Microsoft Sentinel Quiz

71 Questions

What should you use to visualize Microsoft Sentinel data and enrich it by using third-party data sources to identify indicators of compromise (IoC)?

Notebooks in Microsoft Sentinel

From the Microsoft Defender for Endpoint portal, what should you do first to investigate a Defender for Endpoint agent alert on a macOS device?

From Devices, click Collect investigation package for the device

What should you do to ensure that a third-party Security Information and Event Management (SIEM) solution can generate alerts for Azure Active Directory sign-in events in near real time?

Configure the Diagnostics settings in Azure AD to stream to an event hub

What should you do in the Azure portal to ensure that specific Defender for Cloud security alerts are suppressed at the root management group level with minimal administrative effort?

Modify the alert settings in Defender for Cloud

What should you create first to ensure that an Azure logic app launches when Microsoft Sentinel detects an Azure AD-generated alert?

an automation rule

What should you configure to monitor 100 Linux virtual machines in an Azure Sentinel workspace with minimal administrative effort and minimized parsing required?

a Common Event Format (CEF) connector

To ensure that Microsoft Sentinel automatically detects a new threat detected by a hunting query with minimal administrative effort, what should you do?

Create an analytics rule

How can you prevent additional failed sign-in alerts from being generated for an account while ensuring that alerts are generated for other accounts and minimizing administrative effort?

Modify the analytics rule

What should you do to ensure that a grid in a Microsoft Sentinel workbook contains a maximum of 100 rows?

In the grid query, include the take operator
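The two questions above share one query skeleton, so here is a single worked example, added here and not part of the quiz: a failed-sign-in query over Microsoft Entra SigninLogs. The per-account exclusion is what "modify the analytics rule" means in practice, and the trailing take caps the row count when the same query backs a workbook grid. The table is the standard SigninLogs connector table; the excluded account name is a made-up placeholder.

```kql
// Added example: failed sign-ins per account, excluding one known-noisy account.
// Assumptions: SigninLogs is connected; "svc-scanner@contoso.com" is a made-up
// account used only to show the exclusion. ResultType "0" means success.
let ExcludedAccounts = dynamic(["svc-scanner@contoso.com"]);
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType != "0"                      // any non-zero ResultType is a failure
| where UserPrincipalName !in~ (ExcludedAccounts)
| summarize FailedCount  = count(),
            DistinctIPs  = dcount(IPAddress),
            FirstFailure = min(TimeGenerated),
            LastFailure  = max(TimeGenerated)
    by UserPrincipalName
| where FailedCount >= 10                      // threshold for the analytics rule
| sort by FailedCount desc
| take 100                                     // caps the workbook grid at 100 rows
```

Used as a scheduled analytics rule, drop the take and let the rule's own threshold and frequency drive alerting. If the exclusion list changes often, keeping it in a watchlist and reading it with _GetWatchlist() avoids editing the rule each time, at the cost of one more object to manage.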

What should you do first to make 200 custom Advanced Security Information Model (ASIM) parsers based on the DNS schema available in a Microsoft Sentinel workspace with minimal administrative effort?

Create a YAML file based on the DNS template

Which page in the Azure portal should you use to view all the incidents from 50 Microsoft Sentinel workspaces on a single page with minimal administrative effort?

Microsoft Sentinel - Incidents

To ensure that a Microsoft Defender XDR custom deception rule is applied to only 10 specific devices in a Microsoft 365 subscription using Microsoft Defender for Endpoint Plan 2 with 500 Windows devices, what should you do first?

Add custom lures to the rule

Which entity can be labeled as an indicator of compromise (IoC) directly from an incident's page associated with Host, IP address, User account, and Malware name?

IP address

What should you do first to reduce the potential of Key Vault secrets being leaked from multiple suspicious IP addresses, while minimizing the impact on legitimate users?

Enable the Key Vault firewall

What should you do to view recommendations to resolve a security alert in Azure Security Center?

From Security alerts, select Take Action, and then expand the Mitigate the threat section

What should you do to view the alerts generated by virtual machines in Security Center during the last five days?

Change the state of the suppression rule to Disabled

What should you do first to monitor Linux virtual machines on Amazon Web Services using Azure Defender?

Enable Azure Arc and onboard the virtual machines to Azure Arc

What should you install first on 10 virtual machines used for testing to protect them using Microsoft Defender for Cloud?

The Azure Connected Machine agent

What should you first install on a virtual machine running Windows Server 2022 in AWS to enable log collection and vulnerability resolution using Defender for Cloud?

The Azure Arc agent

How can you identify which blobs were deleted after an alert of high volume delete operations on blobs in a storage account in Microsoft Defender for Cloud?

Review the Azure Storage Analytics logs

What should you do first to simulate an attack that will generate an alert on a virtual machine running Windows 10 with the Log Analytics agent installed?

Copy an executable and rename the file as ASC_AlertTest_662jfi039N.exe

Which role should you assign to a user to modify security policies in Microsoft Defender for Cloud using the principle of least privilege?

Security Admin

What should you use to identify if the identity of a user with an Azure Active Directory Premium Plan 2 license was compromised within the last 90 days in Microsoft Defender for Cloud?

The risk detections report

What should you do first to use an existing logic app as a playbook in Azure Sentinel after deploying Azure Sentinel?

Modify the trigger in the logic app

What should you do to ensure that a default Fusion rule in Azure Sentinel generates alerts?

Add data connectors

What should you use to create an automated threat response in Azure Sentinel?

A playbook

What should you use to create a custom report for visualizing sign-in information over time in Microsoft Sentinel?

A workbook

What should you create in a Microsoft Sentinel workspace to exclude a built-in, source-specific Advanced Security Information Model (ASIM) parser from a built-in unified ASIM parser?

A watchlist

Which entities can be investigated using User and Entity Behavior Analytics (UEBA) in Azure AD based on the given entities detected?

App name, computer name, IP address, email address, and used client app only

What should you use to configure the collection of Windows Security event logs for ingestion to a Microsoft Sentinel workspace to capture a user audit trail and minimize event volume?

Unified Data Collector connector

Which event set should you select to minimize administrative effort?

Common

What should you do first to enrich Cloud Discovery data with user principal names?

Create a Microsoft 365 app connector.

What should you do first to identify unmanaged on-premises devices in Microsoft Defender 365?

Set Discovery mode to Basic.

What should you install first on Server1 to collect logs and resolve vulnerabilities using Defender for Cloud?

the Azure Connected Machine agent

What should you do first to assign the PCI DSS 4.0 initiative to an Azure subscription using Defender for Cloud?

Enable the Cloud Security Posture Management (CSPM) plan for the subscription.

What should you configure in the Safe Attachments policies to reduce the amount of time it takes to deliver messages that contain attachments without compromising security?

Dynamic Delivery

To what should you set the detection frequency for the Microsoft Defender XDR custom detection rule?

Every 24 hours

What should you do first from the live response session to run a digitally signed PowerShell script?

Upload Script1.ps1 to the library.

What should you use to identify whether zero-hour auto purge (ZAP) moved an email message from the mailbox of a user?

the Threat Protection Status report in Microsoft Defender for Office 365

What should you use to identify all the changes made to Domain Admins group during the past 30 days?

the Modifications of sensitive groups report in Microsoft Defender for Identity

What should you do in the Microsoft 365 Defender portal to add threat indicators for all the IP addresses in a range of 171.23.34.32-171.23.34.63 with minimal administrative effort?

Create an import file that contains the individual IP addresses in the range. Select Import and import the file.

What should you enable first in the Advanced features from the Endpoints Settings in the Microsoft 365 Defender portal to allow or block a user-specified range of IP addresses and URLs?

custom network indicators

Which role should you assign to User1 to customize Microsoft Sentinel workbook templates?

Workbook Contributor

Which anomaly detection policy should you use to receive a security alert for activity from infrequent countries?

Activity from infrequent country

What should you use in the Microsoft 365 Defender portal to allow or block a user-specified range of IP addresses and URLs?

custom network indicators

What should you use to detect sensitive documents with customer account numbers in SharePoint Online?

RegEx pattern matching

What should you use in the Microsoft 365 Defender portal to identify devices that triggered a malware alert and collect evidence for possible device isolation?

Advanced hunting
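As an added example (not from the quiz) of the Advanced hunting step above, this query joins Defender XDR alert metadata to the device evidence attached to each alert, giving the list of devices behind malware alerts and how many alerts each produced. Column and value names follow the documented AlertInfo and AlertEvidence schemas; the seven-day window is an assumption.

```kql
// Added example: devices behind malware-category alerts in the last 7 days,
// with the alert titles as evidence for an isolation decision.
// Assumption: Category value "Malware" as emitted by Defender XDR.
AlertInfo
| where Timestamp > ago(7d)
| where Category == "Malware"
| join kind=inner (
    AlertEvidence
    | where EntityType == "Machine"
    | project AlertId, DeviceId, DeviceName
  ) on AlertId
| summarize Alerts      = dcount(AlertId),
            Titles      = make_set(Title, 5),
            Severities  = make_set(Severity),
            LastAlert   = max(Timestamp)
    by DeviceId, DeviceName
| sort by Alerts desc
```

DeviceId is the value the Isolate device action keys on, so carrying it through the summarize means the result can feed a custom detection rule with an isolation action without a second lookup.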

Which indicator type should you use in Microsoft Defender for Endpoint to prevent an attack using an image file?

a file hash indicator that has Action set to Alert and block

What should be included in the solution to enforce MFA for all remote working users?

a named location

How can you prevent Server1 from being scanned after enabling agentless scanning in Microsoft Defender for Cloud while minimizing administrative effort?

Create an exclusion tag.

What should you do on the on-premises computers to use Azure Defender after enabling it for the Azure subscription?

Install the Log Analytics agent.

What should you use to be notified if deleted users downloaded numerous documents from SharePoint Online before their accounts were deleted?

an insider risk policy

How can you identify all the changes made to sensitivity labels in the past seven days in Microsoft 365 Defender?

Activity explorer in the Microsoft 365 compliance center

What should you configure in the Security Center settings to ensure that a security administrator receives email alerts for all activities including antimalware action failed and suspicious network activity?

the severity level of email notifications

In Microsoft 365 Defender, which tab should you use to identify all the entities affected by an incident?

Evidence and Response

What JSON key should you search to locate alerts indicating the use of the Privilege Escalation MITRE ATT&CK tactic in Azure Sentinel?

Description

What should you do first to initiate remote shell connections to Windows 10 devices from the Microsoft 365 Defender portal?

Configure role-based access control (RBAC)

What should you install on an Amazon EC2 instance to onboard it to Defender for Cloud?

the Log Analytics agent

Which response action should you use to collect investigation packages from Linux devices in Microsoft Defender 365?

Initiate Live Response Session

Where should you enable Azure Defender to protect on-premises computers after enabling it for an Azure subscription?

at the subscription level

How can you modify an Azure Sentinel playbook to send an email to the resource owner instead of a distribution group?

Add an alert and modify the action

Which built-in role should you assign to a security analyst in Azure Sentinel to allow editing queries of custom Azure Sentinel workbooks following the principle of least privilege?

Azure Sentinel Contributor

From where can you run a playbook test manually in Azure Sentinel?

Incidents

What should you do in Azure Sentinel to create an incident when a sign-in to an Azure virtual machine from a malicious IP address is detected?

You create a Microsoft incident creation rule for a data connector.

What should you use to visualize Azure Sentinel data and enrich it by using third-party data sources to identify indicators of compromise (IoC)?

notebooks in Azure Sentinel

Which rule type should you query in Azure Sentinel to detect advanced multistage attacks comprising two or more alerts or activities with minimal administrative effort?

Fusion

What should you do in a Microsoft Sentinel workspace to customize the details included when an alert is created for a specific event reported by Azure virtual machines?

Modify the alert rule settings.

What role should you assign to a security analyst in Azure Sentinel to ensure they can assign and resolve incidents following the principle of least privilege?

Azure Sentinel Responder

Your on-premises network contains an Active Directory Domain Services (AD DS) forest.

You have a Microsoft Entra tenant that uses Microsoft Defender for Identity. The AD DS forest syncs with the tenant.

You need to create a hunting query that will identify LDAP simple binds to the AD DS domain controllers.

Which table should you query?

IdentityLogonEvents
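A worked form of the hunting query the question asks for, added here and not part of the quiz: LDAP simple binds are reported by Defender for Identity in IdentityLogonEvents with Protocol "Ldap" and LogonType "LDAP cleartext". Those two string values are the documented ones but are treated as assumptions here; the seven-day window is also an assumption.

```kql
// Added example: LDAP simple (cleartext) binds against AD DS domain controllers,
// grouped by the account and source device doing the binding.
// Assumptions: Protocol == "Ldap" and LogonType == "LDAP cleartext" as emitted
// by the Defender for Identity sensor; adjust if your tenant's values differ.
IdentityLogonEvents
| where Timestamp > ago(7d)
| where Protocol =~ "Ldap"
| where LogonType =~ "LDAP cleartext"
| summarize Binds      = count(),
            Successful = countif(ActionType == "LogonSuccess"),
            Failed     = countif(ActionType == "LogonFailed"),
            TargetDCs  = make_set(DestinationDeviceName, 10),
            LastSeen   = max(Timestamp)
    by AccountName, AccountDomain, DeviceName, IPAddress
| sort by Binds desc
```

Simple binds send the password in the clear, so every row is a candidate for credential capture on the network path; the grouping by source device is what turns the list into a remediation backlog of applications to move to LDAPS or signed binds.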

You have a Microsoft 365 subscription that uses Microsoft 365 Defender.

You plan to create a hunting query from Microsoft Defender.

You need to create a custom tracked query that will be used to assess the threat status of the subscription.

From the Microsoft 365 Defender portal, which page should you use to create the query?

Advanced Hunting

Study Notes

Microsoft Defender for Identity

  • Configure accounts for attackers to exploit by adding them as Honeytoken accounts from Entity tags
  • Does not meet the goal: configuring sign-in risk policy from Azure AD Identity Protection
  • Does not meet the goal: adding accounts to an Active Directory group and adding the group as a Sensitive group

Microsoft Defender for Office 365

  • Configure Dynamic Delivery in Safe Attachments policies to reduce the delivery time of email messages with attachments: the message body is delivered immediately while attachments are scanned for malware
  • Attachments that Dynamic Delivery finds to contain malware are blocked; the rest are reattached after scanning completes

Microsoft Defender for Endpoint

  • Identify devices that triggered a malware alert and collect evidence using Advanced hunting
  • Reduce administrative effort by adding threat indicators for IP addresses in a range using an import file
  • Enable custom network indicators in Advanced features to allow or block user-specified IP addresses and URLs
  • Mark a file as safe and remove it from quarantine on devices using the History tab in the Action center
  • Prevent Server1 from being scanned by creating an exclusion tag

Azure Security Center

  • View recommendations to resolve a security alert by selecting Take Action and expanding the Mitigate the threat section
  • Configure Azure Defender for Key Vault to mitigate threats by configuring Key Vault firewalls and virtual networks

Azure Defender

  • Enable Azure Defender at the subscription level to protect on-premises computers
  • Install the Log Analytics agent on on-premises computers
  • Enable Azure Defender for Servers to collect security event logs from Azure virtual machines

Azure Sentinel

  • Create a Microsoft incident creation rule for a data connector to create an incident in Azure Sentinel
  • Use notebooks to visualize Azure Sentinel data and enrich it with third-party data sources to identify indicators of compromise
  • Assign the Azure Sentinel Responder role to a security analyst to ensure they can assign and resolve incidents
  • Use a Fusion rule to detect advanced multistage attacks
  • Modify the alert rule settings to customize the details included when an alert is created

Microsoft 365 Defender

  • Assign the Security Administrator role to a user to ensure they can manage Microsoft Defender XDR custom detection rules and Endpoint security policies
  • Stream Microsoft Graph activity logs to a third-party SIEM tool using an Azure Event Hubs namespace
  • Use the Alerts investigation permission to ensure a user can configure alerts that send email notifications to a group

Microsoft Defender for Endpoint Plan 2

  • Investigate a Defender for Endpoint agent alert on a device by collecting an investigation package and performing Get & Transform Data operations
  • Use the SeenBy() function to create a hunting query that identifies discovered network devices and returns the identity of the onboarded device that discovered each network device

Microsoft Defender for Identity

  • Configure integration with Active Directory from the Microsoft Defender for Identity portal by adding each account as a Sensitive account.

Microsoft Defender for Endpoint

  • Mitigate device threats, such as Microsoft Excel macros, users opening executable attachments, and Outlook rules and forms exploits, by using attack surface reduction rules.

Azure Sentinel

  • Generate alerts for Azure Active Directory (Azure AD) sign-in events in near real-time by configuring the Diagnostics settings in Azure AD to stream to an event hub.
  • Create a custom tracked query to assess the threat status of a subscription from the Advanced Hunting page in the Microsoft 365 Defender portal.
  • Identify vulnerable resources in the subscription by using the Threat analytics blade in the Microsoft 365 Defender portal.
  • Use the Keyword Query Language (KQL) search query (c:c)(Project1)(date=2023-02-01..2023-02-10) in a Content search to identify files stored on a team site between specific dates (this is the Content search keyword syntax, not the Kusto query language used by Sentinel)

Azure Security Center

  • View recommendations to resolve an alert in Security Center by selecting the alert, selecting Take Action, and expanding the Mitigate the threat section
  • Reduce the potential of Key Vault secrets being leaked by enabling the Key Vault firewall.
  • View alerts generated by virtual machines during a specific time period by changing the rule expiration date of the suppression rule.

Linux Virtual Machines

  • Monitor Linux virtual machines on Amazon Web Services (AWS) by enabling Azure Arc and onboarding the virtual machines to Azure Arc.
  • Install the Azure Connected Machine agent on the virtual machines to use Azure Defender.

Defender for Cloud

  • Protect on-premises Linux servers by installing the Azure Connected Machine agent on the servers.
  • Collect logs and resolve vulnerabilities for a virtual machine by installing the Azure Arc agent on the virtual machine.
  • Identify deleted blobs by reviewing the Azure Storage Analytics logs.

Azure Subscription

  • Simulate an attack on a virtual machine by copying and renaming an executable file.
  • Ensure a user can modify Microsoft Defender for Cloud security policies by assigning the Security Admin role.

Azure Active Directory

  • Identify whether a user's identity was compromised during the last 90 days by using the risk detections report.
  • Assign the Security Admin role to a user to ensure they can modify Microsoft Defender for Cloud security policies; the Security Operator role can view and act on alerts but cannot edit policies

Azure Logic App

  • Use an existing Azure logic app as a playbook in Azure Sentinel by modifying the trigger in the logic app.

Automated Threat Response

  • Create an automated threat response by using a playbook.

Incident Creation

  • Create an incident in Azure Sentinel when a sign-in to an Azure virtual machine from a malicious IP address is detected by creating a Microsoft incident creation rule for the data connector that raises the alert

Azure Sentinel Query

  • Create a custom Azure Sentinel query to track anomalous Azure Active Directory (Azure AD) sign-in activity and present the activity as a time chart aggregated by day by including the bin function in the query.
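The note above is the one-line version; as an added example (not from the quiz), here is the full query, aggregating risky Microsoft Entra sign-ins per day with bin so that render timechart can plot them. The risk columns are the standard SigninLogs fields populated by Identity Protection; the 30-day window and the risk thresholds are assumptions.

```kql
// Added example: risky sign-ins per day as a time chart.
// Assumptions: RiskLevelDuringSignIn / RiskState are populated by Identity
// Protection (requires the P2 license); 30 days and the chosen levels are arbitrary.
SigninLogs
| where TimeGenerated > ago(30d)
| where RiskLevelDuringSignIn in ("medium", "high")
    or RiskState in ("atRisk", "confirmedCompromised")
| summarize RiskySignIns  = count(),
            DistinctUsers = dcount(UserPrincipalName)
    by bin(TimeGenerated, 1d)                // one bucket per day
| render timechart
```

bin(TimeGenerated, 1d) rounds each timestamp down to the start of its day, which is what turns individual events into one point per day; change 1d to 1h to see intra-day spikes that a daily chart hides.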

User and Entity Behavior Analytics (UEBA)

  • Investigate entities, such as app name, computer name, IP address, email address, and used client app, by using UEBA.

Microsoft Sentinel Workspace

  • Enrich Cloud Discovery data by creating a Microsoft 365 app connector.

Microsoft Defender 365

  • Identify unmanaged on-premises devices by setting Discovery mode to Basic.

Compliance

  • Assign the PCI DSS 4.0 initiative to a subscription and have it displayed in the Defender for Cloud Regulatory compliance dashboard by enabling the Cloud Security Posture Management (CSPM) plan.

Microsoft Defender XDR

  • Create a custom detection rule to identify compromised devices and establish a pattern of communication by setting the detection frequency to every 24 hours.

Live Response Session

  • Run a PowerShell script in a live response session on a device by uploading the script to the library

Microsoft Defender and Microsoft Sentinel

  • In Microsoft Defender, when exporting audit search results as a CSV file, increasing the number of returned records and then re-exporting can help Excel generate columns for specific JSON properties.
  • In Microsoft Excel, applying filters to existing columns in the CSV file and then performing Get & Transform Data operations may not help parse the AuditData column correctly.

Hunting Queries and Azure Active Directory

  • To create a hunting query that identifies LDAP simple binds to Active Directory Domain Services (AD DS) domain controllers, query the IdentityLogonEvents table.

Microsoft Sentinel Roles and Permissions

  • To deploy and customize Microsoft Sentinel workbook templates while following least privilege, assign the Workbook Contributor role to User1, scoped to RG1.

Anomaly Detection and Data Loss Prevention

  • To receive a security alert when a user signs in from a location never used by other users in the organization, use the "Activity from infrequent country" anomaly detection policy.
  • To detect sensitive documents containing customer account numbers in SharePoint Online, use RegEx pattern matching.

Indicators of Compromise and Conditional Access

  • To prevent an attack using an image file, create a file hash indicator of compromise (IoC) in Microsoft Defender for Endpoint with Action set to Alert and block.
  • To enforce multi-factor authentication (MFA) for all users who work remotely, include a named location in the solution.

Alerts and Incident Response

  • To identify all changes made to sensitivity labels during the past seven days, use the Activity explorer in the Microsoft 365 compliance center.
  • To identify all entities affected by an incident, use the Evidence and Response tab in the Microsoft 365 Defender portal.

Onboarding Devices and Remote Shell Connections

  • To initiate remote shell connections to onboarded devices, configure role-based access control (RBAC) first.
  • To collect investigation packages from onboarded devices, use the "Initiate Live Response Session" response action.

Azure Sentinel Workspaces and Playbooks

  • To test a playbook manually in the Azure portal, run the test from the Incidents blade.
  • To modify a playbook to send an email to the owner of the resource instead of a distribution group, add an alert and modify the action.

Analytics Rules and Alert Suppression

  • A possible cause of an analytics rule stopping is a change in permissions to one of the data sources of the rule query.
  • To suppress specific Defender for Cloud security alerts at the root management group level, modify the alert settings in Defender for Cloud.

Microsoft Sentinel and Azure Logic Apps

  • To ensure that a logic app launches when Microsoft Sentinel detects an Azure AD-generated alert, create an automation rule first.
  • To monitor Linux virtual machines using Microsoft Sentinel, configure a Common Event Format (CEF) connector.

Hunting Queries and Analytics Rules

  • To automatically detect a new threat by using a hunting query, create an analytics rule.
  • To prevent additional failed sign-in alerts from being generated for an account, modify the analytics rule.

Quiz on Microsoft Sentinel, including data collection, visualization, and security features.
