sensor is not deployed, it can be forwarded to the Defender
for Identity standalone sensor in one of two ways, by configuring the Defender for Identity standalone sensor to listen for SIEM events or by
configuring Windows Event Forwarding.
https://learn.microsoft.com/en-us/defender-for-identity/configure-event-forwarding
upvoted 4 times

correct A,D
upvoted 1 times
You use Azure Sentinel.

You need to use a built-in role to provide a security analyst with the ability to edit the queries of custom Azure Sentinel workbooks. The solution
must use the principle of least privilege.
Which role should you assign to the analyst?
A. Azure Sentinel Contributor
B. Security Administrator
C. Azure Sentinel Responder
D. Logic App Contributor
Correct Answer: A
Azure Sentinel Contributor can create and edit workbooks, analytics rules, and other Azure Sentinel resources.
Reference:

Correct - A
upvoted 7 times

Selected Answer: A
Looks good.
upvoted 5 times
You create a hunting query in Azure Sentinel.

You need to receive a notification in the Azure portal as soon as the hunting query detects a match on the query. The solution must minimize
effort.
A. a playbook
B. a notebook
C. a livestream
D. a bookmark
Correct Answer: C
Use livestream to run a specific query constantly, presenting results as they come in.
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/hunting
  LiamNg Highly Voted  1 year, 4 months ago

Because livestream notifications for new events use Azure portal notifications, you see these notifications whenever you use the Azure portal.
Ref https://docs.microsoft.com/en-us/azure/sentinel/livestream#receive-notifications-when-new-events-occur
upvoted 13 times

Selected Answer: C
Aye, C.
upvoted 3 times

Selected Answer: C
Livestream
upvoted 2 times

Correct.
upvoted 3 times

Correct - C. Livestream
upvoted 4 times
You have an Azure subscription named Sub1 and a Microsoft 365 subscription. Sub1 is linked to an Azure Active Directory (Azure AD) tenant
named contoso.com.
You create an Azure Sentinel workspace named workspace1. In workspace1, you activate an Azure AD connector for contoso.com and an Office
365 connector for the Microsoft 365 subscription.
You need to use the Fusion rule to detect multi-staged attacks that include suspicious sign-ins to contoso.com followed by anomalous Microsoft
Office 365 activity.
Which two actions should you perform? Each correct answer present part of the solution.
A. Create custom rule based on the Office 365 connector templates.
B. Create a Microsoft incident creation rule based on Azure Security Center.
C. Create a Microsoft Cloud App Security connector.
D. Create an Azure AD Identity Protection connector.
Correct Answer: AB
  arunkum Highly Voted  1 year, 4 months ago

Answer should be A & D
Azure security center is not in the equation at all
Any comments ?
upvoted 17 times
  Discuss4certi 1 year, 4 months ago

I follow A and D. ASC indeed shouldnt be in the equation when you are already using sentinel. D for the logon events and A for the o365
activity
upvoted 8 times

You create an Azure Sentinel workspace named workspace1. In workspace1, you activate an Azure AD connector for contoso.com and an Office
365 connector for the Microsoft 365 subscription.
upvoted 1 times

There's a connector already so why D?
upvoted 1 times
  vincenttoolate 7 months, 2 weeks ago

The 2 connectors mentioned at the questions are not enough. CD
upvoted 2 times

You will ad another connector?
upvoted 1 times
  Contactfornitish Highly Voted  11 months, 4 weeks ago

Selected Answer: AD
Thinking logically, there question gives no mention of MCAS and there are only two connectors active, AD (not identity protection) and O365. AD
connector can give only what happened not what's suspicious, so you would need Azure AD Identity protection connector for that so D is certain.
C is a no go as there is no log upload etc setup nor we talking about custom or third party apps or Shadow IT of any kind.
B should not be the case as we are talking about identity compromise and then actions followed in O365, not on-prem so Azure Security center is
out. Question is not talking about Incident generation either but fusion rule.
Coming to A, there are samples of analytics rules about Log4J activities and other type of suspicious patterns, but there is nothing sort of specific
about covering everything, so nothing is there built-in but all logs are there to capture any kind of activities in O365 and their pattern, so a custom
rule makes sense which would need to cover relevant scenarios
My pick would be A & D

upvoted 9 times

But the Question mention Anomalies.
upvoted 1 times

Selected Answer: AD
A. Create custom rule based on the Office 365 connector templates.
To use the Fusion rule to detect multi-staged attacks that include suspicious sign-ins to contoso.com followed by anomalous Microsoft Office 365
activity, you will need to perform two actions:
Create custom rule based on the Office 365 connector templates: By creating a custom rule based on the Office 365 connector templates, you can
monitor Office 365 activity for suspicious behavior, such as anomalous login attempts, or unusual activity from a specific IP address.
Create an Azure AD Identity Protection connector: Azure AD Identity Protection is a security solution that provides visibility, control, and protection
for Azure AD identities. By creating an Azure AD Identity Protection connector, you can monitor Azure AD activity for suspicious behavior, such as
suspicious sign-ins, or unusual activity from a specific IP address.
upvoted 1 times

Selected Answer: CD
the correct answers are:

C. Create a Microsoft Cloud App Security connector
upvoted 2 times

Selected Answer: CD
Create an Azure AD Identity Protection connector: You can use the Azure AD Identity Protection connector to import data from Azure AD Identity
Protection and use it in your Azure Sentinel workspace. This will allow you to detect suspicious sign-ins to contoso.com and use this data in your
Fusion rule.
Create a Microsoft Cloud App Security connector: You can use the Microsoft Cloud App Security connector to import data from Microsoft Cloud
App Security and use it in your Azure Sentinel workspace. This will allow you to detect anomalous Microsoft Office 365 activity and use this data in
your Fusion rule.
upvoted 2 times

Selected Answer: CD
If you have created and enabled these scheduled analytics rules in your Sentinel workspace, Fusion can detect 32 new scenarios by combining
alerts from the scheduled analytics rules that detects specific events or sets of events across your environment, with alerts from Microsoft Cloud
App Security or Azure Active Directory Identity Protection.
upvoted 1 times

C, D
Fusion Rule needs signals from Azure AD Identity Protection connector and from Microsoft Cloud App Security connector to generate the alerts.
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-fusion-advanced-multistage-attack-detection-scenarios/ba-
p/2337497
upvoted 1 times

Sorry... By default they are already all included (signals from)
https://docs.microsoft.com/en-US/Azure/sentinel/configure-fusion-rules
So you only have to create your own rule from (editing, modifying) a rule template ("There are rule templates to create incidents in Azure
Sentinel based on alerts from Azure Security Center, Office 365 Advanced Threat Protection (Preview) and Microsoft Defender Advanced Threat
Protection.")
https://techcommunity.microsoft.com/t5/itops-talk-blog/azure-sentinel-using-rule-templates/ba-p/2028427
upvoted 2 times

So A, B
upvoted 1 times

Selected Answer: AB
You create an Azure Sentinel workspace named workspace1. In workspace1, you activate an Azure AD connector for contoso.com and an Office 365
connector for the Microsoft 365 subscription.
-You don't need to add another connector because the connector already set up.
so C and D is not the correct answer.
upvoted 1 times

Selected Answer: AD
Correct answer A & D. MCAS and Azure Security Center (now called Defender for Cloud) are not mentioned in the question, so not relevant.
upvoted 2 times
  Dris2021 8 months, 2 weeks ago

Correct answer A & D
upvoted 2 times

Somehow I agree with A B.
Fusion would have everything enabled, the task is to set the detection for anomalous activity. One connector the Azure defender for the cloud is
enough would cover all.
upvoted 1 times
  Davidf 10 months, 1 week ago

Selected Answer: CD
Another one for CD, the fusion rule is creating the alerts, but it needs all the data it can get its hands on to do so reliably
upvoted 2 times
  Davidf 10 months, 2 weeks ago

Selected Answer: CD
As per comments about, the guide recommends enabling extra connectors To enable these detections, we recommend you configure the following
data connectors for best results:
Out-of-the-box anomaly detections

Azure Active Directory Identity Protection
Azure Defender
Azure Defender for IoT
Microsoft 365 Defender
Microsoft Cloud App Security
Microsoft Defender for Endpoint
Microsoft Defender for Identity
Microsoft Defender for Office 365
Palo Alto Networks
upvoted 2 times

Selected Answer: AD
MCAS is not mentioned in the question
upvoted 2 times
  certificacionsc200 10 months, 3 weeks ago

Is it correct A & D?? Can you confirm??
upvoted 1 times
  Neela 11 months ago

answer is correct, keyword detect
connectors are already created
upvoted 1 times

Anomalous activity came from the MCAS, and the Suspicious Sign-ins from Azure AD Identity Protection. So C,D is correct
upvoted 3 times
Solution: You create a livestream from a query.
A. Yes
B. No
Correct Answer: B
Reference:

No,
You create a Microsoft incident creation rule for a data connector.
upvoted 13 times
HOTSPOT -
You need to create a query for a workbook. The query must meet the following requirements:
✑ List all incidents by incident number.
✑ Only include the most recent log for each incident.
Hot Area:
Correct Answer:
Reference:
https://www.drware.com/whats-new-soc-operational-metrics-now-available-in-sentinel/

If you wanted to return a list of all incidents sorted by their incident number but only wanted to return the most recent log per incident, you could
do this using the arg_max KQL operator*:
List incidents by incident number
SecurityIncident
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
upvoted 7 times
  Nickname01 4 months ago

tested, answer is correct
upvoted 3 times
  PhoenixSlasher Most Recent  6 days ago

Answer correct, tested.
upvoted 1 times
DRAG DROP -
You have the resources shown in the following table.
You need to prevent duplicate events from occurring in SW1.

What should you use for each action? To answer, drag the appropriate resources to the correct actions. Each resource may be used once, more
than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Select and Place:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/connect-log-forwarder?tabs=rsyslog
  Metasploit Highly Voted  3 months, 3 weeks ago

Server 1 and Server 1
Using the same machine to forward both plain Syslog and CEF messages.
1) Server 1 Change to stop the Plain Syslog from also sending CEF logs to the forwarder:
2) Server 1 Change to disable the Log Analytics Agent from syncing with Microsoft Sentinel's Syslog configuration so that changes made in step 1
do not get overwritten.
SW1 receives the data only from CEF1, CEF1 needs to send data collected in CEF message from Server1 and Plain Syslog from Server2. Seeing that
Server 2 is configured to send plain syslog to CEF1, there is no log analytics agent on this server to duplicate data. Everything is happening on
Server1.
Big purple Note box, ctrl+f, search for "duplication of events".

https://learn.microsoft.com/en-us/azure/sentinel/connect-log-forwarder?tabs=rsyslog
upvoted 7 times

Looking at the documentation I agree.
upvoted 3 times
  sukhdeep Most Recent  1 month, 1 week ago

Server1 and CEF1 is right answer.
upvoted 1 times

This should be server 1 and 2? I think I dont understando the real meaning.
Using the same machine to forward both plain Syslog and CEF messages
If you plan to use this log forwarder machine to forward Syslog messages as well as CEF, then in order to avoid the duplication of events to the
Syslog and CommonSecurityLog tables:
a. On each source machine that sends logs to the forwarder in CEF format, you must edit the Syslog configuration file to remove the facilities that
are being used to send CEF messages. This way, the facilities that are sent in CEF won't also be sent in Syslog. See Configure Syslog on Linux agent
for detailed instructions on how to do this.
b. You must run the following command on those machines to disable the synchronization of the agent with the Syslog configuration in Microsoft
Sentinel. This ensures that the configuration change you made in the previous step does not get overwritten.
sudo su omsagent -c 'python /opt/microsoft/omsconfig/Scripts/OMS_MetaConfigHelper.py --disable'
https://docs.microsoft.com/en-us/azure/sentinel/connect-log-forwarder?tabs=rsyslog
upvoted 1 times

Correct
Server1, CEF1
upvoted 1 times
  hanyahmed 5 months, 3 weeks ago

correct answer is Server1 and CEF1
for server1 :
If you plan to use this log forwarder machine to forward Syslog messages as CEF, then to avoid the duplication of events to the Syslog and
CommonSecurityLog tables:
On each source machine that sends logs to the forwarder in CEF format, you must edit the Syslog configuration file to remove the facilities used to
send CEF messages.
For CEF1:
Install the Log Analytics agent for Linux (also known as the OMS agent) and configures it for the following purposes:
• Listening for CEF messages from the built-in Linux Syslog daemon on TCP port 25226
Configures the built-in Linux Syslog daemon for the following purposes:
• Listening for Syslog messages from your security solutions on TCP port 514
• Forwarding only the messages it identifies as CEF to the Log Analytics agent on localhost using TCP port 25226
From <https://docs.microsoft.com/en-us/learn/modules/connect-common-event-format-logs-to-azure-sentinel/3-connect-your-external-solution-
use-common-event-format-connector
upvoted 1 times
  prjreddit 6 months, 4 weeks ago

- Server1 change - On each source machine that sends logs to the forwarder in CEF format (SERVER1), you must edit the Syslog configuration file
to remove the facilities that are being used to send CEF messages. This way, the facilities that are sent in CEF won't also be sent in Syslog.
- Server1 change - You must run the following command on those machines (the ones you ran it previously, i.e SERVER1) to disable the
synchronization of the agent with the Syslog configuration in Microsoft Sentinel. This ensures that the configuration change you made in the
previous step does not get overwritten
https://docs.microsoft.com/en-us/azure/sentinel/connect-log-forwarder?tabs=rsyslog#run-the-deployment-script
upvoted 4 times

after reading the note on https://learn.microsoft.com/en-us/azure/sentinel/connect-log-forwarder?tabs=rsyslog#run-the-deployment-script i
think you are correct: Server 1 and Server 1
upvoted 2 times
  CarisB 6 months, 4 weeks ago

Server 1 & Server 1 :
From the note at https://docs.microsoft.com/en-us/azure/sentinel/connect-log-forwarder?tabs=rsyslog#run-the-deployment-script :
Using the same machine to forward both plain Syslog and CEF messages
If you plan to use this log forwarder machine to forward Syslog messages as well as CEF, then in order to avoid the duplication of events to the
Syslog and CommonSecurityLog tables:
**On each source machine that sends logs to the forwarder in CEF format**, you must edit the Syslog configuration file to remove the facilities that
are being used to send CEF messages. This way, the facilities that are sent in CEF won't also be sent in Syslog. See Configure Syslog on Linux agent
for detailed instructions on how to do this.
You must run the following command **on those machines** to disable the synchronization of the agent with the Syslog configuration in Microsoft
Sentinel. This ensures that the configuration change you made in the previous step does not get overwritten.
upvoted 4 times
  youl_cla 8 months ago
Server 2 & Server 2
cf: the purple note on the documentation provided: https://docs.microsoft.com/en-us/azure/sentinel/connect-log-forwarder?tabs=rsyslog
upvoted 1 times

No, the purple state you should disable the source that sends CEF, so Server1 and then SW1
upvoted 1 times
You have an Azure subscription that uses Microsoft Sentinel.

You need to minimize the administrative effort required to respond to the incidents and remediate the security threats detected by Microsoft
Sentinel.
Which two features should you use? Each correct answer presents part of the solution.
A. Microsoft Sentinel bookmarks
B. Azure Automation runbooks
C. Microsoft Sentinel automation rules
D. Microsoft Sentinel playbooks
E. Azure Functions apps
Correct Answer: CD
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook?tabs=LAC

C. Microsoft Sentinel automation rules
D. Microsoft Sentinel playbooks
Microsoft Sentinel's Automation rules can be used to automatically trigger actions or playbooks in response to detected security incidents. This
reduces the need for manual intervention and minimizes administrative effort.
Playbooks in Microsoft Sentinel can be used to automate incident response tasks and remediation steps, such as quarantining an affected machine
or disabling a compromised account. This allows you to quickly and consistently take action on security incidents, further reducing administrative
effort.
upvoted 3 times

Selected Answer: CD
Use playbooks together with automation rules to automate your incident response and remediate security threats detected by Microsoft Sentinel
upvoted 2 times
  coringlax 4 months ago

Correct!
Automation rules help you triage incidents in Microsoft Sentinel. You can use them to automatically assign incidents to the right personnel, close
noisy incidents or known false positives, change their severity, and add tags. They are also the mechanism by which you can run playbooks in
response to incidents.
upvoted 3 times
  PatWafy 4 months ago

réponse : CD
upvoted 1 times
You have a Microsoft Sentinel workspace named workspace1 that contains custom Kusto queries.
You need to create a Python-based Jupyter notebook that will create visuals. The visuals will display the results of the queries and be pinned to a
dashboard. The solution must minimize development effort.
What should you use to create the visuals?
A. plotly
B. TensorFlow
C. msticpy
D. matplotlib
Correct Answer: C
msticpy is a library for InfoSec investigation and hunting in Jupyter Notebooks. It includes functionality to: query log data from multiple
sources. enrich the data with Threat Intelligence, geolocations and Azure resource data. extract Indicators of Activity (IoA) from logs and
unpack encoded data.
MSTICPy reduces the amount of code that customers need to write for Microsoft Sentinel, and provides:
Data query capabilities, against Microsoft Sentinel tables, Microsoft Defender for Endpoint, Splunk, and other data sources.
Threat intelligence lookups with TI providers, such as VirusTotal and AlienVault OTX.
Enrichment functions like geolocation of IP addresses, Indicator of Compromise (IoC) extraction, and WhoIs lookups.
Visualization tools using event timelines, process trees, and geo mapping.
Advanced analyses, such as time series decomposition, anomaly detection, and clustering.
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/notebook-get-started https://msticpy.readthedocs.io/en/latest/

C. msticpy
msticpy is a Python library that can be used to quickly and easily create visuals in Jupyter notebooks for Microsoft Sentinel. It has built-in support
for Kusto queries, making it easy to retrieve and visualize the results of custom queries you've created in your Sentinel workspace. Additionally,
msticpy contains a number of pre-built visualizations and functions that can be easily incorporated into your notebooks, minimizing development
effort. So, it is the best option to create the visuals.
upvoted 1 times

Selected Answer: C
MSTICPy reduces the amount of code that customers need to write for Microsoft Sentinel, and provides:
Data query capabilities, against Microsoft Sentinel tables, Microsoft Defender for Endpoint, Splunk, and other data sources.
Threat intelligence lookups with TI providers, such as VirusTotal and AlienVault OTX.
Enrichment functions like geolocation of IP addresses, Indicator of Compromise (IoC) extraction, and WhoIs lookups.
Visualization tools using event timelines, process trees, and geo mapping.
Advanced analyses, such as time series decomposition, anomaly detection, and clustering.
upvoted 1 times
  Myozymm 5 months, 1 week ago

Correct C
upvoted 1 times
HOTSPOT -
You have a Microsoft Sentinel workspace named sws1.
You need to create a hunting query to identify users that list storage keys of multiple Azure Storage accounts. The solution must exclude users
that list storage keys for a single storage account.
Hot Area:
Correct Answer:
Box 1: AzureActivity -
The AzureActivity table includes data from many services, including Microsoft Sentinel. To filter in only data from Microsoft Sentinel, start your
query with the following code:
Box 2: autocluster()
Example: description: |
'Listing of storage keys is an interesting operation in Azure which might expose additional secrets and PII to callers as well as granting access
to VMs. While there are many benign operations of this type, it would be interesting to see if the account performing this activity or the source
IP address from which it is being done is anomalous.
The query below generates known clusters of ip address per caller, notice that users which only had single operations do not appear in this list
as we cannot learn from it their normal activity (only based on a single event). The activities for listing storage account keys is correlated with
this learned clusters of expected activities and activity which is not expected is returned.'
AzureActivity -
| where OperationNameValue =~ "microsoft.storage/storageaccounts/listkeys/action"
| where ActivityStatusValue == "Succeeded"
| join kind= inner (
AzureActivity -
| where OperationNameValue =~ "microsoft.storage/storageaccounts/listkeys/action"
| where ActivityStatusValue == "Succeeded"
| project ExpectedIpAddress=CallerIpAddress, Caller
| evaluate autocluster()
) on Caller
| where CallerIpAddress != ExpectedIpAddress
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = make_set(ResourceId), ResourceIdCount =
dcount
(ResourceId) by OperationNameValue, Caller, CallerIpAddress
| extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
Reference:
https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/Anomalous_Listing_Of_Storage_Keys.yaml
First one is kind given away within the answer. Then second keyword is evaluate, which is the operator for the autocluster() plugin.
Answer is correct.
upvoted 7 times
  herta Most Recent  3 weeks ago

looks correct based on this
https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Activity/Hunting%20Queries/Anomalous_Listing_Of_Storage_Keys.yaml
upvoted 1 times
DRAG DROP -
You have a Microsoft Sentinel workspace named workspace1 and an Azure virtual machine named VM1.
You receive an alert for suspicious use of PowerShell on VM1.
You need to investigate the incident, identify which event triggered the alert, and identify whether the following actions occurred on VM1 after the
alert:
The modification of local group memberships
✑ The purging of event logs

Which three actions should you perform in sequence in the Azure portal? To answer, move the appropriate actions from the list of actions to the
answer area and arrange them in the correct order.
Select and Place:
Correct Answer:
Step 1: From the Investigation blade, select Insights

The Investigation Insights Workbook is designed to assist in investigations of Azure Sentinel Incidents or individual IP/Account/Host/URL
entities.
Step 2: From the Investigation blade, select the entity that represents VM1.
The Investigation Insights workbook is broken up into 2 main sections, Incident Insights and Entity Insights.
Incident Insights -
The Incident Insights gives the analyst a view of ongoing Sentinel Incidents and allows for quick access to their associated metadata including
alerts and entity information.
Entity Insights -
The Entity Insights allows the analyst to take entity data either from an incident or through manual entry and explore related information about
that entity. This workbook presently provides view of the following entity types:
IP Address -
Account -
Host -
URL -
Step 3: From the details pane of the incident, select Investigate.
Choose a single incident and click View full details or Investigate.
Reference:
https://github.com/Azure/Azure-Sentinel/wiki/Investigation-Insights---Overview https://docs.microsoft.com/en-us/azure/sentinel/investigate-
cases
  suspense Highly Voted  4 months, 1 week ago

1. From the details pane of the incident, select Investigate.
2. From the Investigation blade, select the entity that represents VM1.
3. From the Investigation blade, select Insights
I think it is correct (but not 100% sure )

upvoted 9 times

i tested it and looks like you are correct
upvoted 2 times

I tested as well, suspense is correct.
upvoted 1 times
  Fukacz Most Recent  5 months, 1 week ago

Order is reversed.
First click on ticket, then investigate, then insight and then asset.
Just tested.
upvoted 2 times

Sorry, corrected:
1. ticket/incident
2. investigate
3. Asset
4. Insight
upvoted 7 times
You have a Microsoft Sentinel workspace that contains the following incident.
Brute force attack against Azure Portal analytics rule has been triggered.
You need to identify the geolocation information that corresponds to the incident.
What should you do?
A. From Overview, review the Potential malicious events map.
B. From Incidents, review the details of the IPCustomEntity entity associated with the incident.
C. From Incidents, review the details of the AccountCustomEntity entity associated with the incident.
D. From Investigation, review insights on the incident entity.
Correct Answer: A
Potential malicious events: When traffic is detected from sources that are known to be malicious, Microsoft Sentinel alerts you on the map. If
you see orange, it is inbound traffic: someone is trying to access your organization from a known malicious IP address. If you see Outbound
(red) activity, it means that data from your network is being streamed out of your organization to a known malicious IP address.
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/get-visibility#get-visualization

Selected Answer: B
In the details of an incident, if you click on the IP entity it shows you the information under Geolocation information
upvoted 1 times
  saurabh123sml 3 weeks, 4 days ago

Selected Answer: B
Verified. Answer is B
upvoted 1 times

Selected Answer: A
A. From Overview, review the Potential malicious events map.
The Potential malicious events map in the Overview section of Microsoft Sentinel can display geolocation information for incidents, such as a brute
force attack against an Azure Portal analytics rule. By reviewing this map, you can identify the location from where the attack is originating.
upvoted 1 times
  Ouma 2 months ago

Selected Answer: B
Its B, confirmed
upvoted 2 times

Selected Answer: B
Once an incident is created, you can view more details of the incident by clicking on the View full details button, then navigate to the investigation
page. You can investigate all entities for this alert such as IP addresses, accounts, and so on.
https://charbelnemnom.com/detect-a-brute-force-attack-with-azure-sentinel/
upvoted 1 times
  kiketxu 2 months, 4 weeks ago
Currently, this question is outdated. It can't be in the Overview (A) because the Map was removed from there.
Additionally, the question is asking to identify the geolocation information that corresponds to the incident. So, I opt for B, inside Investigation and
selecting the IP, in entities you can find Geolocation info.
upvoted 2 times
  kiketxu 2 months, 4 weeks ago

Btw, the provided link in the answer seems quite out of date too. That overview map was removed in the "New" Overview version which is in
public preview.
upvoted 1 times

Selected Answer: A
https://docs.microsoft.com/en-us/azure/sentinel/get-visibility#get-visualization
upvoted 1 times

I was wrong. Correct answer is B.
upvoted 1 times

Correct answer is A - once you click on the red or orange circle within the map it forwards you to logs analytics where the query is shown, this has
the malicious IPs, country, confidence and other columns.
upvoted 1 times

You need to identify the geolocation information that corresponds to the incident.
How will you do this from the overview, i think it must be answer B. You go the the incident you click in de IP under Entities in the Details page and
you will see the geolocation information related to the incident.
upvoted 2 times
  fred99 5 months, 1 week ago

I vote for d- From Investigation, review insights on the incident entity.
upvoted 1 times

after second though, A seems the better option even if it does not display the geolocation for one particular incident but for all
upvoted 1 times
You have two Azure subscriptions that use Microsoft Defender for Cloud.
You need to ensure that specific Defender for Cloud security alerts are suppressed at the root management group level. The solution must
What should you do in the Azure portal?
A. Create an Azure Policy assignment.
B. Modify the Workload protections settings in Defender for Cloud.
C. Create an alert rule in Azure Monitor.
D. Modify the alert settings in Defender for Cloud.
Correct Answer: D
You can use alerts suppression rules to suppress false positives or other unwanted security alerts from Defender for Cloud.
Note: To create a rule directly in the Azure portal:
1. From Defender for Cloud's security alerts page:
Select the specific alert you don't want to see anymore, and from the details pane, select Take action.
Or, select the suppression rules link at the top of the page, and from the suppression rules page select Create new suppression rule:
2. In the new suppression rule pane, enter the details of your new rule.
Your rule can dismiss the alert on all resources so you don't get any alerts like this one in the future.
Your rule can dismiss the alert on specific criteria - when it relates to a specific IP address, process name, user account, Azure resource, or
location.
3. Enter details of the rule.
4. Save the rule.
Reference:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/alerts-suppression-rules
  siddique12345 Highly Voted  5 months, 1 week ago

Selected Answer: A
To suppress alerts at the management group level, use Azure Policy
upvoted 10 times

Right and correct
upvoted 1 times

Tricky question, I think A is correct. - creating a suppression rule is not one of the options
upvoted 1 times
  Martiemark Most Recent  1 week, 4 days ago

I could see it being either A or D depending if they are only going to have 2 subscriptions or add more in the future. Should we assume that they
are never adding anymore than the 2 they already have?
upvoted 1 times

Selected Answer: A
A. Create an Azure Policy assignment.
To suppress specific Defender for Cloud security alerts at the root management group level, you can create an Azure Policy assignment. This will
allow you to apply a policy that will suppress the alerts across all subscriptions and management groups in the tenant. Azure Policy allows you to
define and assign policies that govern your resources and enforce compliance. By creating an Azure Policy assignment, you can set up the
suppression of alerts in one place, minimizing administrative effort.
upvoted 1 times

Selected Answer: A
To ensure that specific Defender for Cloud security alerts are suppressed at the root management group level, you should create an Azure Policy
assignment.
upvoted 1 times
  RomanV 3 months, 3 weeks ago
Selected Answer: A
"To suppress alerts at the management group level, use Azure Policy"
https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-suppression-rules#create-a-suppression-rule
upvoted 2 times
  amsioso 5 months ago

https://docs.microsoft.com/en-us/azure/defender-for-cloud/alerts-suppression-rules#create-a-suppression-rule
https://learn.microsoft.com/en-us/azure/governance/policy/overview#assignments
https://www.red-gate.com/simple-talk/cloud/azure/azure-policies-and-management-groups/
Think the answer is correct; D.
Because is the one with minimize administrative effort as you can see here:
https://learn.microsoft.com/en-us/answers/questions/8713/what-is-the-min-iam-role-required-to-create-azure.html
https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions#roles-and-allowed-actions
upvoted 1 times
  extopic01 4 months ago

from your link: https://docs.microsoft.com/en-us/azure/defender-for-cloud/alerts-suppression-rules#create-a-suppression-rule
it says: To suppress alerts at the management group level, use Azure Policy.
answer is A
upvoted 2 times

Selected Answer: D
D is correct. When making a suppression you can select one, multiple or all subscriptions.
upvoted 2 times
You have an Azure subscription that has the enhanced security features in Microsoft Defender for Cloud enabled and contains a user named
User1.
You need to ensure that User1 can export alert data from Defender for Cloud. The solution must use the principle of least privilege.
Which role should you assign to User1?
A. User Access Administrator
B. Owner
C. Contributor
D. Reader
Correct Answer: B

Selected Answer: B
Answer is B. See https://learn.microsoft.com/en-us/azure/defender-for-cloud/continuous-export?tabs=azure-portal#availability
upvoted 1 times

Selected Answer: B
https://docs.microsoft.com/en-us/azure/defender-for-cloud/continuous-export?tabs=azure-portal#manual-one-time-export-of-alerts-and-
recommendations
upvoted 1 times

B
Because Security admin isn't in the answers.
https://learn.microsoft.com/en-us/azure/defender-for-cloud/continuous-export?tabs=azure-portal#availability
upvoted 4 times

correct. OWNER
upvoted 1 times

Selected Answer: B
https://docs.microsoft.com/en-us/azure/defender-for-cloud/continuous-export
upvoted 2 times
  tooaungyan 5 months, 2 weeks ago

should be C since least privilege
upvoted 4 times

owner see https://docs.microsoft.com/en-us/azure/defender-for-cloud/continuous-export?tabs=azure-portal#manual-one-time-export-of-
alerts-and-recommendations
upvoted 1 times
You have an Azure subscription that contains an Azure logic app named app1 and a Microsoft Sentinel workspace that has an Azure Active
Directory (Azure AD) connector.
You need to ensure that app1 launches when Microsoft Sentinel detects an Azure AD-generated alert.
What should you create first?
A. a repository connection
B. a watchlist
C. an analytics rule
D. an automation rule
Correct Answer: D

Selected Answer: D
To ensure that app1 launches when Microsoft Sentinel detects an Azure AD-generated alert, you should create an automation rule first.
upvoted 3 times

Selected Answer: D
D is correct
upvoted 4 times
You have a Microsoft Sentinel workspace.

You need to identify which rules are used to detect advanced multistage attacks that comprise two or more alerts or activities. The solution must
Which rule type should you query?
A. Fusion
B. Microsoft Security
C. ML Behavior Analytics
D. Scheduled
Correct Answer: A

Selected Answer: A
i will go for A
Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks
https://learn.microsoft.com/en-us/azure/sentinel/fusion
upvoted 2 times

Selected Answer: A
Fusion rules in Microsoft Sentinel are rules that are used to detect advanced multistage attacks by combining alerts and activities from different
sources. Fusion rules can be used to identify attacks that may not be detectable by a single alert or activity, making them particularly useful for
detecting complex attacks that involve multiple stages.
upvoted 2 times

Selected Answer: A
https://docs.microsoft.com/en-gb/azure/sentinel/configure-fusion-rules
upvoted 4 times
You have an Azure subscription that uses Microsoft Sentinel and contains 100 Linux virtual machines.
You need to monitor the virtual machines by using Microsoft Sentinel. The solution must meet the following requirements:
✑ Minimize administrative effort.
✑ Minimize the parsing required to read fog data.
What should you configure?
A. a Log Analytics Data Collector API
B. REST API integration
C. a Common Evert Format (CEF) connector
D. a Syslog connector
Correct Answer: D

Selected Answer: C
C. Common Event Format connector.
Minimize the parsing required to read fog data. CEF connector sends Common Event Format data which means easy to read. As for administrative
effort. You only need to configure the CEF server to listen for syslog from all the linux vms and then send the CEF data to Sentinel.
upvoted 9 times
  Fukacz Highly Voted  5 months, 1 week ago

Selected Answer: D
Linux = Syslog, most of the time
upvoted 8 times

Syslog is a widely adopted standard for log data collection, making it a convenient and efficient choice for monitoring Linux virtual machines in
Microsoft Sentinel. Syslog connectors are commonly used to collect log data from Linux systems, and they can be easily configured to integrate
with Microsoft Sentinel, thus minimizing administrative effort. The Syslog format is well-structured, reducing the need for parsing and making it
easier to read the log data.
upvoted 1 times
  Gemeinde Most Recent  6 days, 15 hours ago

Selected Answer: D
as in https://learn.microsoft.com/en-us/azure/sentinel/connect-syslog
Note:
If your appliance supports Common Event Format (CEF) over Syslog, a more complete data set is collected, and the data is parsed at collection.
upvoted 1 times
  palito1980 2 weeks, 3 days ago

Selected Answer: D
Linux =Syslog
upvoted 1 times

Selected Answer: C
C. a Common Event Format (CEF) connector
CEF is a standard format for log data that is used by many security and event management systems, including Microsoft Sentinel. By using a CEF
connector, the log data can be ingested into Sentinel with minimal parsing required, reducing administrative effort. Additionally, CEF is a widely
supported format among security products, so it will minimize administrative effort by not having to configure multiple connectors to different
products.
upvoted 1 times
  TiredofTesting 1 month, 3 weeks ago

Selected Answer: D
For Linux machine, I will have to vote for Syslog. That is the de facto log system used by the OS for decades.
upvoted 1 times

Selected Answer: D
While the Common Event Format (CEF) connector can be used to collect log data from systems and devices, it may not be the best choice for
minimizing administrative effort and the parsing required to read log data in this scenario. CEF is a proprietary log format developed by ArcSight,
and it requires parsing to extract the relevant data from the logs. This can require additional effort and resources, particularly if the logs are large or
complex.
In contrast, the Syslog connector is a widely-used standard for logging system events that is supported by many systems, including Linux systems.
Syslog uses a simple text-based format that is easy to parse and understand, minimizing the effort and resources required to extract the relevant
data from the logs. Therefore, using a Syslog connector may be a better choice for minimizing administrative effort and the parsing required to
read log data in this scenario.
upvoted 2 times
  yaza85 3 months, 2 weeks ago
Selected Answer: C
CEF is a format that uses Syslog but is in a common format so no parsing in Sentinel is needed
upvoted 3 times

While CEF and Syslog are both log formats that can be used to collect log data from systems and devices, they are not interchangeable and
have different characteristics.
upvoted 1 times

https://learn.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-your-linux-machine-or-appliance
"Repeat this step for each VM you wish to connect."
Is there a way to automatize this process for 100 Linux VM???
upvoted 1 times
HOTSPOT -
You have 100 Azure subscriptions that have enhanced security features in Microsoft Defender for Cloud enabled. All the subscriptions are inked to
a single Azure
Active Directory (Azure AD) tenant.
You need to stream the Defender for Cloud logs to a syslog server. The solution must minimize administrative effort.
Hot Area:
Correct Answer:
  fred99 Highly Voted  5 months, 2 weeks ago

1 - Event Hub: https://docs.microsoft.com/en-us/azure/defender-for-cloud/export-to-siem#stream-alerts-with-continuous-export
2 - Azure Policy - https://docs.microsoft.com/en-us/azure/defender-for-cloud/continuous-export?tabs=azure-policy#configure-continuous-export-
at-scale-using-the-supplied-policies
upvoted 13 times
  coringlax 4 months ago

Agreed - Azure Policy name - Deploy export to Event Hub for Microsoft Defender for Cloud data
upvoted 1 times

seems to be the correct answer thanks for the links
upvoted 1 times
  Subhakaran Most Recent  1 week ago

Between Log Analytics Workspace and Event Hubs, using Log Analytics Workspace requires less administrative effort.
With Log Analytics Workspace, you can configure Defender for Cloud to stream logs to the workspace and then set up a Log Analytics action group
to forward the logs to the syslog server. This can be done in the Azure portal, which provides a simple and intuitive interface for setting up log
forwarding.
In comparison, using Event Hubs requires you to set up and configure the Event Hubs Forwarder or an event hub consumer to stream the logs
from the Event Hub to the syslog server. This may require additional setup and configuration, which can increase the administrative effort required
to stream the Defender for Cloud logs to a syslog server.
Therefore, if you want to minimize administrative effort, I would recommend using Log Analytics Workspace to stream the Defender for Cloud logs
to a syslog server.
upvoted 1 times
As the question asks that 'the solution must minimize administrative effort' - configuring 100 subscriptions can't be correct, so the answer is Event
Hub and Azure Policy.
upvoted 1 times

1st Azure Event hub
2nd Azure Policy
Both answers are in this link:

https://learn.microsoft.com/en-us/azure/defender-for-cloud/export-to-siem#stream-alerts-with-continuous-export
To stream alerts into //Syslog servers// ,and other monitoring solutions, connect Defender for Cloud using continuous export and Azure Event
Hubs.
Note:
To stream alerts at the tenant level, use this //Azure policy// and set the scope at the root management group.
upvoted 3 times
  doregos 4 months, 1 week ago

Correct Answer:
Azure Event Hub
Continuous Config
https://learn.microsoft.com/en-us/azure/defender-for-cloud/export-to-siem
upvoted 1 times

CORRECT
Minimize administrative effort...
https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-about
https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-workspace-overview
https://learn.microsoft.com/en-us/azure/defender-for-cloud/continuous-export?tabs=azure-portal
upvoted 1 times
  RafaAbel 5 months, 3 weeks ago

"Export logs to an" answer is wrong.
The question says to export to a Syslog and Syslog is not used by Microsoft Sentinel since is already natively integrated, the answer should be
Event Hub.
https://docs.microsoft.com/en-us/azure/defender-for-cloud/export-to-siem
upvoted 3 times

No, the cuestion says to stream all Defender losgs to a specific server. Sentinel isn't mentioned in the question.
upvoted 1 times
DRAG DROP -
You have an Azure subscription that contains 100 Linux virtual machines.
You need to configure Microsoft Sentinel to collect event logs from the virtual machines.
Select and Place:
Correct Answer:
  RafaAbel Highly Voted  5 months, 2 weeks ago

Last step is wrong.
For Linux, must configure SysLog data connector.
https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog
upvoted 15 times

Echo, Linux = Syslog
upvoted 3 times

Echo
upvoted 1 times
  herta Highly Voted  2 weeks, 6 days ago

based on this https://learn.microsoft.com/en-us/azure/sentinel/connect-syslog
i will go for
add sentinel to a workspace
add a syslog connector
install the log Analytics agent
upvoted 6 times
  AMZ Most Recent  3 months, 3 weeks ago
Not sure about the options - You wouldn't add a syslog connector to the workspace, as it is on by default. - I'm wondering if they want you to
enable the workbook? Defo not security events as that is for Windows hosts. gonna say add workbook for the last step.
upvoted 1 times
You detect a new threat by using a hunting query.
You need to ensure that Microsoft Sentinel automatically detects the threat. The solution must minimize administrative effort.
What should you do?
A. Create an analytics rule.
B. Add the query to a workbook.
C. Create a watchlist.
D. Create a playbook.
Correct Answer: D
  RodrigoLima Highly Voted  4 weeks ago

Selected Answer: A
The fact that I'm paying contributor access to have these easy questions with a wrong answer really triggers me... This being said, the answer is
clearly A.
upvoted 12 times
  Nailik_Ms Most Recent  3 weeks ago

Selected Answer: A
Please somebody fixes the answer.
upvoted 4 times

Selected Answer: A
https://learn.microsoft.com/en-us/azure/sentinel/detect-threats-built-in
upvoted 3 times
You have a query named Query1 as shown in the following exhibit.
You plan to create a custom parser named Parser1.
You need to use Query1 in Parser1.
A. Remove line 5.
B. Remove line 2.
C. In line 3, replace the !contains operator with the !has operator.
D. In line 4, remove the TimeGenerated predicate.
Correct Answer: B
  PhoenixSlasher 6 days, 1 hour ago

Selected Answer: B
B due to Parsing happens at query time, hense Query time parsing meaning we cannot parse a specific time.
upvoted 1 times

Selected Answer: B
i will go for B as well
A parser should not filter by time. The query which uses the parser will apply a time range.
https://learn.microsoft.com/en-us/azure/sentinel/normalization-develop-parsers
upvoted 1 times

Selected Answer: B
In Microsoft Sentinel, parsing and normalizing happen at query time. https://learn.microsoft.com/en-us/azure/sentinel/normalization-parsers-
overview
upvoted 1 times
You need to create a custom report that will visualise sign-in information over time.
A. a hunting query
B. a workbook
C. a notebook
D. a playbook
Correct Answer: B

Selected Answer: B
https://learn.microsoft.com/en-us/azure/sentinel/monitor-your-data
upvoted 1 times

Selected Answer: B
B. a workbook.
A Workbook is a collection of visualizations and data that can be used to analyze and report on data in Azure Sentinel. It can be used to create
custom reports that visualize sign-in information over time.
upvoted 1 times
You receive multiple alerts for failed sign-in attempts to an account.
You identify that the alerts are false positives.
You need to prevent additional failed sign-in alerts from being generated for the account. The solution must meet the following requirements:
• Ensure that failed sign-in alerts are generated for other accounts.
• Minimize administrative effort
What should do?
A. Modify the analytics rule.
B. Create a watchlist.
C. Add an activity template to the entity behavior.
D. Create an automation rule.
Correct Answer: D

Selected Answer: D
https://learn.microsoft.com/en-us/azure/sentinel/false-positives
upvoted 4 times
  MoSea 1 week, 4 days ago

Agreed. In the article it states: "This article describes two methods for avoiding false positives:
Automation rules create exceptions without modifying analytics rules.
Scheduled analytics rules modifications permit more detailed and permanent exceptions."
upvoted 1 times
  AJ2021 4 weeks, 1 day ago

Selected Answer: D
Agree: AUTOMATION RULES are a way to centrally manage automation in Microsoft Sentinel, by allowing you to define and coordinate a small set
of rules that can apply across different scenarios.
upvoted 1 times
HOTSPOT
-
You have a Microsoft 365 E5 subscription that contains two users named User1 and User2.
You have the hunting query shown in the following exhibit.
The users perform the following actions:
• User1 assigns User2 the Global administrator role.

• User1 creates a new user named User3 and assigns the user a Microsoft Teams license.
• User2 creates a new user named User4 and assigns the user the Security reader role.
• User2 creates a new user named User5 and assigns the user the Security operator role.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Correct Answer:

answer is correct
AuditLogs
| where OperationName == "Add user"
// show all newly created users, this part will identify creation of user 3 and user 5
assignment of user 2 by user 1 won't be display because of "project-away user1"

upvoted 1 times

not sure about the inpact of the project-away operator, if it is just view or impact result
https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/projectawayoperator
upvoted 1 times

with operator projet-away the query result wont't show anything for User1
so the answer should be
N,N,Y
upvoted 3 times

I don't think so. In the second statement, the TargetResources.UserPrincipalName is user3, not user1.
https://learn.microsoft.com/en-us/azure/sentinel/get-visibility#new-workbook-examples
You might want to create a query that incorporates data from multiples sources. You can create a query that looks at Azure Active Directory
audit logs for new users that were just created, and then checks your Azure logs to see if the user started making role assignment changes
within 24 hours of creation.
upvoted 1 times
  bryangacusana21 3 weeks, 1 day ago

I agree with this.
upvoted 1 times

Answer is correct.
upvoted 2 times
HOTSPOT
-
You have the following KQL query.
For each of the following statements, select Yes if the statement is true. Otherwise. select No.
Correct Answer:

The account entity is set as the username not the opposite
The username is not set as the account entity it's the opposite
1 should be no
the watchlist can be updated so

https://learn.microsoft.com/en-us/azure/sentinel/watchlists-manage#edit-a-watchlist-item
2 should be No
IPList var refers to the entity type Ip Address yes

https://learn.microsoft.com/en-us/azure/sentinel/entities-reference#entity-types-and-identifiers
3 should be Yes
So my guess
N,N,Y
upvoted 2 times

if i misunderstund the wording of the first sentence as it seems inverted for me
in this case it would be
Y,N,Y
:)
upvoted 5 times

misunderstood
upvoted 1 times
  learnlearnlearn 1 month ago
"The watchlist can not be updated after it is created" should be "No". This here are docs explaining how to edit them
https://learn.microsoft.com/en-us/azure/sentinel/watchlists-manage#edit-a-watchlist-item
upvoted 2 times
  yoton 2 weeks, 1 day ago

Uh.. If the watchlist can not be updated after it is created then the answer is yes.. because it's asking if the statement "The watchlist can not be
updated after is created." Is right or not.
upvoted 1 times

Ignore me. I misunderstood.
upvoted 1 times
HOTSPOT
-
You develop a custom Advanced Security Information Model (ASIM) parser named Parser1 that produces a schema named Schema1.
You need to validate Schema1.
How should you complete the command? To answer, select the appropriate options in the answer area.
Correct Answer:

Answer is correct. https://learn.microsoft.com/en-us/azure/sentinel/watchlists-manage#edit-a-watchlist-item
upvoted 3 times

Wrong copy and paste. This is the correct link: https://learn.microsoft.com/en-us/azure/sentinel/normalization-develop-parsers#validate-the-
output-schema
upvoted 4 times
HOTSPOT
-
You have a Microsoft Sentinel workspace that has User and Entity Behavior Analytics (UEBA) enabled.
You need to identify all the log entries that relate to security-sensitive user actions performed on a server named Server1. The solution must meet
the following requirements:
• Only include security-sensitive actions by users that are NOT members of the IT department.
• Minimize the number of false positives.
Correct Answer:

Answer is: Join kind = inner, IdentityInfo
https://learn.microsoft.com/en-us/azure/sentinel/investigate-with-ueba#embed-identityinfo-data-in-your-analytics-rules-public-preview
upvoted 9 times
  DaraVasu Most Recent  1 week ago

Answer is Join Kind = inner, Identityinfo
Found this in Microsoft documentation

upvoted 2 times
HOTSPOT
-
You need to create a KQL query that will identify successful sign-ins from multiple countries during the last three hours.
Correct Answer:

Correct.
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimAuthentication/imAuthSigninsMultipleCountries.yaml
upvoted 4 times
HOTSPOT
-
You have an Azure subscription.
You plan to implement a Microsoft Sentinel workspace. You anticipate that you will ingest 20 GB of security log data per day.
You need to configure storage for the workspace. The solution must meet the following requirements:
• Minimize costs for daily ingested data.

• Maximize the data retention period without incurring extra costs.
What should you do for each requirement? To answer, select the appropriate options in the answer area.
Correct Answer:

On exam 2-11-2023
upvoted 2 times
  Martiemark 2 weeks, 5 days ago

I got a total cost of 104.40 (20 G) vs 342.52 (100g Commitment) per day. Pay as you go is the better choice.
upvoted 4 times

by default retention is free up to 90 Days.
Retention for Application Insights data types default to 90 days and will get the workspace retention if it is over 90 days
upvoted 1 times
  saurabh123sml 2 weeks, 6 days ago

first should be PAYG
upvoted 2 times
  david124 1 month ago

https://azure.microsoft.com/en-us/pricing/details/microsoft-sentinel/?cdn=disable
PAYG sounds more practical here due to the commitment tier being 100gb which is much more than 20gb.
upvoted 4 times
  david124 1 month ago

For daily ingestion
upvoted 1 times
HOTSPOT
-
You have a Microsoft Sentinel workspace named sws1.
You plan to create an Azure logic app that will raise an incident in an on-premises IT service management system when an incident is generated in
sws1.
You need to configure the Microsoft Sentinel connector credentials for the logic app. The solution must meet the following requirements:
• Minimize administrative effort.

• Use the principle of least privilege.
How should you configure the credentials? To answer, select the appropriate options in the answer area.
Correct Answer:

Answer is correct.
https://learn.microsoft.com/en-us/azure/sentinel/authenticate-playbooks-to-sentinel#authenticate-with-managed-identity
https://learn.microsoft.com/en-us/azure/sentinel/roles#microsoft-sentinel-specific-roles
upvoted 3 times
  PhoenixSlasher 6 days, 2 hours ago

Surely Reader is all that is required if MS Reader can view Incidents (doesn't mention in scenario whether the Logic App will manage the
Incident on Sentinel side, only raise an incident in an ITSM elsewhere when incident is raised in sentinel <> view required only?
upvoted 1 times
You need to prevent a built-in Advanced Security Information Model (ASIM) parser from being updated automatically.
What are two ways to achieve this goal? Each correct answer presents a complete solution.
A. Create a hunting query that references the built-in parser.
B. Build a custom unifying parser and include the built-in parser version.
C. Redeploy the built-in parser and specify a CallerContext parameter of Any and a SourceSpecificParser parameter of Any.
D. Redeploy the built-in parser and specify a CallerContext parameter of Built-in.
E. Create an analytics rule that includes the built-in parser.
Correct Answer: BC

Selected Answer: BC
https://learn.microsoft.com/en-us/azure/sentinel/normalization-manage-parsers
https://learn.microsoft.com/en-us/azure/sentinel/normalization-manage-parsers#prevent-an-automated-update-of-a-built-in-parser
upvoted 3 times
You have a custom Microsoft Sentinel workbook named Workbook1.
You need to add a grid to Workbook1. The solution must ensure that the grid contains a maximum of 100 rows.
What should you do?
A. In the grid query, include the take operator.
B. In the grid query, include the project operator.
C. In the query editor interface, configure Settings.
D. In the query editor interface, select Advanced Editor.
Correct Answer: D
  eddz25 Highly Voted  1 month ago

Selected Answer: A
A. In the grid query, include the take operator.
The take operator allows you to limit the number of rows returned by a query. By including the take operator in the grid query and specifying a
maximum of 100 rows, you can ensure that the grid in Workbook1 contains a maximum of 100 rows.
For example, you could use the following query:

| take 100
upvoted 7 times
  prino 3 weeks, 4 days ago

https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/takeoperator
upvoted 2 times
  interwor Most Recent  3 weeks, 1 day ago

Selected Answer: D
D. "By default, grids only display the first 250 rows of data. This setting can be changed in the query component's advanced settings to display up
to 10,000 rows. Any further items are ignored, and a warning appears."
https://learn.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-limits
upvoted 1 times

They only want 100. You need to limit the rows not go up.
upvoted 1 times
HOTSPOT
-
You have a Microsoft Sentinel workspace named SW1.
You plan to create a custom workbook that will include a time chart.
You need to create a query that will identify the number of security alerts per day for each provider.
Correct Answer:

Correct.
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-workbooks-101-with-sample-workbook/ba-p/1409216
upvoted 5 times
You have a Microsoft Sentinel workspace named Workspace1.
You need to exclude a built-in, source-specific Advanced Security Information Model (ASIM) parser from a built-in unified ASIM parser.
What should you create in Workspace1?
A. an analytic rule
B. a watchlist
C. a workbook
D. a hunting query
Correct Answer: B

On exam 2-11-2023
upvoted 2 times
  palito1980 4 weeks ago

Selected Answer: B
To support excluding built-in source-specific parsers, ASIM uses a watchlist.
https://learn.microsoft.com/en-us/azure/sentinel/normalization-manage-parsers#set-up-your-workspace
upvoted 3 times
  rclayton 4 weeks, 1 day ago

Selected Answer: B
https://learn.microsoft.com/en-us/azure/sentinel/normalization-manage-parsers
upvoted 4 times

Selected Answer: A
A. an analytic rule
An analytic rule allows you to specify the conditions under which data is collected and analyzed. By creating an analytic rule in Workspace1, you
can exclude a built-in, source-specific ASIM parser from a built-in unified ASIM parser by specifying conditions that exclude the data generated by
that parser.
For example, you could create an analytic rule that filters out all events generated by the built-in, source-specific parser you want to exclude, by
using the "where" clause, this way the unified parser will not process the events generated by that source-specific parser.
While the other options (B, C, D) are useful for different purposes, but none of them can be used to exclude a specific parser from a unified parser.
upvoted 1 times
  yoton 3 weeks, 3 days ago

To support excluding built-in source-specific parsers, ASIM uses a watchlist. Deploy the watchlist to your Microsoft Sentinel workspace from the
Microsoft Sentinel GitHub repository.
From one of the above links provided.

upvoted 2 times
You have an Azure subscription that contains a Microsoft Sentinel workspace.
You need to create a playbook that will run automatically in response to a Microsoft Sentinel alert.
A. a hunting query in Microsoft Sentinel
B. an Azure logic app
C. an automation rule in Microsoft Sentinel
D. a trigger in Azure Functions
Correct Answer: C

Selected Answer: B
Creating a logic app before creating the automation rule that triggers said logic app is ... logically the correct answer.
upvoted 1 times
HOTSPOT
-
You have a Microsoft Sentinel workspace named Workspace1.
You configure Workspace1 to collect DNS events and deploy the Advanced Security Information Model (ASIM) unifying parser for the DNS
schema.
You need to query the ASIM DNS schema to list all the DNS events from the last 24 hours that have a response code of ‘NXDOMAIN’ and were
aggregated by the source IP address in 15-minute intervals. The solution must maximize query performance.
Correct Answer:
HOTSPOT
-
Your on-premises network contains 100 servers that run Windows Server.
You need to upload custom logs from the on-premises servers to Microsoft Sentinel.
Correct Answer:
You have an Azure subscription that contains a Microsoft Sentinel workspace. The workspace contains a Microsoft Defender for Cloud data
connector.
You need to customize which details will be included when an alert is created for a specific event.
What should you do?
A. Enable User and Entity Behavior Analytics (UEBA).
B. Create a Data Collection Rule (DCR).
C. Modify the properties of the connector.
D. Create a scheduled query rule.
Correct Answer: A

Select a scheduled query rule and select Edit. Or create a new rule by selecting Create > Scheduled query rule at the top of the screen.
upvoted 1 times
  smosmo 3 days, 1 hour ago

Selected Answer: D
D is correct: https://learn.microsoft.com/en-us/azure/sentinel/customize-alert-details
upvoted 1 times

Selected Answer: D
I would say this is the entities it is referring to which is configurable through analytic rules
upvoted 1 times
You have a Microsoft Sentinel workspace named Workspace1 and 200 custom Advanced Security Information Model (ASIM) parsers based on the
DNS schema.
You need to make the 200 parses available in Workspace1. The solution must minimize administrative effort.
A. Copy the parsers to the Azure Monitor Logs page.
B. Create a JSON file based on the DNS template.
C. Create an XML file based on the DNS template.
D. Create a YAML file based on the DNS template.
Correct Answer: D
  smosmo 3 days, 1 hour ago

Selected Answer: D
D is correct for a large number of parsers: https://learn.microsoft.com/en-us/azure/sentinel/normalization-develop-parsers#deploy-parsers
upvoted 1 times
HOTSPOT
-
A Microsoft Sentinel incident is generated as shown in the following exhibit.
Correct Answer:

Investigate <> Alerts
Comments is only what has been added by a user nothing more.
upvoted 1 times
Topic 4 - Testlet 1
Question #1 Topic 4
Introductory Info
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study -

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study
before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem
statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the
subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.
Overview -
A company named Contoso Ltd. has a main office and five branch offices located throughout North America. The main office is in Seattle. The
branch offices are in Toronto, Miami, Houston, Los Angeles, and Vancouver.
Contoso has a subsidiary named Fabrikam, Ltd. that has offices in New York and San Francisco.
Existing Environment -
End-User Environment -
All users at Contoso use Windows 10 devices. Each user is licensed for Microsoft 365. In addition, iOS devices are distributed to the members of
the sales team at Contoso.
Cloud and Hybrid Infrastructure -

All Contoso applications are deployed to Azure.
You enable Microsoft Cloud App Security.
Contoso and Fabrikam have different Azure Active Directory (Azure AD) tenants. Fabrikam recently purchased an Azure subscription and enabled
Azure Defender for all supported resource types.
Current Problems -
The security team at Contoso receives a large number of cybersecurity alerts. The security team spends too much time identifying which
cybersecurity alerts are legitimate threats, and which are not.
The Contoso sales team uses only iOS devices. The sales team members exchange files with customers by using a variety of third-party tools. In
the past, the sales team experienced phishing attacks on their devices.
The marketing team at Contoso has several Microsoft SharePoint Online sites for collaborating with external vendors. The marketing team has
had several incidents in which vendors uploaded files that contain malware.
The executive team at Contoso suspects a security breach. The executive team requests that you identify which files had more than five activities
during the past
48 hours, including data access, download, or deletion for Microsoft Cloud App Security-protected applications.
Requirements -
Planned Changes -
Contoso plans to integrate the security operations of both companies and manage all security operations centrally.
Technical Requirements -
Contoso identifies the following technical requirements:
Receive alerts if an Azure virtual machine is under brute force attack.

Use Azure Sentinel to reduce organizational risk by rapidly remediating active attacks on the environment.
Implement Azure Sentinel queries that correlate data across the Azure AD tenants of Contoso and Fabrikam.
Develop a procedure to remediate Azure Defender for Key Vault alerts for Fabrikam in case of external attackers and a potential compromise of its
own Azure
AD applications.
Identify all cases of users who failed to sign in to an Azure resource for the first time from a given country. A junior security administrator provides
you with the following incomplete query.
BehaviorAnalytics -
| where ActivityType == "FailedLogOn"
| where ________ == True
Question
The issue for which team can be resolved by using Microsoft Defender for Endpoint?
A. executive
B. sales
C. marketing
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios

Correct - Sales need iOS EndPoint Protection from DfE
upvoted 8 times
  RodrigoLima Most Recent  3 weeks, 4 days ago

Selected Answer: B
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-ios?view=o365-worldwide
upvoted 1 times
  Apocalypse03 1 month, 4 weeks ago

Selected Answer: B
Yes, that is correct. If the sales team at Contoso uses iOS devices and has experienced phishing attacks in the past, Microsoft Defender for Endpoint
could potentially be useful for protecting their devices against these types of threats.
upvoted 1 times

Selected Answer: B
Correct answer B
upvoted 3 times

questions related to this sim:
4.1, 4.2, 7.1, 7.2, 8.1-8.4.
upvoted 1 times
  jackiefrost 1 year, 4 months ago

"security" should be added to the choices to make sure you read the question of Endpoint vs Microsoft Defender for Office 365 as in next Q2
upvoted 2 times
  oberte007 1 year, 7 months ago

True answer!!!
upvoted 3 times
Question #2 Topic 4
Introductory Info
Case study -

Overview -

Current Problems -
during the past
Requirements -
Planned Changes -
own Azure
AD applications.
BehaviorAnalytics -
| where ________ == True
Question
The issue for which team can be resolved by using Microsoft Defender for Office 365?
A. executive
B. marketing
C. security
D. sales
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-for-spo-odb-and-teams?view=o365-worldwide

correct SharePoint is a content of MS office 365
upvoted 12 times
  Apocalypse03 Most Recent  1 month, 4 weeks ago

Selected Answer: B
Correct. If the marketing team at Contoso has experienced incidents in which vendors uploaded files that contain malware to SharePoint Online
sites, Microsoft Defender for Office 365 could potentially be useful for helping to protect against these types of threats.
upvoted 3 times

Selected Answer: B
Answer is correct Marketing it is. Safe Attachments for SharePoint, One Drive, and Microsoft Teams is a feature in Microsoft Defender for Office 365
upvoted 3 times

Correct - Marketing can use DfO to protect SharePoint sites from Malware.
upvoted 4 times
  PJR 1 year, 6 months ago

Correct - https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/mdo-for-spo-odb-and-teams?view=o365-worldwide
upvoted 4 times
Topic 5 - Testlet 2
Question #1 Topic 5
Introductory Info
Case study -

Overview -
Litware Inc. is a renewable energy company.
Litware has offices in Boston and Seattle. Litware also has remote users located across the United States. To access Litware resources, including
cloud resources, the remote users establish a VPN connection to either office.
Identity Environment -
The network contains an Active Directory forest named litware.com that syncs to an Azure Active Directory (Azure AD) tenant named litware.com.
Microsoft 365 Environment -

Litware has a Microsoft 365 E5 subscription linked to the litware.com Azure AD tenant. Microsoft Defender for Endpoint is deployed to all
computers that run
Windows 10. All Microsoft Cloud App Security built-in anomaly detection policies are enabled.
Azure Environment -
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription contains resources in the East US Azure region as
shown in the following table.
Network Environment -
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the virtual networks in the Azure subscription.
On-premises Environment -
The on-premises network contains the computers shown in the following table.
Current problems -
Cloud App Security frequently generates false positive alerts when users connect to both offices simultaneously.
Planned Changes and Requirements
Planned Changes -
Litware plans to implement the following changes:
Create and configure Azure Sentinel in the Azure subscription.
Validate Azure Sentinel functionality by using Azure AD test user accounts.
Business Requirements -
Litware identifies the following business requirements:
The principle of least privilege must be used whenever possible.
Costs must be minimized, as long as all other requirements are met.

Logs collected by Log Analytics must provide a full audit trail of user activities.
All domain controllers must be protected by using Microsoft Defender for Identity.
Azure Information Protection Requirements
All files that have security labels and are stored on the Windows 10 computers must be available from the Azure Information Protection `" Data
discovery dashboard.
Microsoft Defender for Endpoint requirements
All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by using Microsoft Defender for Endpoint.
Microsoft Cloud App Security requirements
Cloud App Security must identify whether a user connection is anomalous based on tenant-level data.
Azure Defender Requirements -

All servers must send logs to the same Log Analytics workspace.
Azure Sentinel Requirements -

Litware must meet the following Azure Sentinel requirements:
Integrate Azure Sentinel and Cloud App Security.
Ensure that a user named admin1 can configure Azure Sentinel playbooks.
Create an Azure Sentinel analytics rule based on a custom query. The rule must automatically initiate the execution of a playbook.
Add notes to events that represent data access from a specific IP address to provide the ability to reference the IP address when navigating
through an investigation graph while hunting.
Create a test rule that generates alerts when inbound access to Microsoft Office 365 by the Azure AD test user accounts is detected. Alerts
generated by the rule must be grouped into individual incidents, with one incident per test user account.
Question
You need to implement the Azure Information Protection requirements.
What should you configure first?
A. Device health and compliance reports settings in Microsoft Defender Security Center
B. scanner clusters in Azure Information Protection from the Azure portal
C. content scan jobs in Azure Information Protection from the Azure portal
D. Advanced features from Settings in Microsoft Defender Security Center
Correct Answer: D
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview

D is correct
upvoted 9 times
  BTAB Highly Voted  1 year, 7 months ago

D is correct.
As stated by the requirements below, this is on a Windows 10 endpoint, which would require Defender, not Azure Portal.
All files that have security labels and are stored on the Windows 10 computers must be available from the Azure Information Protection ‫ג‬€" Data
upvoted 5 times
  BTAB 1 year, 7 months ago

Slight correction - it needs to be configured FIRST in the advanced settings in Defender. The question asks what needs to be done first, and this
data will not be in Azure if it not configured correctly on Defender.
upvoted 3 times
  Epiarmy Most Recent  3 weeks, 2 days ago

Selected Answer: D
D is correct
upvoted 1 times

Selected Answer: D
Correct answer D. The question is outdated because this feature is no longer required."Seamless Endpoint DLP onboarding for Microsoft Defender
for Endpoint customers" and "On March 29, 2021, the current integration between Microsoft Defender for Endpoint and AIP will be deprecated."
ref: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/protecting-sensitive-information-on-devices/ba-p/2143555
The answer is still valid since the question is outdated: "The integration is controlled by an on/off toggle in the Microsoft Defender Security Center
under Settings -> Advanced features:"
upvoted 4 times

questions related to this sim:
5.1-5.3, 6.1, 9.1- 9.6
upvoted 3 times
  Jens128 1 year ago

Guess this question is not up to date anymore, because the integration asked if the answer was D is deprecated:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/threat-protection-integration?view=o365-worldwide#azure-
information-protection
upvoted 2 times
  Efficia 1 year, 3 months ago

Selected Answer: D
Turn on the Azure Information Protection integration so that when a file that contains sensitive information is discovered by Defender for Endpoint
though labels or information types, it is automatically forwarded to Azure Information Protection from the device.
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/information-protection-in-windows-overview?view=o365-
worldwide#data-discovery-and-data-classification
upvoted 5 times

yes correct scanner cluster
upvoted 1 times
  mbn 1 year, 8 months ago

Correct answer is B: create a scanner cluster
https://docs.microsoft.com/en-us/azure/information-protection/deploy-aip-scanner-configure-install?tabs=azure-portal-only#create-a-scanner-
cluster
upvoted 3 times

This is about on-premises document labeling and not M365 IMHO (although stated at the top of the link you provided)
upvoted 3 times

So, I would also go for D.
upvoted 1 times
Question #2 Topic 5
Introductory Info
Case study -

Overview -

computers that run
Azure Environment -
Current problems -
Planned Changes -




Question
You need to modify the anomaly detection policy settings to meet the Cloud App Security requirements and resolve the reported problem.
Which policy should you modify?
A. Activity from suspicious IP addresses
B. Activity from anonymous IP addresses
C. Impossible travel
D. Risky sign-in
Correct Answer: C
Reference:

Agree - C. Users connecting to two geographically separate locations at the same time would trigger the impossible travel alert, however as these
are legitimate then this setting needs to be altered to include both network addresses.
upvoted 17 times
  molariosso 8 months, 1 week ago

makes perfect sense
upvoted 2 times
  Discuss4certi 1 year, 4 months ago

I can follow this reasoning
upvoted 1 times
  Efficia Most Recent  1 year, 3 months ago

Correct.
Requirement: Cloud App Security must identify whether a user connection is anomalous based on tenant-level data.
Resolve the requirement: In the Impossible Travel policy, you can set the sensitivity slider to determine the level of anomalous behavior needed
before an alert is triggered
https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy#tune-anomaly-detection-policies
upvoted 3 times
Question #3 Topic 5
Introductory Info
Case study -

Overview -

computers that run
Azure Environment -
Current problems -
Planned Changes -




Question
DRAG DROP -
You need to configure DC1 to meet the business requirements.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
Select and Place:
Correct Answer:
Step 1: log in to https://portal.atp.azure.com as a global admin
Step 2: Create the instance -

Step 3. Connect the instance to Active Directory
Step 4. Download and install the sensor.
Reference:
https://docs.microsoft.com/en-us/defender-for-identity/install-step1 https://docs.microsoft.com/en-us/defender-for-identity/install-step4
  horseboxIRL Highly Voted  10 months, 2 weeks ago

I took the exam today and it only asked me for 3 actions.
I picked -
1). Create an instance of MSiD
2). Provide domain admin creds
3). install the sensor on DC1
I passed and got 937 points.

upvoted 18 times

Correct answer.
upvoted 11 times
  Lion007 Most Recent  7 months, 3 weeks ago

Correct answer. For those who are confused about the difference between "sensor" and "standalone sensor", the Standalone Sensor is installed on
a dedicated server and requires port mirroring to be configured on the domain controller to receive network traffic. Ref:
https://docs.microsoft.com/en-us/defender-for-identity/prerequisites
upvoted 2 times

Written Answer is Correct but Image is wrong.
upvoted 1 times

First you need to create the instance.. then provide the gmsa or on-prem admin account.
Then install the sensor..
upvoted 1 times
  pietje1448 11 months, 3 weeks ago

In the exam only three actions can be selected.
upvoted 4 times
Topic 6 - Testlet 3
Question #1 Topic 6
Introductory Info
Case study -

Overview -

computers that run
Azure Environment -
Current problems -
Planned Changes -



Question
HOTSPOT -
You need to implement Azure Defender to meet the Azure Defender requirements and the business requirements.
Hot Area:
Correct Answer:
  ReffG Highly Voted  1 year, 5 months ago

The provided answer is correct. For reference: https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events?tabs=LAA
upvoted 15 times

Better reference: https://docs.microsoft.com/en-us/azure/sentinel/windows-security-event-id-reference
upvoted 4 times

LA1 - as the requirements state that all logs need to be gathered in one workspace. And this one already existed.
Common is also correct. following the link referenced by ReffG it is stated for common logs: 'A standard set of events for auditing purposes. A full
user audit trail is included in this set.'
upvoted 15 times
  Xyz_40 Most Recent  4 months, 2 weeks ago

correct!
LA1
Common
(Logs collected by Log Analytics must provide a full audit trail of user activities.) And only Common events contains audit trail logs or information
upvoted 1 times
Topic 7 - Testlet 4
Question #1 Topic 7
Introductory Info
Case study -

Overview -

Current Problems -
during the past
Requirements -
Planned Changes -

Develop a procedure to remediate Azure Defender for Key Vault alerts for Contoso in case of external and internal threats. The solution must
minimize the impact on legitimate attempts to access the key vault content.
BehaviorAnalytics -
| where ________ == True
Question
HOTSPOT -
You need to recommend remediation actions for the Azure Defender alerts for Fabrikam.
What should you recommend for each threat? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/key-vault/general/security-features https://docs.microsoft.com/en-us/azure/key-
vault/general/secure-your-key-vault
  swgu Highly Voted  1 year ago

The answer is correct. If the key vault is there, there would be a policy too. We need to modify that policy. For external threats, we just need to
update the "Network" section in the Key Vault configuration. So you don't have to go to NSG or Azure firewall for this.
upvoted 7 times

I agree with the explanation from swgu, correct answers.
upvoted 3 times
  anonymous12356781 Highly Voted  1 year, 3 months ago

Can anybody here confirm if the question/answer is correct? The question says "You need to recommend remediation actions for the Azure
Defender alerts for Fabrikam.", but the Technical Requirements says "Develop a procedure to remediate Azure Defender for Key Vault alerts for
Contoso in case of external and internal threats. "

upvoted 6 times

I'm not sure if anyone has gotten this far specially for those with no contributor role.
upvoted 2 times

Under Planned Changes: "Contoso plans to integrate the security operations of both companies and manage all security operations
centrally." So the same procedures and recommend remediation actions for Contoso should be also considered for Fabrikam. It is a tricky
question, but hey it is a scenario based question and all context should be considered.
upvoted 3 times
  bull_monk 1 year, 2 months ago

I've got the same question
upvoted 1 times
  Remilia Most Recent  1 year, 2 months ago

For this question the Internal Threat the options are the following from other sources:
- Add resource locks to the key vault

- Modify the access policy settings for the key vault
- Modify the RBAC (Role Based Access Control) settings for the key vault
the last one is the correct answer

upvoted 6 times
Question #2 Topic 7
Introductory Info
Case study -

Overview -

Current Problems -
during the past
Requirements -
Planned Changes -
Develop a procedure to remediate Azure Defender for Key Vault alerts for Contoso in case of external and internal threats. The solution must
minimize the impact on legitimate attempts to access the key vault content.
BehaviorAnalytics -
| where ________ == True
Question
You need to recommend a solution to meet the technical requirements for the Azure virtual machines.
What should you include in the recommendation?
A. just-in-time (JIT) access
B. Azure Defender
C. Azure Firewall
D. Azure Application Gateway
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/security-center/azure-defender

Correct - Azure Defender
upvoted 14 times

Selected Answer: B
To meet the technical requirement of receiving alerts if an Azure virtual machine is under brute force attack, you could recommend including Azure
Defender in the solution.
upvoted 2 times

Correct answer. I first went to just-in-time, but this is for hardening the network against brute force, while Defender for Cloud (Azure Defender) is
to harden the virual machine itself against brute force attacks. "^Defender for Cloud^ helps you limit exposure to ^brute force attacks^. By
reducing access to virtual machine ports, using the just-in-time VM access, you can ^harden your network^ by preventing unnecessary access."
Ref: https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction#defend-your-azure-native-resources
upvoted 2 times
  arthrax 11 months, 1 week ago

Selected Answer: B
"Defender for Cloud helps you limit exposure to brute force attacks."
upvoted 4 times
  Hacker00 1 year, 1 month ago

B. Azure Defender
Correct answer
upvoted 3 times
Topic 8 - Testlet 5
Question #1 Topic 8
Introductory Info
Case study -

Overview -

Current Problems -
during the past
Requirements -
Planned Changes -

own Azure
AD applications.
BehaviorAnalytics -
| where ________ == True
Question
You need to complete the query for failed sign-ins to meet the technical requirements.
Where can you find the column name to complete the where clause?
A. Security alerts in Azure Security Center
B. Activity log in Azure
C. Azure Advisor
D. the query windows of the Log Analytics workspace
Correct Answer: D

Selected Answer: D
D is correct. By increasing the time window, we would know if the failed sign ins are common or suspecious.
The corrected code would be something like:
BehaviorAnalytics
| extend ActivityInsightsArray=parse_json(ActivityInsights)
| extend UnusualFailedSignIns = tostring(parse_json(ActivityInsightsArray).UnusualNumberOfFailedSignInOfThisUser)
| where UnusualFailedSignIns == True
| summarize count() by SourceIPLocation, UserName
| order by count_ desc
upvoted 9 times

I agree, D. For this case scenario and as per requirement, Identify all cases of users who failed to sign in to an Azure resource for the first time
from a given country.
You may want to update the enrichment with "FirstTimeUserConnectedFromCountry". :)

https://learn.microsoft.com/en-us/azure/sentinel/ueba-reference#country-connected-from
upvoted 2 times
  Hacker00 Highly Voted  1 year, 2 months ago

D-Correct answer
upvoted 7 times
  Muffen Most Recent  11 months, 1 week ago

Selected Answer: D
Correct - The query window will provide IntelliSense to help figure out what the column is as you type. You can also just do a broad search for all
failed logins and see which columns are returned in the output.
Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-tutorial#write-a-query
upvoted 4 times
Question #2 Topic 8
Introductory Info
Case study -

Overview -

Current Problems -
during the past
Requirements -
Planned Changes -
own Azure
AD applications.
BehaviorAnalytics -
| where ________ == True
Question
You need to remediate active attacks to meet the technical requirements.
What should you include in the solution?
A. Azure Automation runbooks
B. Azure Logic Apps
C. Azure Functions
D. Azure Sentinel livestreams
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/automate-responses-with-playbooks

Correct. Logic Apss = Playbooks which provide automated workflows to run based on triggers.
upvoted 10 times
  AlaReAla Highly Voted  1 year, 4 months ago

"Playbooks in Azure Sentinel are based on workflows built in Azure Logic Apps, a cloud service that helps you schedule, automate, and orchestrate
tasks and workflows across systems throughout the enterprise. This means that playbooks can take advantage of all the power and customizability
of Logic Apps' built-in templates."
upvoted 6 times

Selected Answer: B
Correct. Logic apps will help automate remediations via Playbooks. The ketword in the question is "rapidly remediating active attacks".
upvoted 1 times
  Fllinstone 1 year, 3 months ago

"Active Attack" makes me feel like it's D.
upvoted 5 times
  Lafsa 2 months ago

I thought the same :D
upvoted 1 times
  Jens128 1 year ago

I felt the same, but livestreams are for "test new queries, get notified when events occurs and launch investigation" - so no imidiate action
included
upvoted 5 times
Question #3 Topic 8
Introductory Info
Case study -

Overview -

Current Problems -
during the past
Requirements -
Planned Changes -
own Azure
AD applications.
BehaviorAnalytics -
| where ________ == True
Question
HOTSPOT -
You need to create an advanced hunting query to investigate the executive team issue.
Hot Area:
Correct Answer:
  Beitran Highly Voted  1 year, 9 months ago

CloudAppEvents doesn't have the FolderPath column, so it's probably DeviceFileEvents: https://docs.microsoft.com/en-us/microsoft-
365/security/defender/advanced-hunting-devicefileevents-table?view=o365-worldwide
upvoted 16 times

Read it bro https://techcommunity.microsoft.com/t5/microsoft-365-defender/hunt-across-cloud-app-activities-with-microsoft-365-
defender/ba-p/1893857
CloudAppEvents replaced AppFileEvents so everything AppFireEvents had is included in CloudAppEvents

upvoted 16 times

Not everything. You can see in their examples within your posted url where the changes are for one of their queries.
The appfileevents had the folderpath column but the updated cloudappevents query did not have the folderpath column as it is not part of
cloudappevents.
upvoted 1 times

I too will go with @Teehex. Quoting the text from shared URL for your ease:
"The AppFileEvents table, which contains file activities from these applications, will stop getting populated with new data in early 2021.
Activities involving these applications, including file activities, will be recorded in the new CloudAppEvents table"
upvoted 6 times
  fr54fr Highly Voted  1 year, 8 months ago
users hunting through file-related activities in cloud services should use the CloudAppEvents table instead [Column name: ActivityObjects - List of
objects, such as files or folders, that were involved in the recorded activity]
https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-cloudappevents-table?view=o365-worldwide
upvoted 13 times
  madhatter 1 year, 7 months ago

Its easy to get confused with File properties but this question asks for "data access, download, or deletion for Microsoft Cloud App Security-
protected applications"
Provided answer most likely correct "CloudAppEvents"

upvoted 5 times

Answers are correct:
CloudAppEvents
| where timeStamp > ago(2d)
| where ActionType in ("Data Access", "Data Download", "Data Deletion")
| summarize activityCount = count() by FolderPath, FileName, ActionType, AccountDisplayName
| where activityCount > 5
upvoted 3 times
  Apocalypse03 1 month, 4 weeks ago

This query will filter the CloudAppEvents data by time (using the ago function to only include events from the past 48 hours), action type (using
the in operator to include only data access, data download, or data deletion actions), and count the number of activities per file (using the
summarize operator and the count() function). Finally, it will filter the results to only include files with more than five activities (using the where
clause and the activityCount column).
upvoted 2 times

DeviceFileEvents
Timestamp
FileName
FolderPath
Count()
https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicefileevents-table?view=o365-worldwide
CloudAppEvents does not have FileName and FolderPath

upvoted 1 times
  Davanitz 3 months ago

These should be the right query since FolderPath and FileName don't exist in CloudAppEvents.
CloudAppEvents
| where Timestamp > ago(2d)
| summarize activityCount = count() by ObjectName, ActionType, AccountDisplayName
| where activityCount > 5
upvoted 1 times
  hanyahmed 5 months, 3 weeks ago

It is correct answer.
first answer :
CloudAppEvents --> Yes
Events involving accounts and objects in Office 365 and other cloud apps and services
DeviceFileEvents --> No because it doesn't have involving accounts.
File creation, modification, and other file system events
From <https://docs.microsoft.com/en-us/learn/modules/query-logs-azure-sentinel/5-understand-microsoft-365-defender-tables>
Second answer : count
upvoted 2 times

Nevermind my last comment
upvoted 1 times

So it says 'where timestamp > ago (2d)' and we're looking for events in the last 48h ? Doesn't look right does it? Shouldn't it be 'where timestamp
< ago (2d)?
upvoted 1 times

Answer is correct : CloudAppEvents and count
"The AppFileEvents table, which contains file activities from these applications, will stop getting populated with new data in early 2021. Activities
involving these applications, including file activities, will be recorded in the new CloudAppEvents table."
upvoted 3 times
  Contactfornitish 11 months, 4 weeks ago
Cloud app events + Count
upvoted 4 times

In modern environment none of this answers are correct.
upvoted 2 times

DeviceProcessEvents and DeficeFileEvents doesn't have AccountDisplayName column
CloudAppEvents doesn't have FolderPath and Filename column.
upvoted 2 times

Cloud app events and Count are correct answers.
upvoted 4 times

Thank you Eltooth!
upvoted 1 times

Since they are looking for file events, it should not be process rather devicefileevents, then count
upvoted 1 times
  jaykrist 1 year, 8 months ago

Since we are tracking for file activities, the best answers in my opinion is DeviceFileEvents.
upvoted 4 times
  _adem 1 year, 9 months ago

Only DeviceProcessEvents table has all the specified columns the summarize activityCount. So the answer should be DeviceProcessEvents
upvoted 1 times
Question #4 Topic 8
Introductory Info
Case study -

Overview -

Current Problems -
during the past
Requirements -
Planned Changes -
own Azure
AD applications.
BehaviorAnalytics -
| where ________ == True
Question
HOTSPOT -
You need to implement Azure Sentinel queries for Contoso and Fabrikam to meet the technical requirements.
Hot Area:
Correct Answer:
Reference:

Correct answer - - 1 workspace (every sentinel requires a workspace)
upvoted 11 times
  yoton Most Recent  5 months, 1 week ago

You will use the workspace ID and the union operator to extend queries across workspaces.
upvoted 3 times

Correct answer
upvoted 2 times
  rdy4u 9 months, 4 weeks ago

https://docs.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants#cross-workspace-workbooks
1, workspace to colocate
upvoted 1 times
Topic 9 - Testlet 6
Question #1 Topic 9
Introductory Info
Case study -

Overview -

computers that run
Azure Environment -
Current problems -
Planned Changes -


Question
You need to restrict cloud apps running on CLIENT1 to meet the Microsoft Defender for Endpoint requirements.
Which two configurations should you modify? Each correct answer present part of the solution.
A. the Onboarding settings from Device management in Microsoft Defender Security Center
B. Cloud App Security anomaly detection policies
C. Advanced features from Settings in Microsoft Defender Security Center
D. the Cloud Discovery settings in Cloud App Security
Correct Answer: CD
Reference:
https://docs.microsoft.com/en-us/cloud-app-security/mde-govern

Selected Answer: CD
Correct answers. As Harold_Finch explained, unsactioned apps will be blocked using Defender for Cloud Apps (MCAS). You can also add
URLs/Domains to block directly from Defender - Settings - Endpoints - Indicators - URLs/Domains tab - Add items --> to add cloud apps to block.
upvoted 7 times
  Dris2021 Most Recent  8 months, 2 weeks ago

Answer B & D
upvoted 1 times
Nope - the given answers are correct. Check the provided link. It's a two part process:
- Block unsanctioned apps via Cloud Discovery in MCAS
- Enable advanced 'Custom network indicators' within Microsoft 365 Defender

upvoted 10 times
Question #2 Topic 9
Introductory Info
Case study -

Overview -

computers that run
Azure Environment -
Current problems -
Planned Changes -



Question
DRAG DROP -
You need to add notes to the events to meet the Azure Sentinel requirements.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of action to the answer area and
Select and Place:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/bookmarks

Correct answer. The provided link explains it in the answer nicely https://docs.microsoft.com/en-us/azure/sentinel/bookmarks
upvoted 3 times
  heathsem 8 months, 2 weeks ago

Correct
upvoted 1 times
Question #3 Topic 9
Introductory Info
Case study -

Overview -

computers that run
Azure Environment -
Current problems -
Planned Changes -



Question
HOTSPOT -
You need to configure the Azure Sentinel integration to meet the Azure Sentinel requirements.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/cloud-app-security/siem-sentinel

Correct answer.
To connect Defender for Cloud Apps (MCAS) to Microsoft Sentinel:

1- from Defender for Cloud Apps --> Security extensions --> Add SIEM agents tab --> then click "Add SIEM agent" and select Mircosoft Sentinel
2- From Sentinel --> Data connectors --> Select "Microsoft Defender for Cloud Apps" --> and make sure it is connectted.
Ref:
https://docs.microsoft.com/en-us/defender-cloud-apps/siem-sentinel
https://docs.microsoft.com/en-us/azure/sentinel/data-connectors-reference#microsoft-defender-for-cloud-apps
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/microsoft-cloud-app-security-mcas-activity-log-in-azure-sentinel/ba-p/1849806
upvoted 11 times
Question #4 Topic 9
Introductory Info
Case study -

Overview -

computers that run
Azure Environment -
Current problems -
Planned Changes -



Question
You need to assign a role-based access control (RBAC) role to admin1 to meet the Azure Sentinel requirements and the business requirements.
Which role should you assign?
A. Automation Operator
B. Automation Runbook Operator
C. Azure Sentinel Contributor
D. Azure Sentinel Responder
Correct Answer: C
Litware must meet the following requirements:
✑ Ensure that a user named admin1 can configure Azure Sentinel playbooks.
✑ The principle of least privilege must be used whenever possible.
Azure Sentinel Contributor can view data, incidents, workbooks, and other Azure Sentinel resources, manage incidents (assign, dismiss, etc.),
create and edit workbooks, analytics rules, and other Azure Sentinel resources.
Reference:
  Damian367 Highly Voted  10 months ago

No correct Answer - https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#microsoft-sentinel-automation-contributor
upvoted 5 times
  Metasploit Most Recent  3 months, 3 weeks ago

Selected Answer: C
Vote C Azure Sentinel Contributor, because it is at least 50% there whereas the rest are not even close.
The below link describes that if you were to give someone Azure Sentinel Contributor(50%) and Logic App Contributor(Other 50%) they can create
and run playbooks.
https://learn.microsoft.com/en-us/azure/sentinel/roles#microsoft-sentinel-roles-permissions-and-allowed-actions
upvoted 2 times
Selected Answer: C
Azure Sentinel Contributor is the only provided correct role. If "Log Analytics Contributor" or "Microsoft Sentinel Automation Contributor" they
would be better suited to meet the business requirement for least privilege.
Contributor: "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure
Blueprints, or share image galleries." Ref https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#contributor
upvoted 3 times

Correction: "Logic App Contributor" instead of "Log Analytics Contributor"
upvoted 1 times
  king001 9 months, 3 weeks ago

Requirement is "configure Azure Sentinel playbooks" not just assign to automation rule. So, answer C is correct
upvoted 1 times
Question #5 Topic 9
Introductory Info
Case study -

Overview -

computers that run
Azure Environment -
Current problems -
Planned Changes -



Question
Which rule setting should you configure to meet the Azure Sentinel requirements?
A. From Set rule logic, turn off suppression.
B. From Analytics rule details, configure the tactics.
C. From Set rule logic, map the entities.
D. From Analytics rule details, configure the severity.
Correct Answer: C
Reference:

Selected Answer: C
Correct answer. Check any analytics rules, after you map the entities under the "Set rule logic" tab, then you can enable the "Alert grouping" under
"Incident settings" by selecting "Enabled", then select "Grouping alerts into a single incident if the selected entity types and details match:" and
select the entities from the drop down menu.
If you don't map entities, you can't group alerts under "Incident settings" becuase the drop down menu will show "no available items".
upvoted 6 times
  Silent_Muzinde Most Recent  1 year, 7 months ago

From Logic rule, Map entities
https://docs.microsoft.com/en-us/azure/sentinel/map-data-fields-to-entities#how-to-map-entities
upvoted 4 times
  Prianishnikov 1 year, 8 months ago

It is a correct answer?
upvoted 3 times
  MaartenC 1 year, 8 months ago

the answer is the best possible out of the four yes. without entities, you cannot group alerts as required.
upvoted 4 times
Question #6 Topic 9
Introductory Info
Case study -

Overview -

computers that run
Azure Environment -
Current problems -
Planned Changes -



Question
HOTSPOT -
You need to create the analytics rule to meet the Azure Sentinel requirements.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-detect-threats-custom#set-automated-responses-and-create-the-rule
  jaykrist Highly Voted  1 year, 8 months ago

Correct answers.
upvoted 8 times
  yoton Highly Voted  5 months, 1 week ago

Fusion rules are pre-built and cannot be custom.
None of the playbook options can be used except trigger so it must be trigger.
upvoted 5 times

Correct answer.
upvoted 3 times

SC-200 Exam - Free Actual Q&As, Page 1 - ExamTopics PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

SC-200 Exam - Free Actual Q&As, Page 1 - ExamTopics PDF

Uploaded by

Copyright:

Available Formats

2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics

- Expert Verified, Online, Free.

 Custom View Settings

Topic 1 - Question Set 1

  DigitalNomad Highly Voted  1 year, 4 months ago

This is the correct answer , I tested it .

  Xyz_40 5 months, 2 weeks ago

  stromnessian 1 year, 1 month ago

  pedromonteirozikado 1 year ago

  Startkabels 1 year, 4 months ago

  ReffG Highly Voted  1 year, 5 months ago

  altecer Most Recent  1 week, 1 day ago

  AJ2021 1 week, 5 days ago

  gyaansastra 1 month, 2 weeks ago

  Apocalypse03 2 months ago

| where DeviceName in ("CFOLaptop", "CEOLaptop", "COOLaptop") and

|s summarize LogonFailures=count () by DeviceName, LogonType

Here is a brief explanation of how this query works:

  EricChu 1 month, 3 weeks ago

  BhanuD 3 months ago

  arunrider 4 months, 1 week ago

  Pandaguo 10 months, 2 weeks ago

  oreoale 10 months, 4 weeks ago

  chaska 11 months ago

  Badr_j 11 months, 1 week ago

  pedromonteirozikado 1 year ago

  pedromonteirozikado 1 year ago

  stromnessian 1 year, 1 month ago

  Daigo 1 year, 3 months ago

What is the correct answer?

  AlaReAla 1 year, 4 months ago

B. Activity from anonymous IP addresses

C. Activity from infrequent country

Community vote distribution

  TheMCT Highly Voted  1 year, 10 months ago

  Startkabels 1 year, 4 months ago

  prabhjot 1 year, 1 month ago

  teehex Highly Voted  1 year, 9 months ago

  teehex 1 year, 9 months ago

  dandirindan 9 months, 2 weeks ago

  altecer Most Recent  1 week, 1 day ago

  CarlosE 1 week, 6 days ago

  emmanuelodenyire 2 weeks, 4 days ago

  simonseztech 6 months ago

  Pandaguo 10 months, 2 weeks ago

  Tx4free 11 months, 3 weeks ago

  ubt 1 year ago

  Minghon 1 year, 1 month ago

  airairo 1 year, 6 months ago

You are configuring Microsoft Cloud App Security.

  airairo 1 year, 7 months ago

  amsioso 4 months, 2 weeks ago

  ReffG 1 year, 5 months ago

  Justy 1 year, 6 months ago

  AYap 1 year, 6 months ago

  ANDRESCB1988 1 year, 7 months ago

  Domza 1 year, 8 months ago

  CAINBJJ 1 year, 8 months ago

  Task 1 year, 8 months ago

B. a hunting query in Microsoft 365 Defender

C. Azure Information Protection

D. RegEx pattern matching

Community vote distribution

2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics