Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
You are configuring Microsoft Defender for Identity integration with Active Directory.
From the Microsoft Defender for identity portal, you need to configure several accounts for
attackers to exploit. 
Solution: From Entity tags, you add the accounts as Honeytoken accounts.
Does this meet the goal?

A.

Yes

B.

No

You have a Microsoft 365 subscription that uses Microsoft Defender for Office 365.
You have Microsoft SharePoint Online sites that contain sensitive documents. The
documents contain customer account numbers that each consists of 32 alphanumeric
characters.
You need to create a data loss prevention (DLP) policy to protect the sensitive documents.
What should you use to detect which documents are sensitive?

A.

SharePoint search

B.

a hunting query in Microsoft 365 Defender

C.

Azure Information Protection

D.

RegEx pattern matching

Note: This question is part of a series of questions that present the same scenario.
Each question in the series contains a unique solution that might meet the stated
goals. Some question sets might have more than one correct solution, while others
might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
You have Linux virtual machines on Amazon Web Services (AWS).
You deploy Azure Defender and enable auto-provisioning.
You need to monitor the virtual machines by using Azure Defender.
Solution: You enable Azure Arc and onboard the virtual machines to Azure Arc.
Does this meet the goal?

A.

Yes

B.

No

Note: This question is part of a series of questions that present the same scenario.
Each question in the series contains a unique solution that might meet the stated
goals. Some question sets might have more than one correct solution, while others
might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
You are configuring Azure Sentinel.
You need to create an incident in Azure Sentinel when a sign-in to an Azure virtual
machine from a malicious IP address is detected.
Solution: You create a livestream from a query.
Does this meet the goal?

A.

Yes

B.

No

Note: This question is part of a series of questions that present the same scenario.
Each question in the series contains a unique solution that might meet the stated
goals. Some question sets might have more than one correct solution, while others
might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
You are configuring Azure Sentinel.
You need to create an incident in Azure Sentinel when a sign-in to an Azure virtual
machine from a malicious IP address is detected.
Solution: You create a hunting bookmark.
Does this meet the goal?

A.

Yes

B.

No

You have an Azure Sentinel deployment in the East US Azure region.
You create a Log Analytics workspace named LogsWest in the West US Azure region.
You need to ensure that you can use scheduled analytics rules in the existing Azure
Sentinel deployment to generate alerts based on queries to LogsWest.
What should you do first?

A.

Deploy Azure Data Catalog to the West US Azure region.

B.

Modify the workspace settings of the existing Azure Sentinel deployment

C.

Add Microsoft Sentinel to a workspace.

D.

Create a data connector in Azure Sentinel.

You have an Azure subscription that uses Microsoft Sentinel.
You need to minimize the administrative effort required to respond to the incidents and
remediate the security threats detected by Microsoft Sentinel.
Which two features should you use? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A.

Microsoft Sentinel bookmarks

B.

Azure Automation runbooks

C.

Microsoft Sentinel automation rules

D.

Microsoft Sentinel playbooks

E.

Azure Functions apps

You are configuring Azure Sentinel.
You need to send a Microsoft Teams message to a channel whenever an incident
representing a sign-in risk event is activated in Azure Sentinel.
Which two actions should you perform in Azure Sentinel? Each correct answer presents
part of the solution.
NOTE: Each correct selection is worth one point.

A.

Enable Entity behavior analytics.

B.

Associate a playbook to the analytics rule that triggered the incident

C.

Enable the Fusion rule

D.

Add a playbook

E.

Create a workbook

You have a custom analytics rule to detect threats in Azure Sentinel.
You discover that the analytics rule stopped running. The rule was disabled, and the rule
name has a prefix of AUTO DISABLED.
What is a possible cause of the issue?

A.

There are connectivity issues between the data sources and Log Analytics.

B.

The number of alerts exceeded 10,000 within two minutes.

C.

The rule query takes too long to run and times out.

D.

Permissions to one of the data sources of the rule query were modified

You have an Azure subscription that uses Microsoft Defender for Cloud and contains a
storage account named storage1. You receive an alert that there was an unusually high
volume of delete operations on the blobs in storage1.
You need to identify which blobs were deleted.
What should you review?

A.

the Azure Storage Analytics logs

B.

the activity logs of storage1

C.

the alert details

D.

the related entities of the alert

You have an Azure subscription that uses Microsoft Sentinel.
You need to create a custom report that will visualise sign-in information over time.
What should you create first?

A.

a workbook

B.

a hunting query

C.

a notebook

D.

a playbook

You recently deployed Azure Sentinel.
You discover that the default Fusion rule does not generate any alerts. You verify that the
rule is enabled.
You need to ensure that the Fusion rule can generate alerts.
What should you do?

A.

Disable, and then enable the rule.

B.

Add data connectors

C.

Create a new machine learning analytics rule

D.

Add a hunting bookmark.