Practice AZ-500 Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel questions with full explanations on every answer.
1. A company uses Microsoft Defender for Cloud to manage the security posture of multiple Azure subscriptions. The security team wants to ensure that all subscriptions are covered by the same Microsoft Defender for Cloud policy initiative, but one subscription is not showing compliance data. The subscription is in the same Azure AD tenant and has the same tags. What is the most likely cause?
2. An organization uses Microsoft Defender for Cloud to protect Azure virtual machines. They notice that several VMs are not receiving vulnerability assessment findings, even though they are in a scope where the integrated Qualys VA solution is enabled. What should they verify first?
3. A security analyst needs to create a custom alert in Microsoft Defender for Cloud that triggers when a user creates a public IP address in the 'production' resource group. Which type of alert should they use?
4. Your company uses Microsoft Sentinel to monitor security events. You need to detect brute-force attacks against Azure VMs that are not yet onboarded to Sentinel. What should you do?
5. A security team uses Microsoft Defender for Cloud's regulatory compliance dashboard to track compliance with PCI DSS. They notice that some controls are marked as 'N/A' even though they have relevant resources. What is the most likely reason?
6. You are configuring Microsoft Sentinel to ingest logs from Azure Active Directory. Which two data connectors are necessary to collect sign-in logs and audit logs?
7. An organization uses Microsoft Defender for Cloud to protect Azure SQL databases. They want to receive alerts when a SQL database is accessed from a suspicious location. What should they enable?
8. Your company uses Microsoft Sentinel to correlate data from multiple sources. You need to create an analytics rule that triggers an incident when a user signs in from an unfamiliar location and then performs a high-risk action in Azure. What is the best approach?
9. A security analyst needs to view all incidents generated by Microsoft Defender for Cloud across multiple subscriptions in a single pane of glass. What should they use?
10. You need to ensure that Microsoft Sentinel can detect threats across your Azure environment, including virtual machines, network traffic, and user activities. Which TWO data sources should you connect?
11. A company uses Microsoft Defender for Cloud's workload protection for Azure Storage. They want to receive alerts when there is suspicious access to blob storage. Which TWO features should they enable?
12. You are deploying Microsoft Sentinel in a new Azure environment. Which THREE resources are required to deploy a Sentinel workspace?
13. Refer to the exhibit. You are assigning this Azure Policy to a management group. The goal is to automatically deploy the Azure Monitor Agent to Windows VMs that do not have it. However, after assignment, you notice that the policy is not deploying the agent. What is the most likely reason?
14. Refer to the exhibit. A security analyst runs this KQL query in Microsoft Sentinel. What is the purpose of this query?
15. Refer to the exhibit. This is an excerpt from an Azure Policy assignment. What is the effect of the 'notScopes' property?
16. Your organization uses Microsoft Defender for Cloud. You need to ensure that all Azure subscriptions have the 'Auto-provisioning' extension enabled for the Log Analytics agent on new VMs. What should you configure?
17. Your company has a hybrid environment with on-premises servers and Azure VMs. All resources are onboarded to Microsoft Defender for Cloud. You need to receive alerts when a critical vulnerability is detected on any server. The security team wants to minimize false positives. What should you configure?
18. A security analyst reports that Microsoft Sentinel is not receiving Windows Security Events from Azure VMs that have the Log Analytics agent installed. The agent shows as connected, and other data sources (e.g., performance counters) are flowing. What is the most likely cause?
19. Your organization uses Microsoft Defender for Cloud to assess regulatory compliance. You need to ensure that the compliance dashboard reflects the latest standards and that custom assessments are included. What should you do?
20. You are investigating a security incident in Microsoft Sentinel. A KQL query returns results indicating that a user logged in from an IP address that is not in the organization's approved list. The user's account has been compromised. You need to automatically disable the user account in Microsoft Entra ID when such an alert is triggered. What should you configure?
21. Your organization is using Microsoft Defender for Cloud to protect Azure SQL databases. You need to enable Advanced Threat Protection (ATP) for all existing and future Azure SQL databases in a subscription. The solution must minimize administrative effort. What should you do?
22. Your company has multiple Azure subscriptions. You need to centralize security alerts and incidents in a single dashboard for the security operations center (SOC) team. The solution should provide advanced analytics and threat detection. Which service should you use?
23. You are configuring Microsoft Defender for Cloud's continuous export feature. You need to export security alerts and recommendations to a Log Analytics workspace for long-term retention and custom analysis. The export should include only high-severity alerts and recommendations. What should you do?
24. You are reviewing the Azure Policy definition shown in the exhibit. This policy is assigned to a subscription. Several VMs are non-compliant. What is the most likely reason for the non-compliance?
25. Your organization uses Microsoft Defender for Cloud to monitor Azure resources. You need to ensure that security recommendations are automatically remediated for non-compliant resources. Which TWO options can you use to achieve this?
26. You are designing a Microsoft Sentinel deployment for a multinational company. The company requires that all security logs be retained for at least seven years for compliance. The solution must be cost-effective. Which THREE actions should you take?
27. Your company uses Microsoft Defender for Cloud to protect Azure resources. You need to enable the enhanced security features (formerly Azure Defender) for all supported resource types. Which TWO plans should you enable? (Choose TWO that apply.)
28. You execute the KQL query shown in the exhibit in Microsoft Sentinel. The query returns no results, but you know there have been high-severity malware alerts in the past week. What is the most likely issue?
29. You run the PowerShell command shown in the exhibit. After execution, you check the Log Analytics workspace in the Azure portal. The workspace is created successfully. However, when you try to onboard the workspace to Microsoft Sentinel, you receive an error that Sentinel cannot be enabled on this workspace. What is the most likely cause?
30. You deploy the Bicep template shown in the exhibit. After deployment, you check Microsoft Sentinel and find it is not enabled. The Log Analytics workspace and Defender for Cloud pricing plan are created successfully. What is the most likely reason Sentinel is not enabled?
31. Your company uses Microsoft Defender for Cloud to assess the security posture of Azure subscriptions. The security team receives an alert about a critical vulnerability in an Azure VM that was remediated two weeks ago. What is the most likely reason the alert is still active?
32. A security engineer configures a Microsoft Sentinel analytics rule to detect anomalous sign-ins from unfamiliar locations. The rule uses the following KQL query: SigninLogs | where RiskLevelDuringSignIn == 'medium' or RiskLevelDuringSignIn == 'high' | summarize count() by UserPrincipalName, IPAddress, bin(TimeGenerated, 1h). After enabling the rule, no alerts are generated even though the team expects many. What is the most likely cause?
33. You need to ensure that all Azure storage accounts in your subscription are encrypted at rest using customer-managed keys (CMK). Which Azure Policy initiative should you assign to audit compliance?
34. Your organization uses Microsoft Sentinel to monitor for ransomware attacks. You need to create a custom analytics rule that detects when a large number of files are encrypted within a short time window. Which KQL query should you use as the rule logic?
35. A security administrator needs to enable just-in-time (JIT) VM access for all Azure VMs in a subscription using Microsoft Defender for Cloud. What are the minimum permissions required to enable JIT on the VMs?
36. Your company uses Microsoft Defender for Cloud's regulatory compliance dashboard to track compliance with PCI DSS. After assigning the PCI DSS v4.0 initiative, several controls show as 'Not started' even though your resources are compliant. What is the most likely cause?
37. Which TWO actions can be performed using Microsoft Defender for Cloud's security alerts? (Choose two.)
38. Which THREE are valid data connectors in Microsoft Sentinel? (Choose three.)
39. Which TWO features are available in Microsoft Defender for Cloud's Cloud Security Posture Management (CSPM) capabilities? (Choose two.)
40. Refer to the exhibit. You assign this Azure Policy definition to a subscription containing a storage account that uses Microsoft-managed keys. What is the compliance state of the storage account?
41. Refer to the exhibit. You assign this policy to a subscription that already has a security contact configured with email 'admin@contoso.com'. What will be the outcome?
42. Refer to the exhibit. A Microsoft Sentinel analytics rule uses this KQL query. What is the primary purpose of this rule?
43. Your company, Contoso Ltd., has a hybrid environment with 500 on-premises Windows servers and 200 Azure VMs. The Azure VMs are spread across multiple subscriptions. You need to implement a centralized security monitoring solution using Microsoft Sentinel. The requirements are: - Collect security events from all on-premises servers. - Collect Azure activity logs and VM logs from all Azure subscriptions. - Detect and respond to threats using built-in and custom analytics. - Automatically remediate common threats such as disabling compromised user accounts. - Ensure compliance with regulatory standards (e.g., NIST 800-53). - Minimize administrative overhead and cost. What should you do?
44. Which THREE are valid ways to ingest data into Microsoft Sentinel? (Choose three.)
45. You need to ensure that Microsoft Defender for Cloud automatically provisions the Azure Monitor Agent (AMA) on all new Azure VMs in a subscription. What should you configure?
46. Your company uses Microsoft Defender for Cloud to secure its Azure resources. The security team receives alerts about a potential brute-force attack on a Linux virtual machine. You need to verify whether the attack was successful and take immediate remediation actions. Which two Defender for Cloud features should you use together?
47. You are a security analyst using Microsoft Sentinel. You need to create an analytics rule that triggers an incident when more than 10 failed sign-ins occur from the same IP address within 5 minutes. The rule should use a KQL query. Which query should you use?
48. Your organization has multiple Azure subscriptions managed by Microsoft Defender for Cloud. You need to ensure that all subscriptions have the same security policies applied, and that any new subscription automatically inherits these policies. What should you do?
49. You are configuring Microsoft Sentinel to ingest logs from Azure Active Directory (now Microsoft Entra ID). You need to collect sign-in logs and audit logs. Which data connector should you enable?
50. Your company uses Microsoft Defender for Cloud to protect Azure resources. You notice that some Azure VMs are not showing any security recommendations. You verify that the VMs are running and have network connectivity. What is the most likely cause?
51. You are investigating a security incident in Microsoft Sentinel. The incident involves multiple alerts from different data sources. You need to correlate the alerts to determine the full attack chain. Which Microsoft Sentinel feature should you use?
52. Your organization uses Microsoft Defender for Cloud to secure Azure resources. You need to ensure that all Azure SQL databases have Advanced Data Security enabled. What should you do?
53. You are configuring Microsoft Sentinel to use a playbook for automated response to incidents. The playbook needs to block the source IP address of a malicious sign-in on the Azure Firewall. Which Microsoft Sentinel feature should the playbook use?
54. Your company uses Microsoft Defender for Cloud's Security Posture Management (CSPM) features. You need to identify resources that are not compliant with the organization's security baseline. What should you do?
55. Refer to the exhibit. You are reviewing an Azure Policy initiative definition in Microsoft Defender for Cloud. The initiative includes a policy definition with reference ID 'CIS-1.1'. The policy definition ID is '/providers/Microsoft.Authorization/policyDefinitions/abc123'. You need to verify that the policy definition exists and is correctly assigned. Which Azure CLI command should you run?
56. Refer to the exhibit. You are analyzing a KQL query in Microsoft Sentinel. The query returns a list of IP addresses that have attempted to sign in more than 10 times in the last day. You notice that the query does not filter out successful sign-ins. You need to modify the query to count only failed sign-in attempts. What should you add?
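Questions 47 and 56 both turn on the same rule logic: count only failed sign-ins, group by source IP, and alert when a 5-minute window holds more than 10. The block below is an added illustration, not code from the question bank or from Microsoft. It runs the equivalent of the KQL `summarize ... by IPAddress, bin(TimeGenerated, 5m)` over constructed SigninLogs-shaped rows, and also shows the caveat a practitioner should know: `bin()` is a tumbling window, so a burst that straddles a bin boundary can stay under the threshold even though more than 10 failures happened within five minutes. The sample rows, IP addresses and user names are constructed for the example; `ResultType` "0" is a successful Entra ID sign-in and any other value is a failure code.

```python
"""Failed-sign-in burst detection, mirroring a Sentinel scheduled rule such as:

    SigninLogs
    | where ResultType != "0"                        // keep failures only
    | summarize Failures = count() by IPAddress, bin(TimeGenerated, 5m)
    | where Failures > 10

Added example; the rows below are constructed, not real telemetry.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

BASE = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)   # constructed start time


def _at(seconds: int) -> datetime:
    return BASE + timedelta(seconds=seconds)


# Constructed sample rows shaped like the SigninLogs columns the rule uses.
# 50126 = invalid username or password, 50053 = account locked (both failures).
SAMPLE_SIGNINS = (
    # 12 failures from one IP between 10:00:00 and 10:03:40 -> inside one 5-minute bin
    [{"TimeGenerated": _at(20 * i), "UserPrincipalName": f"user{i % 3}@contoso.com",
      "IPAddress": "203.0.113.7", "ResultType": "50126"} for i in range(12)]
    # 12 *successful* sign-ins from a service account -> must not be counted
    + [{"TimeGenerated": _at(60 + 5 * i), "UserPrincipalName": "svc@contoso.com",
        "IPAddress": "198.51.100.9", "ResultType": "0"} for i in range(12)]
    # 12 failures within 3 min 40 s, but split 6/6 across the 10:05 and 10:10 bins
    + [{"TimeGenerated": _at(480 + 20 * i), "UserPrincipalName": "bob@contoso.com",
        "IPAddress": "192.0.2.44", "ResultType": "50053"} for i in range(12)]
)


def bin_start(ts: datetime, window: timedelta) -> datetime:
    """Equivalent of KQL bin(ts, window): floor ts to the start of its window."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return epoch + ((ts - epoch) // window) * window


def failed_signins_by_ip(records, threshold=10, window=timedelta(minutes=5)):
    """Tumbling-window count, as the KQL above does.

    Returns {(IPAddress, bin_start): failures} for bins strictly above threshold.
    """
    counts = Counter()
    for r in records:
        if r["ResultType"] == "0":          # the 'where ResultType != "0"' filter
            continue
        counts[(r["IPAddress"], bin_start(r["TimeGenerated"], window))] += 1
    return {key: n for key, n in counts.items() if n > threshold}


def failed_signins_sliding(records, threshold=10, window=timedelta(minutes=5)):
    """Sliding-window variant: flags an IP if ANY span shorter than `window`
    holds more than `threshold` failures, so bin-boundary bursts are caught."""
    times_by_ip = {}
    for r in records:
        if r["ResultType"] != "0":
            times_by_ip.setdefault(r["IPAddress"], []).append(r["TimeGenerated"])
    hits = {}
    for ip, times in times_by_ip.items():
        times.sort()
        left, best = 0, 0
        for right, t in enumerate(times):
            while t - times[left] >= window:   # shrink until the span fits the window
                left += 1
            best = max(best, right - left + 1)
        if best > threshold:
            hits[ip] = best
    return hits


if __name__ == "__main__":
    print("tumbling (KQL bin):", failed_signins_by_ip(SAMPLE_SIGNINS))
    print("sliding:", failed_signins_sliding(SAMPLE_SIGNINS))
```

The tumbling version flags only 203.0.113.7; 192.0.2.44 produced 12 failures in under four minutes but never more than 6 in one bin. If that matters for the detection, either lower the threshold, shorten the bin, or use a sliding-window construct in the rule instead of a plain `bin()`.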
57. Refer to the exhibit. You are reviewing the Microsoft Defender for Cloud settings for a subscription. The JSON shows that 'autoProvision' is set to true. What does this mean?
58. Your organization has Microsoft Sentinel deployed in the East US region. You need to ensure that security logs are retained for 2 years to meet compliance requirements. The workspace retention policy is set to 90 days. What should you do?
59. You are using Microsoft Defender for Cloud to protect Azure Kubernetes Service (AKS) clusters. You need to receive alerts about suspicious activities within the cluster, such as privilege escalations. What should you enable?
60. Your organization uses Microsoft Sentinel to manage security incidents. You need to configure automated response to block a user account when a high-severity incident is triggered. The response should be automatically executed when the incident is created. What should you create?
61. You need to ensure that all Azure subscriptions in your tenant are automatically assessed for security misconfigurations and compliance against the Microsoft cloud security benchmark. What should you configure?
62. Your security team detects a series of failed sign-ins from multiple IP addresses for a privileged user account in Microsoft Entra ID. You need to automatically create an incident in Microsoft Sentinel and block the user account. What should you configure?
63. Your organization uses Microsoft Sentinel to monitor hybrid workloads. You need to collect logs from on-premises Linux servers and send them to Sentinel. The solution must minimize latency and administrative overhead. What should you deploy?
64. You need to prioritize security recommendations in Microsoft Defender for Cloud. Your compliance team requires a framework that maps to regulatory standards. What should you use?
65. Your organization uses Microsoft Defender for Cloud to protect Azure VMs. You notice that some VMs are not reporting security data. You verify that the Log Analytics agent is installed and running. What is the most likely cause?
66. You are designing a Microsoft Sentinel solution for a multinational company. The company requires that security incidents be correlated across regions, but data residency mandates require logs to remain in their original region. What should you implement?
67. Your organization uses Microsoft Defender for Cloud to monitor Azure SQL databases. You receive an alert indicating a potential SQL injection attack. What is the most effective immediate action to validate and respond?
68. Your organization is migrating to Azure and needs to protect against advanced threats like fileless malware. You must use a solution that provides real-time protection and integrates with Microsoft Defender for Cloud. What should you deploy on Azure VMs?
69. You need to ensure that security alerts from Microsoft Defender for Cloud are sent to a central SIEM system. What should you configure?
70. Which TWO of the following are valid ways to integrate Microsoft Sentinel with Microsoft Defender XDR?
71. Which THREE of the following are capabilities of Microsoft Defender for Cloud's workload protection plans?
72. Which TWO of the following are valid data connectors in Microsoft Sentinel?
73. You are a security engineer for a company that uses Microsoft Defender for Cloud with the CSPM (Cloud Security Posture Management) plan enabled. You need to ensure that all Azure subscriptions are assessed against the Microsoft Cloud Security Benchmark (MCSB). Which action should you take?
74. Your company has Microsoft Sentinel deployed in multiple workspaces across several Azure regions. The security operations team wants to query data from all workspaces centrally using a single KQL query. What feature should you implement?
75. You are configuring Microsoft Defender for Cloud to protect your Azure virtual machines. You need to enable just-in-time (JIT) VM access to reduce the attack surface. What prerequisite must be met?
76. Your security team receives a high-priority alert from Microsoft Sentinel indicating a potential brute-force attack against an Azure SQL Database. The alert was generated by an analytics rule using the following KQL query: 'SigninLogs | where ResultType == "50057" | summarize Count = count() by UserPrincipalName, IPAddress | where Count > 10'. What is the most likely cause of the alert?
77. You are designing a Microsoft Sentinel deployment for a multinational company. The company requires that data from different geographic regions be stored separately to comply with data residency laws. What is the recommended approach?
78. You need to configure a continuous export of Microsoft Defender for Cloud alerts to a third-party SIEM. Which feature should you use?
79. Your company uses Microsoft Sentinel to monitor Azure resources. A new analytics rule is created to detect anomalous access to storage accounts. The rule runs every 5 minutes and looks at the last 15 minutes of data. After deploying, the rule generates no alerts even though you suspect there are anomalies. What is the most likely issue?
80. You are responsible for securing Azure resources using Microsoft Defender for Cloud. You receive a recommendation that your Azure Kubernetes Service (AKS) cluster has a vulnerability in a container image. The recommendation is labeled 'Container images should be scanned for vulnerabilities'. What action should you take to remediate this recommendation?
81. Your organization wants to use Microsoft Sentinel to automatically respond to high-severity incidents. Which feature should you configure?
82. Which TWO of the following are valid methods to ingest data into Microsoft Sentinel? (Select two.)
83. Which THREE of the following are capabilities of Microsoft Defender for Cloud's Cloud Security Posture Management (CSPM) plan? (Select three.)
84. Which TWO of the following are valid data sources for Microsoft Sentinel's UEBA (User and Entity Behavior Analytics)? (Select two.)
85. Your organization uses Microsoft Defender for Cloud to protect Azure workloads. You notice that a critical Azure VM is not covered by any of the Defender for Cloud plans. You need to ensure that the VM is protected by the Defender for Servers plan. What should you do?
86. Your security team uses Microsoft Sentinel to detect threats. You need to set up a rule that triggers an alert when a user account is created in Microsoft Entra ID. Which rule type should you configure?
87. Your organization has multiple Azure subscriptions and uses Microsoft Defender for Cloud. You need to ensure that all subscriptions have a consistent security policy applied. You create a management group containing all subscriptions. What should you do next to assign a Defender for Cloud initiative to all subscriptions?
88. Refer to the exhibit. You are evaluating an Azure Policy definition that enables Defender for Cloud on a subscription. The policy uses the 'DeployIfNotExists' effect. Which role must be assigned to the managed identity used by this policy to successfully deploy the pricing resource?
89. Your organization uses Microsoft Sentinel and has enabled User and Entity Behavior Analytics (UEBA). You need to investigate a possible insider threat where a user is accessing sensitive data from unusual locations. Which Sentinel feature should you use to visualize the user's activities and related entities?
90. Your company has a hybrid environment with on-premises servers and Azure VMs. You want to use Microsoft Defender for Cloud to assess the security posture of both environments. What do you need to install on the on-premises servers to enable Defender for Cloud monitoring?
91. Your security operations center (SOC) uses Microsoft Sentinel. You need to create a custom analytics rule that detects when a user signs in from a country not in the allowed list and then accesses a high-value SharePoint site within 10 minutes. The rule should generate an incident only if both conditions occur. Which KQL operator should you use in the rule query?
92. You are configuring Microsoft Defender for Cloud's regulatory compliance dashboard. Your organization must comply with SOC 2. You have enabled the SOC 2 regulatory compliance standard. After a week, some controls show as 'Unhealthy'. What is the most likely reason for the 'Unhealthy' status?
93. Refer to the exhibit. You are creating a Microsoft Sentinel scheduled analytics rule using the KQL query shown. The rule is set to run every hour. What will this rule detect?
94. Your organization uses Microsoft Defender for Cloud to protect Azure SQL databases. You need to enable Advanced Threat Protection (ATP) for Azure SQL. Where should you configure this?
95. Which TWO are benefits of using Microsoft Sentinel's automation rules? (Choose two.)
96. Which THREE are valid Microsoft Defender for Cloud plans? (Choose three.)
97. Which TWO are capabilities of Microsoft Sentinel UEBA? (Choose two.)
98. Which THREE are prerequisites for integrating Microsoft Sentinel with Microsoft Defender XDR? (Choose three.)
99. Refer to the exhibit. You are reviewing the encryption configuration of an Azure Log Analytics workspace used by Microsoft Sentinel. The configuration shows infrastructure encryption enabled and a customer-managed key (CMK) from Azure Key Vault. What additional step must be taken to ensure that the CMK is used for all data?
100. You are a security engineer for a company that uses Microsoft Defender for Cloud. You need to ensure that all Azure subscriptions are continuously assessed against the Microsoft cloud security benchmark (MCSB). The solution must automatically assign compliance standards to new subscriptions. What should you do?
101. Your company uses Microsoft Sentinel to monitor security events. You are asked to create an analytics rule that detects when a user outside of business hours (9 PM to 5 AM) performs a high-risk operation like deleting a large number of Azure resources. The rule must trigger an incident and assign it to the SOC team. Which rule type and configuration should you use?
102. You are responsible for securing an Azure environment using Microsoft Defender for Cloud. You need to reduce the number of false positive security alerts for a specific Azure SQL Database. The database is regularly scanned by a legitimate security tool that generates alerts. What should you do?
103. Your organization is deploying Microsoft Sentinel in a multi-region environment. You need to design a workspace architecture that minimizes data egress costs while ensuring that data from all regions is available for queries and incident investigation. The security team is centralized in the US. What should you do?
104. A company uses Microsoft Defender for Cloud to assess the security posture of its Azure resources. The security team notices that the secure score is lower than expected because many recommendations are marked as 'Unhealthy' for resources that are not yet deployed (planned resources). How should you ensure that the secure score accurately reflects only deployed resources?
105. You need to enable Microsoft Defender for Cloud's workload protection for Azure Kubernetes Service (AKS) clusters. Which Defender plan should you enable?
106. Your organization uses Microsoft Sentinel to detect and respond to threats. You need to create an automation rule that automatically closes low-severity incidents after 24 hours of inactivity. The rule should apply to all analytics rules. What should you configure?
107. Your company is using Microsoft Defender for Cloud to monitor hybrid workloads that include on-premises servers and Azure VMs. You need to ensure that all servers are covered by the integrated vulnerability assessment solution (Microsoft Defender Vulnerability Management). What is the minimum requirement for on-premises servers?
108. You are configuring Microsoft Sentinel data connectors. Which data connector should you use to ingest logs from Microsoft Entra ID (Azure AD) audit logs and sign-in logs?
109. Which TWO actions can you perform using Microsoft Defender for Cloud's regulatory compliance dashboard? (Select two.)
110. Which THREE are valid methods to ingest data into Microsoft Sentinel? (Select three.)
111. Which TWO are features of Microsoft Defender for Cloud's workload protection for Azure SQL databases? (Select two.)
112. Refer to the exhibit. You are reviewing a scheduled analytics rule in Microsoft Sentinel that uses the KQL query shown. The rule is configured to run every hour. A security analyst reports that the rule is generating too many incidents. What is the most likely cause?
113. Refer to the exhibit. You are reviewing a custom Azure Policy definition used in Microsoft Defender for Cloud. The policy is intended to deploy a vulnerability assessment solution on SQL Managed Instances that do not have one. However, the policy is not being evaluated for any resources. What is the most likely reason?
114. Refer to the exhibit. You are assigning a built-in Azure Policy definition to a subscription using Azure CLI. The policy is 'Audit VMs that do not use managed disks'. After assignment, you check in Microsoft Defender for Cloud and see that the policy is not generating any recommendations. What is the most likely reason?
115. A company uses Microsoft Defender for Cloud to secure its hybrid environment. The security team notices that many alerts are low severity and causing alert fatigue. They want to reduce noise without missing critical threats. What should they configure?
116. A security analyst receives a Defender for Cloud alert indicating 'Malicious SQL injection attempt' on an Azure SQL Database. The analyst wants to immediately block the attacker's IP address at the network level using a just-in-time (JIT) VM access policy, but the SQL Database is not behind a VM. What should the analyst do to block the IP?
117. Your organization uses Microsoft Sentinel for security information and event management (SIEM). You need to create a custom analytics rule that triggers an incident when a user signs in from an unfamiliar location. Which data source should you use?
118. A company has enabled Microsoft Defender for Cloud on all subscriptions. The security team wants to ensure that all virtual machines have vulnerability assessment solutions installed. What should they configure?
119. A financial services company uses Microsoft Sentinel to detect ransomware activity. They want to correlate alerts from multiple sources to reduce false positives. They have enabled Microsoft Defender for Cloud, Microsoft Defender XDR, and Azure Firewall logs. Which Sentinel feature should they use to create a single alert from multiple signals?
120. Your organization uses Microsoft Defender for Cloud to protect Azure resources. You need to ensure that storage accounts are only accessible via HTTPS. What should you configure?
121. A company uses Microsoft Sentinel as its SIEM. The security team wants to automatically respond to phishing emails detected by Microsoft Defender XDR. They want to create a playbook that, when triggered, will delete the email from all recipients' mailboxes. Which integration should the playbook use?
122. A multinational corporation uses Microsoft Defender for Cloud to assess security posture across multiple subscriptions. The security team wants to ensure that all resources in a specific management group are compliant with a custom set of security standards. What should they do?
123. A company uses Microsoft Sentinel to monitor Azure resources. They have a custom analytics rule that generates an incident when a user creates a new Azure SQL Database. The incident is assigned to the security team. However, they want to automatically notify the database administration team via email when such an incident is created. What should they configure?
124. Which TWO of the following are valid methods to connect on-premises syslog data to Microsoft Sentinel?
125. Which THREE of the following are features of Microsoft Defender for Cloud's Cloud Security Posture Management (CSPM)?
126. Which TWO of the following data connectors are available by default in Microsoft Sentinel?
127. Your company uses Microsoft Defender for Cloud with the default auto-provisioning configuration. A security engineer reports that critical vulnerabilities in Azure Virtual Machines are being detected but not automatically remediated. The engineer wants to enable automatic remediation for all supported findings. What should the engineer configure?
128. Your organization uses Microsoft Sentinel to detect threats across multiple Azure subscriptions. Security analysts need to query threat intelligence data from Microsoft Defender Threat Intelligence (MDTI) directly within Sentinel. However, analysts report that MDTI indicators are not appearing in the ThreatIntelligenceIndicator table. What is the most likely cause?
129. A company is deploying Microsoft Sentinel for the first time. The security team wants to ensure that all Azure activity logs, including data plane operations from Azure Storage, are ingested into Sentinel. Which data connector should they enable?
130. Your organization uses Microsoft Defender for Cloud to manage security posture. You need to ensure that all Azure subscriptions have the 'MFA should be enabled on accounts with owner permissions' security control applied. The compliance dashboard shows this control as 'Unhealthy' for several subscriptions. What should you do to automatically remediate non-compliant subscriptions?
131. A security analyst receives a high-severity alert in Microsoft Sentinel indicating a potential brute-force attack against an Azure VM. The analyst wants to automatically block the attacker IP for 24 hours. What is the most efficient way to achieve this?
132. Your organization uses Microsoft Defender for Cloud's workload protection for Azure SQL databases. You notice that Defender for Cloud is not generating alerts for anomalous activities on a specific SQL database. The database is in a VNet with a service endpoint enabled for SQL. What should you verify first?
133. Your security team uses Microsoft Sentinel's UEBA (User and Entity Behavior Analytics) to detect insider threats. To enable UEBA, which data source must be connected to Sentinel?
134. You manage a multi-tenant environment using Azure Lighthouse. You need to use Microsoft Defender for Cloud to monitor security posture across customer tenants. However, you cannot see the regulatory compliance dashboard for customer subscriptions. What is the most likely reason?
135. Your organization uses Microsoft Sentinel and wants to create a custom analytics rule to detect failed logon attempts from a specific IP address. The rule should run every hour and look for the event in the SecurityEvent table. However, the rule never triggers even though the events exist. What is the most likely cause?
136Which TWO actions can you perform using Microsoft Defender for Cloud's 'Security Alerts' page?
137Which THREE features are part of Microsoft Defender XDR (formerly Microsoft 365 Defender) integration with Microsoft Sentinel?
138Which TWO Microsoft Defender for Cloud plans specifically provide threat detection for Azure Storage?
139Your security team receives an alert from Microsoft Defender for Cloud indicating 'Suspicious PowerShell script detected' on a virtual machine. The VM is running a critical application, and you need to investigate without disrupting the service. Which action should you take first?
140You need to configure Microsoft Defender for Cloud to automatically remediate misconfigurations in Azure resources. Which feature should you enable?
141Your organization uses Microsoft Sentinel to detect threats across Azure, AWS, and on-premises environments. You need to create an analytics rule that will generate an incident when more than 10 failed logon attempts occur within 5 minutes from the same source IP. Which rule type should you use?
142Your company deploys a new Azure application gateway with WAF policy in prevention mode. After deployment, users report that legitimate traffic is being blocked. You need to identify which WAF rules are causing the blocks without affecting the security posture. What should you do?
143You are configuring Microsoft Defender for Cloud for a multi-subscription environment. You need to ensure that security alerts are aggregated in a central location and that a single team can manage recommendations across all subscriptions. What should you use?
144You receive a Microsoft Defender for Cloud recommendation: 'Azure Policy Add-on for Kubernetes should be installed and enabled on your clusters'. The recommendation is marked as 'Unhealthy' for your AKS cluster. However, you have already installed the Azure Policy add-on. What is the most likely cause?
145Your security operations center (SOC) uses Microsoft Sentinel. You need to ensure that an incident is automatically created when a specific type of alert fires from Microsoft Defender for Cloud. What is the most efficient way to configure this?
146You need to enable Microsoft Defender for Cloud's enhanced security features for an Azure subscription. Which of the following is required?
147Your organization uses Microsoft Sentinel to monitor hybrid environments. You have a Log Analytics workspace that collects Windows security events. You need to create an analytics rule that triggers when a user account is created on any server, but you only want to generate an incident if the account creation occurs outside of business hours (9 AM - 5 PM). How should you configure the rule query?
148Which TWO actions can be performed using Microsoft Defender for Cloud's 'Regulatory Compliance' dashboard?
149Which THREE components are required to enable Microsoft Defender for Cloud's just-in-time (JIT) VM access?
150Which TWO types of data can Microsoft Sentinel ingest from Microsoft Defender XDR?
151Your company uses Microsoft Defender for Cloud to assess the security posture of Azure subscriptions. You notice that a critical recommendation 'Vulnerabilities in virtual machines should be remediated' is showing a healthy status of 0% compliance. Which action should you take first to enable vulnerability assessment for all VMs?
152Your organization runs a critical application on an Azure VM that generates sensitive data. You need to ensure that only approved applications can execute on the VM to prevent malware. You have Microsoft Defender for Cloud enabled with the Defender for Servers plan P2. Which feature provides application control without requiring custom rules?
153You are evaluating Microsoft Defender for Cloud's cloud security posture management (CSPM) capabilities. You need to identify misconfigurations across your Azure, AWS, and GCP environments. What should you enable?
154A security analyst reports that a high-priority alert in Microsoft Sentinel for 'Malware detected on VM' was closed without investigation. You need to ensure that all alerts of severity High and above cannot be closed without adding a comment. What should you configure in Sentinel?
155Refer to the exhibit. You are reviewing a policy assignment in Microsoft Defender for Cloud that deploys the Log Analytics agent to Azure VMs. The policy uses 'DeployIfNotExists' effect and specifies a workspace. However, newly created VMs are not showing the agent installed. What is the most likely cause?
156Your company has multiple Azure subscriptions and wants to use Microsoft Sentinel as a SIEM. You need to collect security events from all Azure VMs, including existing and future ones. What should you use?
157You are configuring Microsoft Sentinel to detect a new type of ransomware that encrypts files and changes file extensions. You need to create a detection rule that generates an incident when the same pattern of file changes occurs on multiple hosts within a short time. Which rule type should you use?
158Your organization uses Microsoft Defender for Cloud to protect Azure SQL databases. You receive a recommendation that 'SQL databases should have vulnerability findings resolved'. You run a vulnerability assessment scan and find a high-severity finding about a missing firewall rule. How should you resolve this finding?
159Your security team wants to use Microsoft Sentinel to investigate a compromised user account. They need to see the user's recent sign-in activity, Azure AD audit logs, and related alerts in a single dashboard. What feature in Sentinel should they use?
160Which TWO actions should you take to integrate on-premises servers with Microsoft Defender for Cloud for unified security management? (Choose two.)
161Which THREE are valid ways to trigger a playbook in Microsoft Sentinel? (Choose three.)
162Which TWO security controls are automatically provided by enabling Microsoft Defender for Cloud's foundational CSPM (Cloud Security Posture Management) capabilities? (Choose two.)
163You are a security engineer for a multinational company with 5000 Azure VMs across multiple subscriptions. You have deployed Microsoft Sentinel to ingest logs from all VMs via the Log Analytics agent. You need to create a detection rule that identifies potential cryptocurrency mining activity based on network traffic patterns. The rule should trigger an incident when any single VM communicates with a known mining pool IP address over port 3333, 4444, or 8333 within a 5-minute window. Additionally, to reduce noise, the rule should only trigger if the same VM sends more than 10 such connections in that window. You have a custom KQL function that extends the CommonSecurityLog table with an 'IsMiningPool' boolean column. Which of the following approaches should you use to create the rule?
164Your organization uses Microsoft Defender for Cloud to secure a multi-subscription environment. You have a subscription named 'Prod' that hosts critical applications. The security team requires that any new resource group created in the Prod subscription must automatically be protected by Microsoft Defender for Cloud at the 'Defender for Servers' plan P2 level. You need to implement a solution that ensures this compliance without manual intervention. You consider using Azure Policy, Azure Blueprints, or management group settings. Which option should you choose?
165Your company has a hybrid environment with Azure resources and on-premises servers. You have deployed Microsoft Sentinel and connected it to Azure AD, Azure Activity Logs, and Windows Security Events from on-premises servers via the Log Analytics gateway. You need to create a workbook that shows the number of sign-ins from each country over the last 24 hours. The data source is the SigninLogs table. However, the workbook does not display any data. You verify that the Log Analytics workspace is receiving sign-in logs from Azure AD. Which of the following is the most likely reason the workbook shows no data?
166Your organization uses Microsoft Defender for Cloud to secure a multi-cloud environment that includes Azure, AWS, and GCP resources. You need to ensure that all resources are assessed against a consistent set of security standards. What should you configure first?
167Refer to the exhibit. You are reviewing a custom Azure Policy definition that will be assigned to a subscription to audit storage accounts and Cosmos DB accounts. The policy is intended to check whether these resources use customer-managed keys (CMK) for encryption. However, when you test the policy assignment, it does not evaluate Cosmos DB accounts. What is the most likely reason?
168Your security team has deployed Microsoft Sentinel. They need to create an analytics rule that uses a custom KQL query to detect failed logon attempts from a specific IP address range and automatically creates an incident with a severity of 'High'. Which rule type should they use?
169Your organization uses Microsoft Defender for Cloud's Cloud Security Posture Management (CSPM) to assess security posture. You notice that a critical recommendation for enabling diagnostic logs on Azure Key Vault is not appearing for a specific subscription. You have confirmed that the subscription is onboarded to Defender for Cloud. What is the most likely cause?
170Your company is using Microsoft Sentinel to monitor security events. You need to ensure that all incidents generated in Sentinel are automatically sent to a third-party ticketing system via a webhook. Which Sentinel feature should you configure?
171Your organization has a hybrid identity environment with Microsoft Entra ID (formerly Azure AD) and on-premises Active Directory. You are using Microsoft Defender for Cloud to monitor security posture. You notice that the recommendation 'MFA should be enabled on accounts with owner permissions on your subscription' shows a status of 'Unhealthy' for some accounts, but those accounts already have Microsoft Entra Conditional Access policies requiring MFA. What is the most likely reason for the discrepancy?
172Your security team is investigating a potential data exfiltration incident. They have identified that a user has been downloading large amounts of data from Azure Blob Storage to an external IP address. You need to create a Microsoft Sentinel analytics rule that triggers when more than 1 GB of data is downloaded from a storage account in a single hour. Which KQL query should be the basis of the rule?
173Your company wants to use Microsoft Defender for Cloud's just-in-time (JIT) VM access to reduce the attack surface. You have enabled JIT for a set of VMs. A security administrator reports that they cannot connect via RDP even after requesting access. What is the most likely cause?
174Refer to the exhibit. You assign this built-in policy to a resource group containing Linux VMs. The policy is intended to deploy the Log Analytics agent if it is missing. After the assignment, you notice that the policy does not evaluate any VMs and the compliance state is 'Not started'. What is the most likely reason?
175Your organization is using Microsoft Sentinel to centralize security data from multiple sources. You need to ensure that data from Azure Active Directory (now Microsoft Entra ID) logs is ingested. Which two of the following should you configure? (Choose two.)
176Your company is implementing Microsoft Defender for Cloud's Security Alerts. You need to ensure that alerts for critical severity are automatically sent to the security operations team via email and also create a ticket in ServiceNow. Which three actions should you take? (Choose three.)
177Your organization wants to use Microsoft Sentinel to detect and respond to threats. You need to ensure that Sentinel can ingest data from Azure Firewall logs. Which three components are required? (Choose three.)
178Your company uses Microsoft Defender for Cloud to protect Azure resources. You want to enable the 'Defender for Containers' plan to secure AKS clusters. Which two configurations are necessary? (Choose two.)
179Your company is using Microsoft Sentinel for security operations. You need to create a threat intelligence (TI) feed that allows Sentinel to match indicators from an external source. Which three actions should you take? (Choose three.)
180Your organization has a complex Azure environment with multiple subscriptions, each containing hundreds of VMs and PaaS services. You are responsible for ensuring that all resources are monitored for security threats using Microsoft Defender for Cloud. The environment includes: - Subscription A: Production workloads, requires the highest security posture. - Subscription B: Development environment, has a lower security budget. - Subscription C: Shared services (e.g., DNS, Active Directory). You need to implement the most cost-effective security monitoring solution that meets the following requirements: - All subscriptions must be covered by Defender for Cloud. - Production subscription must have vulnerability assessment for VMs. - Development subscription does not need vulnerability assessment but must have basic CSPM. - Shared services subscription must have advanced threat protection for Azure SQL databases. - You must minimize administrative overhead and ensure that security policies are centrally managed. What should you do?
181Your company has a Microsoft Sentinel workspace that ingests logs from multiple sources, including Azure Active Directory (now Microsoft Entra ID), Azure Firewall, and Microsoft 365 Defender. You are asked to create an analytics rule that detects when a user account is deleted from Microsoft Entra ID and then, within 24 hours, a large number of Azure resources are deleted in the same tenant. You have the following requirements: - The rule must use KQL to correlate events across two tables: AuditLogs (for user deletion) and ActivityLogs (for resource deletion). - The rule should trigger an incident only if more than 10 resources are deleted within 24 hours after the user deletion. - The incident severity should be set to 'High'. - The rule should run every hour and look back 24 hours. Which of the following is the correct KQL query for the analytics rule? (Choose the best option.)
182Your company uses Microsoft Defender for Cloud's regulatory compliance dashboard to track compliance with the PCI DSS standard. You have enabled the PCI DSS initiative on the management group. The dashboard shows that some controls are 'Not started' even though you have implemented the required security configurations. You suspect that the assessment might not be running correctly. You need to ensure that the compliance assessments are triggered for all resources. The environment consists of: - 3 subscriptions under a management group. - All subscriptions have Defender for Cloud enabled with the CSPM plan. - The PCI DSS initiative was assigned at the management group level. - Some resources are in regions that do not support certain policy effects. What is the most likely reason for the 'Not started' status?
183Your organization uses Microsoft Sentinel to monitor for data exfiltration. You have configured a scheduled analytics rule that detects when an external IP address downloads more than 100 MB of data from an Azure Storage account within 5 minutes. The rule triggers, but the incident created has a severity of 'Low', while your team wants it to be 'High' for all such incidents. What should you do?
184Your company has a Microsoft Sentinel workspace that ingests logs from Azure AD, Azure Activity, and Azure Firewall. You are investigating an incident where an attacker gained access to a user's credentials and logged in from an unusual location. The sign-in log shows that the user passed MFA. You suspect that the attacker might have used a phishing attack to bypass MFA. Which Microsoft 365 Defender feature should you enable to detect such attacks?
185Your organization uses Microsoft Defender for Cloud with the CSPM plan enabled. You need to ensure that all Azure subscriptions have Microsoft Defender for Cloud's auto-provisioning enabled for the Log Analytics agent. Which Azure Policy initiative should you assign?
186You have configured Microsoft Sentinel to ingest logs from Azure Active Directory (now Microsoft Entra ID). You notice that sign-in logs for external guest users are not appearing in Sentinel. What is the most likely cause?
187Your security team wants to use Microsoft Defender for Cloud's 'Just-In-Time (JIT) VM access' to reduce the attack surface. Which Azure policy must be enabled on the subscription to use JIT?
188Which TWO actions can you perform using Microsoft Sentinel's UEBA (User and Entity Behavior Analytics) feature? (Choose two.)
189Which THREE Microsoft Defender for Cloud features require Microsoft Defender for Servers Plan 2? (Choose three.)
190Which TWO data sources can be connected to Microsoft Sentinel using built-in data connectors? (Choose two.)
191What is the primary purpose of this KQL query?
192You are a security engineer for Contoso Ltd. The company has a hybrid environment with Azure VMs and on-premises servers running Windows Server 2022. You have enabled Microsoft Defender for Cloud's multi-cloud posture management for AWS and GCP. Recently, you deployed Microsoft Sentinel in a Log Analytics workspace named 'ContosoWorkspace'. The security team needs to centralize security alerts from all sources: Azure, on-premises, AWS, and GCP. They also require automated investigation and response for common threats. Specifically, they want to automatically disable a compromised user account when a high-severity alert is generated. You have configured data connectors for Azure Activity, Microsoft Entra ID, and AWS CloudTrail. For on-premises servers, you installed the Azure Monitor Agent (AMA) and enabled Defender for Cloud's plan for servers. For GCP, you are using the GCP Security Command Center connector. The team needs to create a playbook that runs when a high-severity alert from any source is triggered. The playbook should disable the user account in Microsoft Entra ID. You have created a playbook using Azure Logic Apps and granted it the necessary permissions. Which step should you take to ensure the playbook runs automatically when alerts are generated?
193Your organization uses Microsoft Defender for Cloud to assess the security posture of Azure subscriptions. The security team wants to implement a continuous compliance monitoring solution using Microsoft Defender for Cloud's regulatory compliance dashboard. They need to monitor compliance against the 'CIS Microsoft Azure Foundations Benchmark' and 'PCI DSS v3.2.1'. Currently, the subscription has the 'Azure Security Benchmark' initiative assigned. You need to configure the compliance dashboard to show both CIS and PCI DSS standards. The subscription already has Microsoft Defender for Cloud's CSPM plan enabled. You have also enabled the 'Defender for Cloud' plan for servers. What should you do to meet the requirements?
194You are a security analyst at Fabrikam Inc. You have deployed Microsoft Sentinel and connected it to Microsoft 365 Defender (formerly Microsoft Threat Protection). You have also enabled UEBA and set up analytics rules for detecting suspicious sign-ins. Recently, you noticed that some high-severity incidents from Microsoft 365 Defender are not appearing in Microsoft Sentinel. You have verified that the Microsoft 365 Defender connector is enabled and that incidents are being sent to the workspace. However, the incidents are not being created as Sentinel incidents. What is the most likely reason?
195Your company uses Microsoft Defender for Cloud's 'Vulnerability Assessment' solution for Azure VMs. You have enabled the 'Microsoft Defender for Servers' plan and deployed the integrated Qualys agent. You need to view the vulnerability assessment findings for all VMs in a single dashboard in Microsoft Defender for Cloud. Which blade in the Defender for Cloud portal should you navigate to?
196You have a Microsoft Sentinel workspace that ingests data from multiple sources, including Azure Activity, Microsoft Entra ID, and Azure Firewall. You need to create a custom analytics rule that detects when a user signs in from an IP address that has been flagged as malicious in a threat intelligence feed. You have already imported threat intelligence indicators into Sentinel using the 'Threat Intelligence - TAXII' data connector. The threat intelligence indicators are stored in the 'ThreatIntelligenceIndicator' table. Which KQL function should you use in the analytics rule to match sign-in logs against the threat indicators?
197You are configuring Microsoft Defender for Cloud's 'Workload protections' for a Kubernetes cluster that is already using Azure Kubernetes Service (AKS). The cluster has 'Azure Policy' enabled. You need to enable the 'Microsoft Defender for Containers' plan to protect the cluster. You have already enabled the plan at the subscription level. However, the cluster is not showing as protected in the 'Inventory' blade. You have confirmed that the 'Azure Policy for Kubernetes' add-on is installed. What should you do to ensure the cluster is protected?
198Your organization uses Microsoft Sentinel for security operations. You need to create a custom analytics rule that triggers an incident when a user executes a suspicious PowerShell command on a Windows server. The logs are stored in the 'DeviceEvents' table from Microsoft Defender for Endpoint (now part of Microsoft Defender XDR). The rule should run every 5 minutes. Which scheduling frequency and query period should you configure?
199You are a security engineer for a large enterprise using Microsoft Sentinel. You have multiple workspaces deployed across different Azure regions to meet data residency requirements. You need to query data across all workspaces from a single query. You have set up a workspace as the 'central' workspace for cross-workspace queries. The central workspace has the necessary permissions to access the other workspaces. Which KQL operator should you use to include data from other workspaces in your query?
200You are the security engineer for a multinational company that uses Azure to host critical workloads. The company has deployed Microsoft Defender for Cloud with the enhanced security features enabled on all subscriptions. Recently, a security audit revealed that several virtual machines (VMs) in the production environment are missing critical security updates. The audit report indicates that the VMs are not being assessed for missing updates by Defender for Cloud. You need to ensure that all VMs are automatically assessed for missing OS updates using Defender for Cloud's vulnerability assessment capabilities. The solution must minimize administrative overhead and should not require manual installation of agents on existing VMs. What should you do?
201Your organization uses Microsoft Sentinel for security information and event management (SIEM). You need to create a custom analytics rule that detects when a user account is created in Microsoft Entra ID and then, within 24 hours, that account is granted a privileged role (e.g., Global Administrator). You have set up the necessary data connectors to ingest Microsoft Entra ID audit logs and sign-in logs into Sentinel. The rule should trigger an incident with high severity when this sequence occurs. Which KQL query should you use in the analytics rule?
202Your company has deployed Microsoft Defender for Cloud in all subscriptions. You need to ensure that all Azure SQL databases are protected by Advanced Threat Protection (ATP). You want to enable ATP at the subscription level so that new databases are automatically protected. The security policy must be enforced to prevent administrators from disabling ATP on individual databases. What should you do?
203Your organization uses Microsoft Sentinel to monitor security events. You need to configure automated response actions for incidents. Which TWO of the following can be used to trigger automated responses in Microsoft Sentinel?
204You are configuring Microsoft Defender for Cloud to protect an Azure Kubernetes Service (AKS) cluster. The cluster runs sensitive workloads. You need to enable threat detection and vulnerability assessment for the AKS environment. Which THREE of the following should you enable?
205A company uses Microsoft Defender for Cloud to protect its hybrid workloads. Security administrators report that critical alerts for SQL servers are not appearing in the Defender for Cloud dashboard. The SQL servers are on-premises and have Azure Arc enabled. Which configuration step should be verified first?
206A security operations team uses Microsoft Sentinel to monitor sign-in logs. They receive frequent false positive alerts for 'Anonymous IP address sign-in' from a specific external IP range used by a trusted partner. The analysts want to suppress these alerts without reducing detection coverage. What is the most efficient approach?
207A company is deploying Microsoft Sentinel in a new Azure subscription. The security team wants to ingest Windows security events from on-premises servers. Which data connector should they use?
208Your organization has enabled Microsoft Defender for Cloud on all subscriptions. You need to ensure that the security score is improved by implementing recommendations. Which TWO actions would directly improve the secure score?
209A SOC team uses Microsoft Sentinel. They want to create an analytics rule that detects excessive failed logons from a single IP address. The rule must run every 5 minutes and look back 1 hour. Which THREE components are required to configure this scheduled query rule?
210Refer to the exhibit. You are assigned a policy that deploys the Log Analytics agent to Linux VMs. After assigning this policy to a subscription, you notice that existing Linux VMs are not getting the agent deployed, but newly created VMs receive the agent. What is the most likely reason?
211You are a security architect for a large enterprise with 500 Azure subscriptions organized into a management group hierarchy. The company uses Microsoft Defender for Cloud to assess security posture. The CISO wants a single dashboard view of the secure score across all subscriptions, but with the ability to drill down into individual management groups. You need to recommend a solution that provides this capability with minimal administrative overhead. The company already has Log Analytics workspaces deployed per region. Which approach should you take?
212A company uses Microsoft Sentinel to centralize security logs. They need to ensure that incidents from Microsoft Defender XDR are synchronized into Sentinel. Which data connector should they enable?
213A company uses Microsoft Defender for Cloud to protect Azure resources. The security team wants to automatically remediate certain recommendations without manual intervention. They decide to use Azure Policy to enforce secure configurations. Which feature in Defender for Cloud allows them to create policy assignments directly from the recommendation?
The Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel domain covers the key concepts tested in this area of the AZ-500 exam blueprint published by Microsoft. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all AZ-500 domains — no account required.
The Courseiva AZ-500 question bank contains 213 questions in the Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.