SC-200 Practice Test Questions

156 Questions


Topic 3: Misc. Questions

You have a Microsoft 365 subscription that uses Microsoft 365 Defender.
You need to identify all the entities affected by an incident.
Which tab should you use in the Microsoft 365 Defender portal?

A. Investigations
B. Devices
C. Evidence and Response
D. Alerts

Answer: C. Evidence and Response

Explanation:
The Evidence and Response tab shows all the supported events and suspicious entities in
the alerts in the incident.
Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender/investigateincidents

You create an Azure subscription named sub1.
In sub1, you create a Log Analytics workspace named workspace1.
You enable Azure Security Center and configure Security Center to use workspace1.
You need to ensure that Security Center processes events from the Azure virtual machines
that report to workspace1.
What should you do?

A. In workspace1, install a solution.
B. In sub1, register a provider.
C. From Security Center, create a workflow automation.
D. In workspace1, create a workbook.

Answer: A. In workspace1, install a solution.

You have an Azure subscription that uses Microsoft Defender for Cloud and contains a
storage account named storage1. You receive an alert that there was an unusually high
volume of delete operations on the blobs in storage1. You need to identify which blobs
were deleted. What should you review?

A. the activity logs of storage1
B. the Azure Storage Analytics logs
C. the alert details
D. the related entities of the alert

Answer: A. the activity logs of storage1

Explanation: To identify which blobs were deleted, you should review the activity logs of
the storage account. The activity logs contain information about all the operations that have
taken place in the storage account, including delete operations. These logs can be
accessed in the Azure portal by navigating to the storage account, selecting "Activity log"
under the "Monitoring" section, and filtering by the appropriate time range. You can also
use Azure Monitor and Log Analytics to query and analyze the activity logs data.
References:
https://docs.microsoft.com/en-us/azure/storage/common/storage-activity-logs
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-azurestorage

You need to receive a security alert when a user attempts to sign in from a location that
was never used by the other users in your organization to sign in.
Which anomaly detection policy should you use?

A. Impossible travel
B. Activity from anonymous IP addresses
C. Activity from infrequent country
D. Malware detection

Answer: C. Activity from infrequent country

Explanation:
Activity from infrequent country: activity from a country/region that could indicate malicious
activity. This policy profiles your environment and triggers alerts when activity is detected
from a location that was not recently visited, or was never visited, by any user in the
organization.
Impossible travel (for comparison): activity from the same user in different locations within a
time period that is shorter than the expected travel time between the two locations. This can
indicate a credential breach; however, it is also possible that the user's actual location is
masked, for example by using a VPN.

You receive a security bulletin about a potential attack that uses an image file.
You need to create an indicator of compromise (IoC) in Microsoft Defender for Endpoint to
prevent the attack.
Which indicator type should you use?

A. a URL/domain indicator that has Action set to Alert only
B. a URL/domain indicator that has Action set to Alert and block
C. a file hash indicator that has Action set to Alert and block
D. a certificate indicator that has Action set to Alert and block

Answer: C. a file hash indicator that has Action set to Alert and block

You have an Azure subscription that uses Microsoft Defender for Endpoint.
You need to ensure that you can allow or block a user-specified range of IP addresses and
URLs.
What should you enable first in the advanced features from the Endpoints Settings in the
Microsoft 365 Defender portal?

A. endpoint detection and response (EDR) in block mode
B. custom network indicators
C. web content filtering
D. Live response for servers

Answer: A. endpoint detection and response (EDR) in block mode

You create an Azure subscription.
You enable Azure Defender for the subscription.
You need to use Azure Defender to protect on-premises computers.
What should you do on the on-premises computers?

A. Install the Log Analytics agent.
B. Install the Dependency agent.
C. Configure the Hybrid Runbook Worker role.
D. Install the Connected Machine agent.

Answer: A. Install the Log Analytics agent.

Explanation:
Security Center collects data from your Azure virtual machines (VMs), virtual machine
scale sets, IaaS containers, and non-Azure (including on-premises) machines to monitor
for security vulnerabilities and threats.
Data is collected using:
- The Log Analytics agent, which reads various security-related configurations and event
logs from the machine and copies the data to your workspace for analysis. Examples of
such data are: operating system type and version, operating system logs (Windows event
logs), running processes, machine name, IP addresses, and logged-in user.
- Security extensions, such as the Azure Policy Add-on for Kubernetes, which can also
provide data to Security Center regarding specialized resource types.
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-datacollection

You are investigating an incident in Azure Sentinel that contains more than 127 alerts.
You discover eight alerts in the incident that require further investigation.
You need to escalate the alerts to another Azure Sentinel administrator.
What should you do to provide the alerts to the administrator?

A. Create a Microsoft incident creation rule.
B. Share the incident URL.
C. Create a scheduled query rule.
D. Assign the incident.

Answer: D. Assign the incident.

You have a custom Microsoft Sentinel workbook named Workbook1.
You need to add a grid to Workbook1. The solution must ensure that the grid contains a maximum of 100 rows.
What should you do?

A. In the query editor interface, configure Settings.
B. In the query editor interface, select Advanced Editor.
C. In the grid query, include the project operator.
D. In the grid query, include the take operator.

Answer: B. In the query editor interface, select Advanced Editor.

Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
You use Azure Security Center.
You receive a security alert in Security Center.
You need to view recommendations to resolve the alert in Security Center.
Solution: From Security alerts, you select the alert, select Take Action, and then expand
the Mitigate the threat section.
Does this meet the goal?

A. Yes
B. No

Answer: A. Yes

Note: This question is part of a series of questions that present the same scenario.
Each question in the series contains a unique solution that might meet the stated
goals. Some question sets might have more than one correct solution, while others
might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are configuring Azure Sentinel.
You need to create an incident in Azure Sentinel when a sign-in to an Azure virtual
machine from a malicious IP address is detected.
Solution: You create a scheduled query rule for a data connector.
Does this meet the goal?

A. Yes
B. No

Answer: B. No

You have a Microsoft 365 E5 subscription that uses Microsoft SharePoint Online.
You delete users from the subscription.
You need to be notified if the deleted users downloaded numerous documents from
SharePoint Online sites during the month before their accounts were deleted.
What should you use?

A. a file policy in Microsoft Defender for Cloud Apps
B. an access review policy
C. an alert policy in Microsoft Defender for Office 365
D. an insider risk policy

Answer: C. an alert policy in Microsoft Defender for Office 365

Explanation:
Alert policies let you categorize the alerts that are triggered by a policy, apply the policy to
all users in your organization, set a threshold level for when an alert is triggered, and
decide whether to receive email notifications when alerts are triggered.
Default alert policies include:
- Unusual external user file activity: generates an alert when an unusually large number of
activities are performed on files in SharePoint or OneDrive by users outside of your
organization. This includes activities such as accessing files, downloading files, and
deleting files. This policy has a High severity setting.