Topic 3: Misc. Questions
Your company uses Microsoft Sentinel.
A new security analyst reports that she cannot assign and resolve incidents in Microsoft
Sentinel.
You need to ensure that the analyst can assign and resolve incidents. The solution must
use the principle of least privilege.
Which role should you assign to the analyst?
A.
Microsoft Sentinel Responder
B.
Logic App Contributor
C.
Microsoft Sentinel Reader
D.
Microsoft Sentinel Contributor
Microsoft Sentinel Responder
Explanation: The Microsoft Sentinel Responder role can view data, incidents, workbooks and other Microsoft Sentinel resources and can manage incidents, which includes assigning them, changing their status and closing (resolving) them. It cannot create or edit analytics rules, workbooks or other Sentinel resources, so it is the least-privileged built-in role that still covers assigning and resolving incidents.
Microsoft Sentinel Reader is read-only and cannot change an incident at all. Microsoft Sentinel
Contributor can additionally create and edit analytics rules, workbooks and other resources, which
is more than the task requires. Logic App Contributor grants rights over Logic Apps (the
playbooks), not over Sentinel incidents, so it does not solve the problem. Assign the role at the
scope of the resource group that holds the workspace rather than at the subscription, so the grant
stays as narrow as the task.
Reference: https://docs.microsoft.com/en-us/azure/sentinel/role-based-access-control-rbac
You have an Azure subscription that contains a Log Analytics workspace.
You need to enable just-in-time (JIT) VM access and network detections for Azure
resources.
Where should you enable Azure Defender?
A.
at the subscription level
B.
at the workspace level
C.
at the resource level
at the subscription level
You need to visualize Azure Sentinel data and enrich the data by using third-party data
sources to identify indicators of compromise (IoC).
What should you use?
A.
notebooks in Azure Sentinel
B.
Microsoft Cloud App Security
C.
Azure Monitor
D.
hunting queries in Azure Sentinel
notebooks in Azure Sentinel
Your company has a single office in Istanbul and a Microsoft 365 subscription.
The company plans to use conditional access policies to enforce multi-factor authentication
(MFA).
You need to enforce MFA for all users who work remotely.
What should you include in the solution?
A.
a fraud alert
B.
a user risk policy
C.
a named location
D.
a sign-in user policy
a named location
You have a suppression rule in Azure Security Center for 10 virtual machines that are used
for testing. The virtual machines run Windows Server.
You are troubleshooting an issue on the virtual machines.
In Security Center, you need to view the alerts generated by the virtual machines during
the last five days.
What should you do?
A.
Change the rule expiration date of the suppression rule.
B.
Change the state of the suppression rule to Disabled.
C.
Modify the filter for the Security alerts page.
D.
View the Windows event logs on the virtual machines.
Modify the filter for the Security alerts page.
Explanation: A suppression rule does not stop alerts from being generated. Matching alerts are
still created and are automatically set to the Dismissed state, and the Security alerts page hides
dismissed alerts by default. Changing the Status filter on that page to include Dismissed shows
the alerts the virtual machines generated during the last five days. Disabling the rule or changing
its expiration date only affects alerts generated from that point on, and the Windows event logs on
the virtual machines do not contain Security Center alerts.
You have an Azure subscription named Sub1 and a Microsoft 365 subscription. Sub1 is
linked to an Azure Active Directory (Azure AD) tenant named contoso.com.
You create an Azure Sentinel workspace named workspace1. In workspace1, you activate
an Azure AD connector for contoso.com and an Office 365 connector for the Microsoft 365
subscription.
You need to use the Fusion rule to detect multi-staged attacks that include suspicious sign-ins
to contoso.com followed by anomalous Microsoft Office 365 activity.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A.
Create custom rule based on the Office 365 connector templates.
B.
Create a Microsoft incident creation rule based on Azure Security Center.
C.
Create a Microsoft Cloud App Security connector.
D.
Create an Azure AD Identity Protection connector.
Create a Microsoft Cloud App Security connector.
Create an Azure AD Identity Protection connector.
Explanation: Fusion is a built-in correlation detection that is enabled by default; you do not
write custom rules for it. It correlates alerts from the sources it supports, and the multi-stage
scenarios in which a suspicious Azure AD sign-in is followed by anomalous Office 365 activity
(mass file deletion, mass download, new mailbox forwarding rules and similar) are built from
Azure AD Identity Protection alerts and Microsoft Cloud App Security (now Microsoft Defender
for Cloud Apps) alerts. The Azure AD and Office 365 connectors that are already enabled deliver
raw sign-in and audit logs, not the alerts Fusion correlates, so the two missing pieces are:
Create an Azure AD Identity Protection connector. This delivers the risky sign-in
alerts for contoso.com that form the first stage.
Create a Microsoft Cloud App Security connector. This delivers the anomaly alerts on
Office 365 activity that form the second stage.
A custom scheduled rule built from the Office 365 templates and a Security Center incident
creation rule are not what these Fusion scenarios require.
Reference: https://docs.microsoft.com/en-us/azure/sentinel/fusion
You have the following environment:
Azure Sentinel
A Microsoft 365 subscription
Microsoft Defender for Identity
An Azure Active Directory (Azure AD) tenant
You configure Azure Sentinel to collect security logs from all the Active Directory member
servers and domain controllers.
You deploy Microsoft Defender for Identity by using standalone sensors.
You need to ensure that you can detect when sensitive groups are modified in Active
Directory.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A.
Configure the Advanced Audit Policy Configuration settings for the domain controllers.
B.
Modify the permissions of the Domain Controllers organizational unit (OU).
C.
Configure auditing in the Microsoft 365 compliance center.
D.
Configure Windows Event Forwarding on the domain controllers.
Configure the Advanced Audit Policy Configuration settings for the domain controllers.
Configure Windows Event Forwarding on the domain controllers.
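Once the Advanced Audit Policy Configuration generates the group-management events and Windows Event Forwarding delivers them, the Sentinel side can be checked with a query like the one below. It is an added example and not part of the original question: the rows are constructed to stand in for the SecurityEvent table, and the list of sensitive groups is an assumption you would tune to your own domain.

```kusto
// Constructed sample rows standing in for the SecurityEvent table that is populated by the
// forwarded domain-controller security logs. For these event IDs SecurityEvent holds the group
// in TargetUserName, the member's distinguished name in MemberName and the actor in SubjectUserName.
// 4728 = member added to a global group, 4732 = added to a local group, 4756 = added to a universal
// group; 4729, 4733 and 4757 are the matching removals.
let SampleSecurityEvent = datatable(TimeGenerated:datetime, Computer:string, EventID:int,
                                    TargetUserName:string, TargetDomainName:string,
                                    MemberName:string, SubjectUserName:string)
[
  datetime(2024-05-01 09:12:00), "DC01.contoso.com", 4728, "Domain Admins",  "CONTOSO", "CN=Eve,OU=Users,DC=contoso,DC=com",     "jdoe",
  datetime(2024-05-01 09:13:00), "DC01.contoso.com", 4732, "Administrators", "Builtin", "CN=Eve,OU=Users,DC=contoso,DC=com",     "jdoe",
  datetime(2024-05-01 10:00:00), "DC02.contoso.com", 4728, "Sales",          "CONTOSO", "CN=Bob,OU=Users,DC=contoso,DC=com",     "hradmin",
  datetime(2024-05-01 10:30:00), "DC02.contoso.com", 4756, "Schema Admins",  "CONTOSO", "CN=Mallory,OU=Users,DC=contoso,DC=com", "svc_backup"
];
// Assumed list of groups treated as sensitive; extend it with your own tier-0 groups.
let SensitiveGroups = dynamic(["Domain Admins", "Enterprise Admins", "Schema Admins",
                               "Administrators", "Account Operators", "Backup Operators",
                               "Server Operators", "Print Operators", "DnsAdmins",
                               "Group Policy Creator Owners"]);
SampleSecurityEvent
| where EventID in (4728, 4729, 4732, 4733, 4756, 4757)
| where TargetUserName in~ (SensitiveGroups)
| extend Action = case(EventID in (4728, 4732, 4756), "Added", "Removed")
| project TimeGenerated, Computer, Action, Group = TargetUserName, Member = MemberName,
          ChangedBy = SubjectUserName
| order by TimeGenerated asc
```

Against the constructed rows the query returns the three changes to Domain Admins, Administrators and Schema Admins and drops the Sales change. In a live workspace replace SampleSecurityEvent with SecurityEvent and add a TimeGenerated window; the query only finds anything if success auditing for the Security Group Management subcategory (under Account Management) is enabled on the domain controllers, which is what the Advanced Audit Policy Configuration step provides, and if those events actually reach the workspace, which is what Windows Event Forwarding provides when the sensors are standalone and cannot read the logs locally.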
You implement Safe Attachments policies in Microsoft Defender for Office 365.
Users report that email messages containing attachments take longer than expected to be
received.
You need to reduce the amount of time it takes to deliver messages that contain
attachments without compromising security. The attachments must be scanned for
malware, and any messages that contain malware must be blocked.
What should you configure in the Safe Attachments policies?
A.
Dynamic Delivery
B.
Replace
C.
Block and Enable redirect
D.
Monitor and Enable redirect
Dynamic Delivery
You have a playbook in Azure Sentinel.
When you trigger the playbook, it sends an email to a distribution group.
You need to modify the playbook to send the email to the owner of the resource instead of
the distribution group.
What should you do?
A.
Add a parameter and modify the trigger.
B.
Add a custom data connector and modify the trigger.
C.
Add a condition and modify the action.
D.
Add a parameter and modify the action.
Add a parameter and modify the action.
You have a Microsoft Sentinel workspace named Workspace1.
You need to exclude a built-in, source-specific Advanced Security Information Model
(ASIM) parser from a built-in unified ASIM parser.
What should you create in Workspace1?
A.
a workbook
B.
a hunting query
C.
a watchlist
D.
an analytic rule
a watchlist
Explanation:
Built-in unified ASIM parsers consult a watchlist with the alias ASimDisabledParsers before they
union the source-specific parsers. To exclude a source-specific parser, create that watchlist in
Workspace1 and add a record whose SearchKey value is Exclude followed by the name of the
source-specific parser; the value Any disables all of the sources. A workbook, hunting query or
analytic rule only consumes the output of a parser and cannot change which sources a unified
parser includes.
Reference: https://learn.microsoft.com/en-us/azure/sentinel/normalization-manage-parsers
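How a unified parser honours that watchlist, as an added illustration rather than Microsoft's parser source: two inline functions stand in for source-specific parsers and a datatable stands in for the watchlist, so the query runs in any Kusto environment. The parser names vimDnsSourceA and vimDnsSourceB, their rows and the watchlist record are assumptions made for the example.

```kusto
// Constructed stand-in for _GetWatchlist('ASimDisabledParsers'): a single record that excludes
// the (hypothetical) source-specific parser vimDnsSourceB. In a workspace the watchlist itself
// is what you create; the unified parser reads it through _GetWatchlist.
let ASimDisabledParsers = datatable(SearchKey:string)
[
  "ExcludevimDnsSourceB"
];
// Hypothetical source-specific parsers. Each accepts a disabled flag and returns no rows when
// it is true, which is how the unified parser switches a source off without editing it.
let vimDnsSourceA = (disabled:bool=false) {
  datatable(TimeGenerated:datetime, EventProduct:string, SrcIpAddr:string, DnsQuery:string)
  [
    datetime(2024-05-01 08:00:00), "SourceA", "10.0.0.5", "login.contoso.com"
  ]
  | where not(disabled)
};
let vimDnsSourceB = (disabled:bool=false) {
  datatable(TimeGenerated:datetime, EventProduct:string, SrcIpAddr:string, DnsQuery:string)
  [
    datetime(2024-05-01 08:01:00), "SourceB", "10.0.0.9", "evil.example"
  ]
  | where not(disabled)
};
// Unified parser: read the watchlist once, derive a flag per source, then union the sources.
let DisabledParsers = materialize(ASimDisabledParsers
  | where SearchKey in ("Any", "ExcludevimDnsSourceA", "ExcludevimDnsSourceB")
  | distinct SearchKey);
let AllDisabled = toscalar(DisabledParsers | where SearchKey == "Any" | count) > 0;
let DisableA = AllDisabled or toscalar(DisabledParsers | where SearchKey == "ExcludevimDnsSourceA" | count) > 0;
let DisableB = AllDisabled or toscalar(DisabledParsers | where SearchKey == "ExcludevimDnsSourceB" | count) > 0;
union isfuzzy=true
  vimDnsSourceA(DisableA),
  vimDnsSourceB(DisableB)
| order by TimeGenerated asc
```

With the watchlist record above the union returns only the SourceA row; remove the record, or change it to Any, and the SourceB row reappears or both disappear respectively. Nothing in the analytics rules, workbooks or hunting queries that sit on top of the unified parser has any say in this selection.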
You are investigating a potential attack that deploys a new ransomware strain.
You plan to perform automated actions on a group of highly valuable machines that contain
sensitive information.
You have three custom device groups.
You need to be able to temporarily group the machines to perform actions on the devices.
Which three actions should you perform? Each correct answer presents part of the
solution. NOTE: Each correct selection is worth one point.
A.
Add a tag to the device group.
B.
Add the device users to the admin role.
C.
Add a tag to the machines.
D.
Create a new device group that has a rank of 1.
E.
Create a new admin role.
F.
Create a new device group that has a rank of 4.
Add a tag to the device group.
Add a tag to the machines.
Create a new device group that has a rank of 1.
You have an existing Azure logic app that is used to block Azure Active Directory (Azure
AD) users. The logic app is triggered manually.
You deploy Azure Sentinel.
You need to use the existing logic app as a playbook in Azure Sentinel. What should you
do first?
A.
Add a new scheduled query rule.
B.
Add a data connector to Azure Sentinel
C.
Configure a custom Threat Intelligence connector in Azure Sentinel
D.
Modify the trigger in the logic app.
Modify the trigger in the logic app.