Practice Questions Flashcards
(50 cards)
You have a Microsoft 365 E5 subscription.
You plan to deploy Microsoft Defender for Endpoint to meet the following requirements:
- Block executable content from mail messages.
- Block unsigned processes that run from USB drives.
Which Defender for Endpoint capability should you choose?
Attack surface reduction
-Provides rules to target certain software behavior, such as launching executable files and scripts and running unsigned processes.
You have an Azure subscription that uses MS Defender for Cloud.
You have a VM named Server1 that runs Windows Server and is hosted in AWS.
You need to collect logs and resolve vulnerabilities for Server1 by using Defender for Cloud.
What should you install on Server1?
The Azure Connected Machine agent
-Installing the Connected Machine agent onboards Server1 as an Azure Arc-enabled server. Once the server is projected into Azure this way, Defender for Cloud can provision log collection and vulnerability assessment on it the same way it does for an Azure VM.
You have an Azure subscription that contains 50 VMs that run Windows Server. The VMs are onboarded to MS Defender for Cloud.
You need to identify the VMs that are missing updates and have Windows Firewall disabled.
What should you configure?
Data collection
You have an Azure subscription that contains five VMs onboarded to MS Defender for Cloud.
You need to reduce the amount of data that is sent to a Log Analytics workspace.
What should you configure?
Data collection
You have an Azure subscription that uses MS Defender for Cloud.
You have an AWS account.
You need to ensure that you can use MS Defender for Cloud to assess the resources in the AWS account.
Which blade in the MS Defender for Cloud portal should you use to configure the AWS connector?
Environment settings
-Allow you to add environments, including AWS and Google Cloud Platform (GCP) environments.
You have the following cloud environment:
-An Azure subscription that uses MS Defender for Cloud
-A M365 tenant
-An AWS account
-A Google Cloud Platform (GCP) project
You need to ensure that you can use Defender for Cloud to perform Cloud Security Posture Management (CSPM) for the environments.
Which environments will require that a connector be deployed?
AWS and GCP
-Defender for Cloud can protect hybrid workloads, including on-premises, AWS, and GCP, but a connector must be deployed for an AWS account or a GCP project. The Azure subscription is covered natively, and a M365 tenant is not an environment that Defender for Cloud assesses.
You have a SOC and a MS Sentinel workspace.
You need to ensure that Tier 1 SOC analysts can manage incidents in MS Sentinel by running preconfigured playbooks. The solution must meet the following requirements:
- Prevent analysts from making changes to playbooks or the MS Sentinel workspace.
- Follow the principle of least privilege.
Which role or roles should you assign to the analysts?
MS Sentinel Responder and Logic App Operator
- Sentinel Responder can view data, incidents, workbooks, and other MS Sentinel resources and can also manage incidents (assign, dismiss, change severity and status), but cannot create or edit analytics rules, data connectors, or workspace settings.
- Logic App Operator lets you read, enable, and disable logic apps, but not edit or update them, so the analysts can work with the preconfigured playbooks without changing them.
- Microsoft has since added a dedicated Microsoft Sentinel Playbook Operator role that lets a user list, view, and manually run playbooks; it is the least-privileged choice for running playbooks on demand.
You have an Azure subscription that uses MS Sentinel.
You create a user named Admin1.
You need to ensure that Admin1 can add playbooks in MS Sentinel. The solution must follow the principle of least privilege.
Which role should you assign to Admin1?
Logic App Contributor
-Playbooks are Azure Logic Apps, so creating one requires the Logic App Contributor role on the resource group that will hold the playbook. Microsoft Sentinel Automation Contributor is not a user role: it is assigned to the Microsoft Sentinel service identity so that Sentinel itself can add playbooks to automation rules. Logic App Operator can only read, enable, and disable existing logic apps.
Your on-premises network contains multiple devices that provide logs in Common Event Format (CEF).
You have an Azure subscription and a MS Sentinel workspace named Workspace1.
You need to ingest the logs from the devices into Workspace1.
What should you do first?
Deploy a computer that runs Linux
-To ingest Syslog and CEF logs into MS Sentinel, particularly from devices and appliances onto which you cannot install an agent directly, you must designate and configure a Linux machine as a log forwarder: it receives the messages from your devices over Syslog and forwards them to your MS Sentinel workspace. This machine can be a physical machine or a VM in your on-premises environment, an Azure VM, or a VM in another cloud. The forwarder originally ran the Log Analytics agent; the current CEF via AMA connector uses the Azure Monitor Agent on the same kind of Linux forwarder, and a non-Azure forwarder must be connected through Azure Arc before that agent can be installed.
You are implementing MS Sentinel.
You add a MS Entra ID Protection data connector to MS Sentinel.
You need to verify whether data is ingested from the connector.
Which table should you query?
SecurityAlert
-When you add the Microsoft Entra ID Protection data connector in MS Sentinel, the risk detections it ingests are stored in the SecurityAlert table of the Log Analytics workspace, so querying SecurityAlert (for example, filtering on ProviderName) confirms that data is arriving.
You have a MS Sentinel workspace.
You plan to deploy a Syslog data connector in MS Sentinel.
You download an agent to a computer that runs Linux.
You need to onboard the agent to MS Sentinel.
What information do you need?
The MS Sentinel workspace ID and the workspace secondary key
-Syslog is an event logging protocol that is common to Linux. You can use the Syslog daemon built into Linux devices and appliances to collect local events of the types you specify and have it send those events to MS Sentinel by using the Log Analytics agent for Linux.
-During installation of the Log Analytics agent, you must provide the workspace ID and either the primary or the secondary key of the workspace; both keys are shown under the workspace's Agents settings, and either one authenticates the agent.
-The Log Analytics agent was retired on 31 August 2024. Its replacement, the Azure Monitor Agent, is not installed with a workspace key: it is deployed as a VM extension (through Azure Arc for non-Azure machines) and is told what to collect and where to send it by a data collection rule.
You have a MS Sentinel workspace.
You need to enable User and Entity Behavior Analytics (UEBA) in MS Sentinel.
Which two data sources support the use of UEBA?
Azure Activity
Security Events
You have a M365 E5 subscription.
You plan to create a MS Defender XDR hunting query to identify users that have been affected by clicking a suspicious URL.
You need to create a detection rule that will mark the user as compromised.
Which two properties should you include in the rule?
AccountUpn
ReportId
You have a M365 E5 subscription.
You are using MS Defender portal.
You need to create a custom detection rule by using a hunting query.
Which two columns should the query return?
ReportId
Timestamp
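The two cards above describe the columns a Defender XDR custom detection rule needs. The following query is an added example, not part of the original flashcards: it hunts in the UrlClickEvents table for users whose Safe Links click was allowed through on a URL flagged as phishing, and returns exactly the columns a rule with the "Mark user as compromised" action needs (Timestamp, ReportId, and AccountUpn as the user identifier). The ThreatTypes value "Phish" and the ActionType filter are assumptions about the data; adjust them to the tenant's events.

```kql
// Added example (not from the original flashcards). Shaped to be saved as a
// custom detection rule: Timestamp and ReportId are mandatory, and AccountUpn
// lets the rule's "Mark user as compromised" action target the right user.
// The rule's run frequency sets the lookback window, so no hard-coded
// Timestamp filter is needed here.
UrlClickEvents
// Assumption: clicks that Safe Links allowed, or that the user clicked through
// a warning page for, are the ones that actually reached the destination
| where ActionType == "ClickAllowed" or IsClickedThrough == true
// Assumption: ThreatTypes carries "Phish" when the URL verdict was phishing
| where ThreatTypes has "Phish"
| project Timestamp, ReportId, AccountUpn, Url, IPAddress, Workload, ActionType
```

Save it from Advanced hunting with "Create detection rule". The portal rejects a query whose results lack Timestamp, ReportId, or an entity identifier column, which is why the project line keeps all three.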
You have a MS Sentinel workspace.
You need to create a livestream session in MS Sentinel.
Which MS Sentinel resource can you add to the livestream?
Hunting query
-You can use livestream to create interactive sessions that let you test newly created queries as events occur, get notifications from the sessions when a match is found, and launch investigations if necessary. You can quickly create a livestream session by using any Log Analytics query. You can create a livestream session from an existing hunting query or create your session from scratch.
You have a MS Sentinel workspace.
You have the following hunting query:
SigninLogs
| where TimeGenerated > ago(7d)
| extend ErrorCode = tostring(Status.errorCode)
| extend FailureReason = tostring(Status.failureReason)
| where ErrorCode in ("50053", "50079")
| project UserPrincipalName, IPAddress, AppDisplayName, ['Error Code'] = ErrorCode, ['Reason'] = FailureReason
You run the query and select results to add as a bookmark.
Which projected column does NOT map to an entity?
Reason
-Reason is free text describing the failure and has no appropriate entity type to map to when the results are bookmarked (the same is true of Error Code). The columns that do map are UserPrincipalName to an Account entity, IPAddress to an IP entity, and AppDisplayName to a Cloud application entity.
You have a MS Sentinel workspace.
You have the following query:
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID == 4625
| summarize count() by TargetAccount
You need to use the query as a hunting query. The solution must generate result deltas.
What should you do?
Remove the line "| where TimeGenerated > ago(7d)"
-Result deltas for hunting queries cannot be calculated for queries with hard-coded time filters, because Sentinel applies its own time range when it compares runs. Remove the time filter and let the hunting page's time picker scope the query.
You have a M365 E5 subscription and a MS Sentinel workspace.
You create a custom query named Query1.
You need to test the Query1 against events as they occur in the subscription.
What should you use?
Livestream
-You can use a hunting livestream to test queries against live events as they occur. Livestream provides interactive sessions that can notify you when MS Sentinel finds matching events for your query.
-A livestream is always based on a query. Typically, you use the query to narrow down streaming log events, so only the events that are related to your threat hunting efforts appear. You can use a livestream to:
—Test new queries against live events
—Generate notifications for threats
—Launch investigations
You have an Azure subscription that uses MS Sentinel.
You need to create a report that will visualize alert information over time.
What should you create first?
Workbook
You have a MS Sentinel workspace that has a MS Entra ID data connector.
You need to create a report that visualizes sign-in information over time.
What should you use?
Workbook
-Once you have connected data sources to MS Sentinel, you can visualize and monitor the data by using MS Sentinel workbooks, which provide versatility in creating custom dashboards.
You have a MS Sentinel workspace.
You plan to add a workbook to MS Sentinel.
You create a workbook query.
You need to display the query results in a time chart.
Which keyword should you include in the query?
Render
-In KQL, the render operator displays the result set as a graphical output; for example, "| render timechart" plots the rows against a datetime column. It must be the last operator in the query.
-The other operators do not produce graphical output and have the following functions:
print: outputs a single row with one or more scalar expressions
project: selects the columns to include, in the order specified
extend: creates a calculated column and adds it to the result set
summarize: groups the rows according to the by columns and calculates aggregations over each group
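As an added example that is not part of the original flashcards, this workbook query puts the operators above together to visualize alert volume over time, which is the report asked for in the earlier workbook cards. The 30-day range and the daily bins are assumptions chosen for illustration.

```kql
// Added example (not from the original flashcards): alerts per day per severity,
// rendered as a time chart. summarize groups rows into 1-day bins per
// AlertSeverity; render, as the last operator, turns the result into a chart.
// The 30-day range is an assumption.
SecurityAlert
| where TimeGenerated > ago(30d)
| summarize AlertCount = count() by bin(TimeGenerated, 1d), AlertSeverity
| render timechart
```

In a workbook, leave the query step's visualization set to "Set by query" so the render operator chooses the chart; if you pick a visualization in the workbook UI instead, that setting takes precedence over render.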
You have a SOC and a MS Sentinel workspace.
You plan to provide the SOC manager with a MS Sentinel workbook that includes the following metrics:
-Incidents created over time
-Mean time to triage
You need to create the workbook by using a template. The solution must minimize administrative effort.
Which template should you use?
Security operations efficiency
-You can use the Security Operations efficiency workbook template to monitor SOC operations. The workbook contains many metrics, including incidents created over time and mean time to triage. These metrics are unavailable in other workbook templates, so you will minimize administrative effort if you use the Security Operations efficiency workbook template.
You have a M365 E5 subscription that includes a user named User1.
You need to ensure that all emails sent to User1, including malicious email, are excluded from filtering by MS Defender for Office 365.
What should you configure?
SecOps mailbox
-Dedicated mailbox that is used by security teams to collect and analyze unfiltered messages. Filters in the EOP and Defender for Office 365 take no action on email messages sent to a SecOps mailbox.
You have a M365 E5 subscription that uses MS Defender for Cloud Apps.
You need to create a Defender for Cloud Apps policy that will generate alerts based on a trainable classifier.
Which type of policy should you create?
File Policy
-File policies allow you to enforce a wide range of automated processes by using the cloud provider's APIs. Policies can be set to provide continuous compliance scans, legal eDiscovery tasks, DLP for sensitive content shared publicly, and many more use cases. Defender for Cloud Apps can monitor any file type based on more than 20 metadata filters, such as access level, file type, and trainable classifiers.