© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

AZ-500 Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel — All Questions With Answers

Complete AZ-500 Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel question bank: 213 questions with answers and detailed explanations. Free, no signup required.
Question 1 (hard, multiple choice)

A company uses Microsoft Defender for Cloud to manage the security posture of multiple Azure subscriptions. The security team wants to ensure that all subscriptions are covered by the same Microsoft Defender for Cloud policy initiative, but one subscription is not showing compliance data. The subscription is in the same Azure AD tenant and has the same tags. What is the most likely cause?

Question 2 (medium, multiple choice)

An organization uses Microsoft Defender for Cloud to protect Azure virtual machines. They notice that several VMs are not receiving vulnerability assessment findings, even though they are in a scope where the integrated Qualys VA solution is enabled. What should they verify first?

Question 3 (easy, multiple choice)

A security analyst needs to create a custom alert in Microsoft Defender for Cloud that triggers when a user creates a public IP address in the 'production' resource group. Which type of alert should they use?

Question 4 (medium, multiple choice)

Your company uses Microsoft Sentinel to monitor security events. You need to detect brute-force attacks against Azure VMs that are not yet onboarded to Sentinel. What should you do?

Question 5 (hard, multiple choice)

A security team uses Microsoft Defender for Cloud's regulatory compliance dashboard to track compliance with PCI DSS. They notice that some controls are marked as 'N/A' even though they have relevant resources. What is the most likely reason?

Question 6 (easy, multiple choice)

You are configuring Microsoft Sentinel to ingest logs from Azure Active Directory. Which two data connectors are necessary to collect sign-in logs and audit logs?

Question 7 (medium, multiple choice)

An organization uses Microsoft Defender for Cloud to protect Azure SQL databases. They want to receive alerts when a SQL database is accessed from a suspicious location. What should they enable?

Question 8 (hard, multiple choice)

Your company uses Microsoft Sentinel to correlate data from multiple sources. You need to create an analytics rule that triggers an incident when a user signs in from an unfamiliar location and then performs a high-risk action in Azure. What is the best approach?

Question 9 (easy, multiple choice)

A security analyst needs to view all incidents generated by Microsoft Defender for Cloud across multiple subscriptions in a single pane of glass. What should they use?

Question 10 (medium, multi select)

You need to ensure that Microsoft Sentinel can detect threats across your Azure environment, including virtual machines, network traffic, and user activities. Which TWO data sources should you connect?

Question 11 (hard, multi select)

A company uses Microsoft Defender for Cloud's workload protection for Azure Storage. They want to receive alerts when there is suspicious access to blob storage. Which TWO features should they enable?

Question 12 (easy, multi select)

You are deploying Microsoft Sentinel in a new Azure environment. Which THREE resources are required to deploy a Sentinel workspace?

Question 13 (hard, multiple choice)

Refer to the exhibit. You are assigning this Azure Policy to a management group. The goal is to automatically deploy the Azure Monitor Agent to Windows VMs that do not have it. However, after assignment, you notice that the policy is not deploying the agent. What is the most likely reason?

Exhibit

```json
{
  "properties": {
    "displayName": "Deploy Azure Monitor Agent for Windows VMs",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "parameters": {
      "effect": {
        "type": "String",
        "defaultValue": "DeployIfNotExists",
        "allowedValues": [
          "DeployIfNotExists",
          "AuditIfNotExists",
          "Disabled"
        ]
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```
Question 14 (medium, multiple choice)

Refer to the exhibit. A security analyst runs this KQL query in Microsoft Sentinel. What is the purpose of this query?

Exhibit

```kusto
SecurityAlert
| where TimeGenerated > ago(7d)
| summarize Count = count() by AlertName, AlertSeverity
| top 10 by Count desc
```
Question 15 (easy, multiple choice)

Refer to the exhibit. This is an excerpt from an Azure Policy assignment. What is the effect of the 'notScopes' property?

Exhibit

```json
{
  "properties": {
    "enforcementMode": "Default",
    "scope": "/subscriptions/abc123/resourceGroups/RG-Prod",
    "notScopes": [
      "/subscriptions/abc123/resourceGroups/RG-Prod/providers/Microsoft.Compute/virtualMachines/VM-Sensitive"
    ]
  }
}
```
Question 16 (easy, multiple choice)

Your organization uses Microsoft Defender for Cloud. You need to ensure that auto-provisioning of the Log Analytics agent is enabled on all Azure subscriptions, so that new VMs receive the agent automatically. What should you configure?

Question 17 (medium, multiple choice)

Your company has a hybrid environment with on-premises servers and Azure VMs. All resources are onboarded to Microsoft Defender for Cloud. You need to receive alerts when a critical vulnerability is detected on any server. The security team wants to minimize false positives. What should you configure?

Question 18 (hard, multiple choice)

A security analyst reports that Microsoft Sentinel is not receiving Windows Security Events from Azure VMs that have the Log Analytics agent installed. The agent shows as connected, and other data sources (e.g., performance counters) are flowing. What is the most likely cause?

Question 19 (easy, multiple choice)

Your organization uses Microsoft Defender for Cloud to assess regulatory compliance. You need to ensure that the compliance dashboard reflects the latest standards and that custom assessments are included. What should you do?

Question 20 (medium, multiple choice)

You are investigating a security incident in Microsoft Sentinel. A KQL query returns results indicating that a user logged in from an IP address that is not in the organization's approved list. The user's account has been compromised. You need to automatically disable the user account in Microsoft Entra ID when such an alert is triggered. What should you configure?

Question 21 (hard, multiple choice)

Your organization is using Microsoft Defender for Cloud to protect Azure SQL databases. You need to enable Advanced Threat Protection (ATP, now part of Microsoft Defender for SQL) for all existing and future Azure SQL databases in a subscription. The solution must minimize administrative effort. What should you do?

Question 22 (easy, multiple choice)

Your company has multiple Azure subscriptions. You need to centralize security alerts and incidents in a single dashboard for the security operations center (SOC) team. The solution should provide advanced analytics and threat detection. Which service should you use?

Question 23 (medium, multiple choice)

You are configuring Microsoft Defender for Cloud's continuous export feature. You need to export security alerts and recommendations to a Log Analytics workspace for long-term retention and custom analysis. The export should include only high-severity alerts and recommendations. What should you do?

Question 24 (hard, multiple choice)

You are reviewing the Azure Policy definition shown in the exhibit. This policy is assigned to a subscription. Several VMs are non-compliant. What is the most likely reason for the non-compliance?

Exhibit

```json
{
  "properties": {
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.encryptionSettings",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "AuditIfNotExists",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "existenceCondition": {
            "field": "Microsoft.Compute/virtualMachines/extensions/type",
            "equals": "AzureDiskEncryption"
          }
        }
      }
    }
  }
}
```
Question 25 (medium, multi select)

Your organization uses Microsoft Defender for Cloud to monitor Azure resources. You need to ensure that security recommendations are automatically remediated for non-compliant resources. Which TWO options can you use to achieve this?

Question 26 (hard, multi select)

You are designing a Microsoft Sentinel deployment for a multinational company. The company requires that all security logs be retained for at least seven years for compliance. The solution must be cost-effective. Which THREE actions should you take?

Question 27 (easy, multi select)

Your company uses Microsoft Defender for Cloud to protect Azure resources. You need to enable the enhanced security features (formerly Azure Defender) for all supported resource types. Which TWO plans should you enable? (Choose TWO that apply.)

Question 28 (medium, multiple choice)

You execute the KQL query shown in the exhibit in Microsoft Sentinel. The query returns no results, but you know there have been high-severity malware alerts in the past week. What is the most likely issue?

Exhibit

```kusto
SecurityAlert
| where TimeGenerated > ago(7d)
| where AlertSeverity == "High"
| where AlertName contains "Malware"
| summarize Count = count() by AlertName, CompromisedEntity
| order by Count desc
```
Question 29 (easy, multiple choice)

You run the PowerShell command shown in the exhibit. After execution, you check the Log Analytics workspace in the Azure portal. The workspace is created successfully. However, when you try to onboard the workspace to Microsoft Sentinel, you receive an error that Sentinel cannot be enabled on this workspace. What is the most likely cause?

Exhibit

```powershell
# New-AzOperationalInsightsWorkspace requires -Location, and -Sku is a string
# (not a hashtable); both corrected so the command runs as the question states.
$parameters = @{
  ResourceGroupName = 'RG-Security'
  Name              = 'ws-law'
  Location          = 'eastus'      # required parameter; region is an example value
  Sku               = 'PerGB2018'
  RetentionInDays   = 365
}
New-AzOperationalInsightsWorkspace @parameters
```
Question 30 (hard, multiple choice)

You deploy the Bicep template shown in the exhibit. After deployment, you check Microsoft Sentinel and find it is not enabled. The Log Analytics workspace and Defender for Cloud pricing plan are created successfully. What is the most likely reason Sentinel is not enabled?

Exhibit

```bicep
resource defenderPlan 'Microsoft.Security/pricings@2022-03-01' = {
  name: 'VirtualMachines'
  properties: {
    pricingTier: 'Standard'
    subPlan: 'P1'
  }
}

resource workspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' = {
  name: 'la-workspace'
  location: resourceGroup().location
  properties: {
    sku: {
      name: 'PerGB2018'
    }
    retentionInDays: 90
  }
}

resource sentinel 'Microsoft.SecurityInsights/onboardingStates@2021-10-01' = {
  name: 'default'
  properties: {
    onboardingState: 'Onboarded'
  }
}
```
Question 31 (medium, multiple choice)

Your company uses Microsoft Defender for Cloud to assess the security posture of Azure subscriptions. The security team receives an alert about a critical vulnerability in an Azure VM that was remediated two weeks ago. What is the most likely reason the alert is still active?

Question 32 (hard, multiple choice)

A security engineer configures a Microsoft Sentinel analytics rule to detect anomalous sign-ins from unfamiliar locations. The rule uses the following KQL query:

```kusto
SigninLogs
| where RiskLevelDuringSignIn == 'medium' or RiskLevelDuringSignIn == 'high'
| summarize count() by UserPrincipalName, IPAddress, bin(TimeGenerated, 1h)
```

After enabling the rule, no alerts are generated even though the team expects many. What is the most likely cause?
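A check worth running before trusting either the Question 28 query or the Question 32 query: enumerate the values that the filtered columns actually contain over the same window. This is an added example, not part of the question bank or of Microsoft's documentation. It relies on two documented behaviours: SigninLogs reports RiskLevelDuringSignIn as 'hidden' (or 'none') when the tenant is not licensed for Microsoft Entra ID P2 / Identity Protection, so an equality filter on 'medium'/'high' can legitimately match nothing, and SecurityAlert only contains Defender for Cloud alerts once that connector and the relevant Defender plan are enabled. The 7-day window is an assumption.

```kusto
// Added example: confirm what the filtered columns contain before building
// an analytics rule on them. Run each query separately in the Logs blade.

// 1. Risk levels present in SigninLogs. Without an Entra ID P2 licence the
//    column reads 'hidden' or 'none', never 'medium' or 'high', so a rule
//    keyed on those values is silent by design rather than by attack.
SigninLogs
| where TimeGenerated > ago(7d)
| summarize SignIns = count(), Users = dcount(UserPrincipalName)
    by RiskLevelDuringSignIn, ResultType
| order by SignIns desc

// 2. Severities and producing products present in SecurityAlert. If no rows
//    carry ProductName 'Azure Security Center' the Defender for Cloud
//    connector (or the alert-generating plan) is the gap, not the filter.
SecurityAlert
| where TimeGenerated > ago(7d)
| summarize Alerts = count(), Example = take_any(AlertName)
    by AlertSeverity, ProductName, ProviderName
| order by Alerts desc
```

If the first query shows only 'hidden'/'none', the rule in Question 32 cannot fire regardless of its schedule; if the second shows no Defender for Cloud rows, the Question 28 query is filtering an empty set and the fix belongs in Data connectors, not in KQL.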

Question 33 (easy, multiple choice)

You need to ensure that all Azure storage accounts in your subscription are encrypted at rest using customer-managed keys (CMK). Which Azure Policy initiative should you assign to audit compliance?

Question 34 (hard, multiple choice)

Your organization uses Microsoft Sentinel to monitor for ransomware attacks. You need to create a custom analytics rule that detects when a large number of files are encrypted within a short time window. Which KQL query should you use as the rule logic?

Question 35 (medium, multiple choice)

A security administrator needs to enable just-in-time (JIT) VM access for all Azure VMs in a subscription using Microsoft Defender for Cloud. What are the minimum permissions required to enable JIT on the VMs?

Question 36 (hard, multiple choice)

Your company uses Microsoft Defender for Cloud's regulatory compliance dashboard to track compliance with PCI DSS. After assigning the PCI DSS v4.0 initiative, several controls show as 'Not started' even though your resources are compliant. What is the most likely cause?

Question 37 (medium, multi select)

Which TWO actions can be performed using Microsoft Defender for Cloud's security alerts? (Choose two.)

Question 38 (hard, multi select)

Which THREE are valid data connectors in Microsoft Sentinel? (Choose three.)

Question 39 (easy, multi select)

Which TWO features are available in Microsoft Defender for Cloud's Cloud Security Posture Management (CSPM) capabilities? (Choose two.)

Question 40 (medium, multiple choice)

Refer to the exhibit. You assign this Azure Policy definition to a subscription containing a storage account that uses Microsoft-managed keys. What is the compliance state of the storage account?

Exhibit

```json
{
  "properties": {
    "displayName": "Audit storage accounts with customer-managed keys",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Audits storage accounts that do not use customer-managed keys.",
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Storage/storageAccounts"
      },
      "then": {
        "effect": "audit",
        "details": {
          "existenceCondition": {
            "field": "Microsoft.Storage/storageAccounts/encryption.keySource",
            "notEquals": "Microsoft.Keyvault"
          }
        }
      }
    }
  }
}
```
Question 41 (hard, multiple choice)

Refer to the exhibit. You assign this policy to a subscription that already has a security contact configured with email 'admin@contoso.com'. What will be the outcome?

Exhibit

```json
{
  "properties": {
    "displayName": "Deploy Microsoft Defender for Cloud security contacts",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Deploys security contact settings for subscriptions.",
    "metadata": {
      "version": "1.0.0",
      "category": "Security Center"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Subscription"
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Security/securityContacts",
          "name": "default",
          "existenceCondition": {
            "field": "Microsoft.Security/securityContacts/email",
            "notEquals": ""
          },
          "deployment": {
            "properties": {
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "resources": [
                  {
                    "type": "Microsoft.Security/securityContacts",
                    "name": "default",
                    "properties": {
                      "email": "security@contoso.com",
                      "phone": "555-1234",
                      "alertNotifications": {
                        "state": "On",
                        "minimalSeverity": "High"
                      },
                      "notificationsByRole": {
                        "state": "On",
                        "roles": [
                          "Owner"
                        ]
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  }
}
```
Question 42 (medium, multiple choice)

Refer to the exhibit. A Microsoft Sentinel analytics rule uses this KQL query. What is the primary purpose of this rule?

Exhibit

```kusto
SigninLogs
| where TimeGenerated > ago(7d)
| where RiskLevelDuringSignIn in ('medium', 'high')
| extend Country = tostring(LocationDetails.countryOrRegion)
| where Country != 'US'
| summarize SigninCount = count() by UserPrincipalName, Country
| where SigninCount > 3
```
Question 43 (hard, multiple choice)

Your company, Contoso Ltd., has a hybrid environment with 500 on-premises Windows servers and 200 Azure VMs. The Azure VMs are spread across multiple subscriptions. You need to implement a centralized security monitoring solution using Microsoft Sentinel. The requirements are:

- Collect security events from all on-premises servers.
- Collect Azure activity logs and VM logs from all Azure subscriptions.
- Detect and respond to threats using built-in and custom analytics.
- Automatically remediate common threats such as disabling compromised user accounts.
- Ensure compliance with regulatory standards (e.g., NIST 800-53).
- Minimize administrative overhead and cost.

What should you do?

Question 44 (medium, multi select)

Which THREE are valid ways to ingest data into Microsoft Sentinel? (Choose three.)

Question 45 (easy, multiple choice)

You need to ensure that Microsoft Defender for Cloud automatically provisions the Azure Monitor Agent (AMA) on all new Azure VMs in a subscription. What should you configure?

Question 46 (medium, multiple choice)

Your company uses Microsoft Defender for Cloud to secure its Azure resources. The security team receives alerts about a potential brute-force attack on a Linux virtual machine. You need to verify whether the attack was successful and take immediate remediation actions. Which two Defender for Cloud features should you use together?

Question 47 (hard, multiple choice)

You are a security analyst using Microsoft Sentinel. You need to create an analytics rule that triggers an incident when more than 10 failed sign-ins occur from the same IP address within 5 minutes. The rule should use a KQL query. Which query should you use?

Question 48 (medium, multiple choice)

Your organization has multiple Azure subscriptions managed by Microsoft Defender for Cloud. You need to ensure that all subscriptions have the same security policies applied, and that any new subscription automatically inherits these policies. What should you do?

Question 49 (medium, multiple choice)

You are configuring Microsoft Sentinel to ingest logs from Azure Active Directory (now Microsoft Entra ID). You need to collect sign-in logs and audit logs. Which data connector should you enable?

Question 50 (hard, multiple choice)

Your company uses Microsoft Defender for Cloud to protect Azure resources. You notice that some Azure VMs are not showing any security recommendations. You verify that the VMs are running and have network connectivity. What is the most likely cause?

Question 51 (medium, multiple choice)

You are investigating a security incident in Microsoft Sentinel. The incident involves multiple alerts from different data sources. You need to correlate the alerts to determine the full attack chain. Which Microsoft Sentinel feature should you use?

Question 52 (medium, multiple choice)

Your organization uses Microsoft Defender for Cloud to secure Azure resources. You need to ensure that all Azure SQL databases have Advanced Data Security (now Microsoft Defender for SQL) enabled. What should you do?

Question 53 (hard, multiple choice)

You are configuring Microsoft Sentinel to use a playbook for automated response to incidents. The playbook needs to block the source IP address of a malicious sign-in on the Azure Firewall. Which Microsoft Sentinel feature should the playbook use?

Question 54 (medium, multiple choice)

Your company uses Microsoft Defender for Cloud's Security Posture Management (CSPM) features. You need to identify resources that are not compliant with the organization's security baseline. What should you do?

Question 55 (hard, multiple choice)

Refer to the exhibit. You are reviewing an Azure Policy initiative definition in Microsoft Defender for Cloud. The initiative includes a policy definition with reference ID 'CIS-1.1'. The policy definition ID is '/providers/Microsoft.Authorization/policyDefinitions/abc123'. You need to verify that the policy definition exists and is correctly assigned. Which Azure CLI command should you run?

Exhibit

```json
{
  "properties": {
    "displayName": "CIS Benchmark v1.1.0",
    "description": "CIS Benchmark for Azure",
    "metadata": {
      "version": "1.0.0",
      "category": "Regulatory Compliance"
    },
    "parameters": {},
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "CIS-1.1",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abc123"
      }
    ]
  }
}
```
Question 56 (medium, multiple choice)

Refer to the exhibit. You are analyzing a KQL query in Microsoft Sentinel. The query returns a list of IP addresses that have attempted to sign in more than 10 times in the last day. You notice that the query does not filter out successful sign-ins. You need to modify the query to count only failed sign-in attempts. What should you add?

Exhibit

```kusto
SigninLogs
| where TimeGenerated > ago(1d)
| summarize Attempts = count() by IPAddress
| where Attempts > 10
```
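The rule below is an added example, not part of the question bank or of any Microsoft-provided template; it covers both the requirement in Question 47 (more than 10 failed sign-ins from one IP within 5 minutes) and the fix asked for in Question 56 (count only failures). In SigninLogs, ResultType is the string "0" for a successful sign-in and an Entra error code otherwise, so excluding "0" is the failure filter the Question 56 query lacks. The threshold, window, lookback and the spray/brute-force split are assumptions to tune for the tenant.

```kusto
// Added example: failed sign-ins per source IP in 5-minute windows.
// ResultType "0" = success; anything else is a failure code, e.g.
// 50126 (invalid username or password), 50053 (account locked out).
let threshold = 10;          // assumption: alert above this many failures
let window = 5m;             // assumption: tumbling window size
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType != "0"
| summarize FailedAttempts = count(),
            DistinctAccounts = dcount(UserPrincipalName),
            ErrorCodes = make_set(ResultType, 10),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by IPAddress, Window = bin(TimeGenerated, window)
| where FailedAttempts > threshold
// Many accounts from one IP looks like a password spray; few accounts with
// many attempts looks like classic brute force. The cut-off is an assumption.
| extend Pattern = iff(DistinctAccounts > 5, "password spray", "brute force")
| project Window, IPAddress, FailedAttempts, DistinctAccounts, ErrorCodes,
          FirstSeen, LastSeen, Pattern
```

Two caveats when turning this into a scheduled analytics rule: bin() produces fixed 5-minute buckets, so a burst that straddles a bucket boundary can be split below the threshold (a sliding window needs a self-join or a lower threshold), and the rule's "run every" / "lookup data from the last" settings must cover the ago(1h) range or the query will be clipped. Map IPAddress to the IP entity in the rule so incidents carry the attacker address for playbooks such as the firewall block in Question 53.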
Question 57 (medium, multiple choice)

Refer to the exhibit. You are reviewing the Microsoft Defender for Cloud settings for a subscription. The JSON shows that 'autoProvision' is set to true. What does this mean?

Exhibit

```json
{
  "properties": {
    "pricingTier": "Standard",
    "autoProvision": true
  }
}
```
Question 58 (hard, multiple choice)

Your organization has Microsoft Sentinel deployed in the East US region. You need to ensure that security logs are retained for 2 years to meet compliance requirements. The workspace retention policy is set to 90 days. What should you do?

Question 59 (medium, multiple choice)

You are using Microsoft Defender for Cloud to protect Azure Kubernetes Service (AKS) clusters. You need to receive alerts about suspicious activities within the cluster, such as privilege escalations. What should you enable?

Question 60 (hard, multiple choice)

Your organization uses Microsoft Sentinel to manage security incidents. You need to configure automated response to block a user account when a high-severity incident is triggered. The response should be automatically executed when the incident is created. What should you create?

Question 61 (easy, multiple choice)

You need to ensure that all Azure subscriptions in your tenant are automatically assessed for security misconfigurations and compliance against Microsoft cloud security benchmark. What should you configure?

Question 62 (medium, multiple choice)

Your security team detects a series of failed sign-ins from multiple IP addresses for a privileged user account in Microsoft Entra ID. You need to automatically create an incident in Microsoft Sentinel and block the user account. What should you configure?

Question 63 (hard, multiple choice)

Your organization uses Microsoft Sentinel to monitor hybrid workloads. You need to collect logs from on-premises Linux servers and send them to Sentinel. The solution must minimize latency and administrative overhead. What should you deploy?

Question 64 (easy, multiple choice)

You need to prioritize security recommendations in Microsoft Defender for Cloud. Your compliance team requires a framework that maps to regulatory standards. What should you use?

Question 65 (medium, multiple choice)

Your organization uses Microsoft Defender for Cloud to protect Azure VMs. You notice that some VMs are not reporting security data. You verify that the Log Analytics agent is installed and running. What is the most likely cause?

Question 66 (hard, multiple choice)

You are designing a Microsoft Sentinel solution for a multinational company. The company requires that security incidents be correlated across regions, but data residency mandates require logs to remain in their original region. What should you implement?

Question 67 (medium, multiple choice)

Your organization uses Microsoft Defender for Cloud to monitor Azure SQL databases. You receive an alert indicating a potential SQL injection attack. What is the most effective immediate action to validate and respond?

Question 68 (hard, multiple choice)

Your organization is migrating to Azure and needs to protect against advanced threats like fileless malware. You must use a solution that provides real-time protection and integrates with Microsoft Defender for Cloud. What should you deploy on Azure VMs?

Question 69 (easy, multiple choice)

You need to ensure that security alerts from Microsoft Defender for Cloud are sent to a central SIEM system. What should you configure?

Question 70 · medium · multi select

Which TWO of the following are valid ways to integrate Microsoft Sentinel with Microsoft Defender XDR?

Question 71 · hard · multi select

Which THREE of the following are capabilities of Microsoft Defender for Cloud's workload protection plans?

Question 72 · easy · multi select

Which TWO of the following are valid data connectors in Microsoft Sentinel?

Question 73 · medium · multiple choice

You are a security engineer for a company that uses Microsoft Defender for Cloud with the CSPM (Cloud Security Posture Management) plan enabled. You need to ensure that all Azure subscriptions are assessed against the Microsoft Cloud Security Benchmark (MCSB). Which action should you take?

Question 74 · hard · multiple choice

Your company has Microsoft Sentinel deployed in multiple workspaces across several Azure regions. The security operations team wants to query data from all workspaces centrally using a single KQL query. What feature should you implement?

Question 75 · easy · multiple choice

You are configuring Microsoft Defender for Cloud to protect your Azure virtual machines. You need to enable just-in-time (JIT) VM access to reduce the attack surface. What prerequisite must be met?

Question 76 · medium · multiple choice

Your security team receives a high-priority alert from Microsoft Sentinel indicating a potential brute-force attack against an Azure SQL Database. The alert was generated by an analytics rule using the following KQL query: 'SigninLogs | where ResultType == "50057" | summarize Count = count() by UserPrincipalName, IPAddress | where Count > 10'. What is the most likely cause of the alert?

Question 77 · hard · multiple choice

You are designing a Microsoft Sentinel deployment for a multinational company. The company requires that data from different geographic regions be stored separately to comply with data residency laws. What is the recommended approach?

Question 78 · easy · multiple choice

You need to configure a continuous export of Microsoft Defender for Cloud alerts to a third-party SIEM. Which feature should you use?

Question 79 · medium · multiple choice

Your company uses Microsoft Sentinel to monitor Azure resources. A new analytics rule is created to detect anomalous access to storage accounts. The rule runs every 5 minutes and looks at the last 15 minutes of data. After deploying, the rule generates no alerts even though you suspect there are anomalies. What is the most likely issue?

Question 80 · hard · multiple choice

You are responsible for securing Azure resources using Microsoft Defender for Cloud. You receive a recommendation that your Azure Kubernetes Service (AKS) cluster has a vulnerability in a container image. The recommendation is labeled 'Container images should be scanned for vulnerabilities'. What action should you take to remediate this recommendation?

Question 81 · easy · multiple choice

Your organization wants to use Microsoft Sentinel to automatically respond to high-severity incidents. Which feature should you configure?

Question 82 · medium · multi select

Which TWO of the following are valid methods to ingest data into Microsoft Sentinel? (Select two.)

Question 83 · hard · multi select

Which THREE of the following are capabilities of Microsoft Defender for Cloud's Cloud Security Posture Management (CSPM) plan? (Select three.)

Question 84 · medium · multi select

Which TWO of the following are valid data sources for Microsoft Sentinel's UEBA (User and Entity Behavior Analytics)? (Select two.)

Question 85 · medium · multiple choice

Your organization uses Microsoft Defender for Cloud to protect Azure workloads. You notice that a critical Azure VM is not covered by any of the Defender for Cloud plans. You need to ensure that the VM is protected by the Defender for Servers plan. What should you do?

Question 86 · easy · multiple choice

Your security team uses Microsoft Sentinel to detect threats. You need to set up a rule that triggers an alert when a user account is created in Microsoft Entra ID. Which rule type should you configure?

Question 87 · hard · multiple choice

Your organization has multiple Azure subscriptions and uses Microsoft Defender for Cloud. You need to ensure that all subscriptions have a consistent security policy applied. You create a management group containing all subscriptions. What should you do next to assign a Defender for Cloud initiative to all subscriptions?

Question 88 · medium · multiple choice

Refer to the exhibit. You are evaluating an Azure Policy definition that enables Defender for Cloud on a subscription. The policy uses 'DeployIfNotExists' effect. Which role must be assigned to the managed identity used by this policy to successfully deploy the pricing resource?

Exhibit

```json
{
  "properties": {
    "displayName": "Enable Defender for Cloud on subscription",
    "policyType": "BuiltIn",
    "mode": "All",
    "parameters": {
      "effect": {
        "type": "String",
        "allowedValues": ["DeployIfNotExists", "AuditIfNotExists", "Disabled"],
        "defaultValue": "DeployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Subscription"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/pricings",
          "existenceCondition": {
            "field": "Microsoft.Security/pricings/pricingTier",
            "equals": "Standard"
          },
          "roleDefinitionIds": ["/providers/Microsoft.Authorization/roleDefinitions/fb1c8498-711b-4c4f-b104-123456789012"],
          "deployment": {
            "properties": {
              "templateLink": {
                "uri": "https://raw.githubusercontent.com/.../azuredeploy.json",
                "contentVersion": "1.0.0.0"
              },
              "parameters": {
                "pricingTier": {
                  "value": "Standard"
                }
              }
            }
          }
        }
      }
    }
  }
}
```

Question 89 · hard · multiple choice

Your organization uses Microsoft Sentinel and has enabled User and Entity Behavior Analytics (UEBA). You need to investigate a possible insider threat where a user is accessing sensitive data from unusual locations. Which Sentinel feature should you use to visualize the user's activities and related entities?

Question 90 · easy · multiple choice

Your company has a hybrid environment with on-premises servers and Azure VMs. You want to use Microsoft Defender for Cloud to assess the security posture of both environments. What do you need to install on the on-premises servers to enable Defender for Cloud monitoring?

Question 91 · hard · multiple choice

Your security operations center (SOC) uses Microsoft Sentinel. You need to create a custom analytics rule that detects when a user signs in from a country not in the allowed list and then accesses a high-value SharePoint site within 10 minutes. The rule should generate an incident only if both conditions occur. Which KQL operator should you use in the rule query?

Question 92 · medium · multiple choice

You are configuring Microsoft Defender for Cloud's regulatory compliance dashboard. Your organization must comply with SOC 2. You have enabled the SOC 2 regulatory compliance standard. After a week, some controls show as 'Unhealthy'. What is the most likely reason for the 'Unhealthy' status?

Question 93 · medium · multiple choice

Refer to the exhibit. You are creating a Microsoft Sentinel scheduled analytics rule using the KQL query shown. The rule is set to run every hour. What will this rule detect?

Exhibit

Log Analytics query:

```kusto
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4625
| summarize FailedLogins = count() by Account, IpAddress
| where FailedLogins > 10
| project Account, IpAddress, FailedLogins
```

Question 94 · easy · multiple choice

Your organization uses Microsoft Defender for Cloud to protect Azure SQL databases. You need to enable Advanced Threat Protection (ATP) for Azure SQL. Where should you configure this?

Question 95 · medium · multi select

Which TWO are benefits of using Microsoft Sentinel's automation rules? (Choose two.)

Question 96 · hard · multi select

Which THREE are valid Microsoft Defender for Cloud plans? (Choose three.)

Question 97 · medium · multi select

Which TWO are capabilities of Microsoft Sentinel UEBA? (Choose two.)

Question 98 · hard · multi select

Which THREE are prerequisites for integrating Microsoft Sentinel with Microsoft Defender XDR? (Choose three.)

Question 99 · medium · multiple choice

Refer to the exhibit. You are reviewing the encryption configuration of an Azure Log Analytics workspace used by Microsoft Sentinel. The configuration shows infrastructure encryption enabled and customer-managed key (CMK) from Azure Key Vault. What additional step must be taken to ensure that the CMK is used for all data?

Exhibit

```json
{
  "properties": {
    "infrastructureEncryption": "Enabled",
    "encryption": {
      "keySource": "Microsoft.Keyvault",
      "keyvaultProperties": {
        "keyUri": "https://myvault.vault.azure.net/keys/mykey/abc123",
        "currentVersionedKeyIdentifier": "https://myvault.vault.azure.net/keys/mykey/abc123",
        "lastKeyRotationTimestamp": "2025-12-01T00:00:00Z"
      }
    }
  }
}
```

Question 100 · medium · multiple choice

You are a security engineer for a company that uses Microsoft Defender for Cloud. You need to ensure that all Azure subscriptions are continuously assessed against the Microsoft cloud security benchmark (MCSB). The solution must automatically assign compliance standards to new subscriptions. What should you do?

Question 101 · hard · multiple choice

Your company uses Microsoft Sentinel to monitor security events. You are asked to create an analytics rule that detects when a user outside of business hours (9 PM to 5 AM) performs a high-risk operation like deleting a large number of Azure resources. The rule must trigger an incident and assign it to the SOC team. Which rule type and configuration should you use?

Question 102 · easy · multiple choice

You are responsible for securing an Azure environment using Microsoft Defender for Cloud. You need to reduce the number of false positive security alerts for a specific Azure SQL Database. The database is regularly scanned by a legitimate security tool that generates alerts. What should you do?

Question 103 · medium · multiple choice

Your organization is deploying Microsoft Sentinel in a multi-region environment. You need to design a workspace architecture that minimizes data egress costs while ensuring that data from all regions is available for queries and incident investigation. The security team is centralized in the US. What should you do?

Question 104 · hard · multiple choice

A company uses Microsoft Defender for Cloud to assess the security posture of its Azure resources. The security team notices that the secure score is lower than expected because many recommendations are marked as 'Unhealthy' for resources that are not yet deployed (planned resources). How should you ensure that the secure score accurately reflects only deployed resources?

Question 105 · easy · multiple choice

You need to enable Microsoft Defender for Cloud's workload protection for Azure Kubernetes Service (AKS) clusters. Which Defender plan should you enable?

Question 106 · medium · multiple choice

Your organization uses Microsoft Sentinel to detect and respond to threats. You need to create an automation rule that automatically closes low-severity incidents after 24 hours of inactivity. The rule should apply to all analytics rules. What should you configure?

Question 107 · hard · multiple choice

Your company is using Microsoft Defender for Cloud to monitor hybrid workloads that include on-premises servers and Azure VMs. You need to ensure that all servers are covered by the integrated vulnerability assessment solution (Microsoft Defender Vulnerability Management). What is the minimum requirement for on-premises servers?

Question 108 · easy · multiple choice

You are configuring Microsoft Sentinel data connectors. Which data connector should you use to ingest logs from Microsoft Entra ID (Azure AD) audit logs and sign-in logs?

Question 109 · medium · multi select

Which TWO actions can you perform using Microsoft Defender for Cloud's regulatory compliance dashboard? (Select two.)

Question 110 · hard · multi select

Which THREE are valid methods to ingest data into Microsoft Sentinel? (Select three.)

Question 111 · medium · multi select

Which TWO are features of Microsoft Defender for Cloud's workload protection for Azure SQL databases? (Select two.)

Question 112 · hard · multiple choice

Refer to the exhibit. You are reviewing a scheduled analytics rule in Microsoft Sentinel that uses the KQL query shown. The rule is configured to run every hour. A security analyst reports that the rule is generating too many incidents. What is the most likely cause?

Exhibit

```kusto
// KQL query used in a Microsoft Sentinel scheduled analytics rule
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == "50057"  // User account is disabled
| where IPAddress !in (dynamic(["10.0.0.1", "10.0.0.2"]))
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName
```

Question 113 · medium · multiple choice

Refer to the exhibit. You are reviewing a custom Azure Policy definition used in Microsoft Defender for Cloud. The policy is intended to deploy a vulnerability assessment solution on SQL Managed Instances that do not have one. However, the policy is not being evaluated for any resources. What is the most likely reason?

Exhibit

```json
{
  "properties": {
    "displayName": "Deploy Vulnerability Assessment solution on SQL managed instances",
    "policyType": "Custom",
    "description": "Deploys the Azure Defender for SQL vulnerability assessment on SQL Managed Instances",
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Sql/managedInstances"
          },
          {
            "field": "Microsoft.Sql/managedInstances/vulnerabilityAssessments",
            "exists": false
          }
        ]
      },
      "then": {
        "effect": "DeployIfNotExists",
        "details": {
          "type": "Microsoft.Sql/managedInstances/vulnerabilityAssessments",
          "roleDefinitionIds": ["/providers/Microsoft.Authorization/roleDefinitions/bd5e0e0e-0b1a-4f8a-8f0f-9e2e0e0e0e0e"],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": { ... }
            }
          }
        }
      }
    }
  }
}
```

Question 114 · easy · multiple choice

Refer to the exhibit. You are assigning a built-in Azure Policy definition to a subscription using Azure CLI. The policy is 'Audit VMs that do not use managed disks'. After assignment, you check in Microsoft Defender for Cloud and see that the policy is not generating any recommendations. What is the most likely reason?

Exhibit

```json
{
  "properties": {
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/06be3959-4f3e-4f6a-8a6d-5f5f5f5f5f5f",
    "parameters": {},
    "scope": "/subscriptions/12345678-1234-1234-1234-123456789012",
    "notScopes": []
  }
}
```

Question 115 · medium · multiple choice

A company uses Microsoft Defender for Cloud to secure its hybrid environment. The security team notices that many alerts are low severity and causing alert fatigue. They want to reduce noise without missing critical threats. What should they configure?

Question 116 · hard · multiple choice

A security analyst receives a Defender for Cloud alert indicating 'Malicious SQL injection attempt' on an Azure SQL Database. The analyst wants to immediately block the attacker's IP address at the network level using a just-in-time (JIT) VM access policy, but the SQL Database is not behind a VM. What should the analyst do to block the IP?

Question 117 · easy · multiple choice

Your organization uses Microsoft Sentinel for security information and event management (SIEM). You need to create a custom analytic rule that triggers an incident when a user signs in from an unfamiliar location. Which data source should you use?

Question 118 · medium · multiple choice

A company has enabled Microsoft Defender for Cloud on all subscriptions. The security team wants to ensure that all virtual machines have vulnerability assessment solutions installed. What should they configure?

Question 119 · hard · multiple choice

A financial services company uses Microsoft Sentinel to detect ransomware activity. They want to correlate alerts from multiple sources to reduce false positives. They have enabled Microsoft Defender for Cloud, Microsoft Defender XDR, and Azure Firewall logs. Which Sentinel feature should they use to create a single alert from multiple signals?

Question 120 · easy · multiple choice

Your organization uses Microsoft Defender for Cloud to protect Azure resources. You need to ensure that storage accounts are only accessible via HTTPS. What should you configure?

Question 121 · medium · multiple choice

A company uses Microsoft Sentinel as its SIEM. The security team wants to automatically respond to phishing emails detected by Microsoft Defender XDR. They want to create a playbook that, when triggered, will delete the email from all recipients' mailboxes. Which integration should the playbook use?

Question 122 · hard · multiple choice

A multinational corporation uses Microsoft Defender for Cloud to assess security posture across multiple subscriptions. The security team wants to ensure that all resources in a specific management group are compliant with a custom set of security standards. What should they do?

Question 123 · medium · multiple choice

A company uses Microsoft Sentinel to monitor Azure resources. They have a custom analytic rule that generates an incident when a user creates a new Azure SQL Database. The incident is assigned to the security team. However, they want to automatically notify the database administration team via email when such an incident is created. What should they configure?

Question 124 · hard · multi select

Which TWO of the following are valid methods to connect on-premises syslog data to Microsoft Sentinel?

Question 125 · medium · multi select

Which THREE of the following are features of Microsoft Defender for Cloud's Cloud Security Posture Management (CSPM)?

Question 126 · easy · multi select

Which TWO of the following data connectors are available by default in Microsoft Sentinel?

Question 127 · medium · multiple choice

Your company uses Microsoft Defender for Cloud with the default auto-provisioning configuration. A security engineer reports that critical vulnerabilities in Azure Virtual Machines are being detected but not automatically remediated. The engineer wants to enable automatic remediation for all supported findings. What should the engineer configure?

Question 128 · hard · multiple choice

Your organization uses Microsoft Sentinel to detect threats across multiple Azure subscriptions. Security analysts need to query threat intelligence data from Microsoft Defender Threat Intelligence (MDTI) directly within Sentinel. However, analysts report that MDTI indicators are not appearing in the ThreatIntelligenceIndicator table. What is the most likely cause?

Question 129 · easy · multiple choice

A company is deploying Microsoft Sentinel for the first time. The security team wants to ensure that all Azure activity logs, including data plane operations from Azure Storage, are ingested into Sentinel. Which data connector should they enable?

Question 130 · hard · multiple choice

Your organization uses Microsoft Defender for Cloud to manage security posture. You need to ensure that all Azure subscriptions have the 'MFA should be enabled on accounts with owner permissions' security control applied. The compliance dashboard shows this control as 'Unhealthy' for several subscriptions. What should you do to automatically remediate non-compliant subscriptions?

Question 131 · easy · multiple choice

A security analyst receives a high-severity alert in Microsoft Sentinel indicating a potential brute-force attack against an Azure VM. The analyst wants to automatically block the attacker IP for 24 hours. What is the most efficient way to achieve this?

Question 132 · medium · multiple choice

Your organization uses Microsoft Defender for Cloud's workload protection for Azure SQL databases. You notice that Defender for Cloud is not generating alerts for anomalous activities on a specific SQL database. The database is in a VNet with a service endpoint enabled for SQL. What should you verify first?

Question 133 · easy · multiple choice

Your security team uses Microsoft Sentinel's UEBA (User and Entity Behavior Analytics) to detect insider threats. To enable UEBA, which data source must be connected to Sentinel?

Question 134 · hard · multiple choice

You manage a multi-tenant environment using Azure Lighthouse. You need to use Microsoft Defender for Cloud to monitor security posture across customer tenants. However, you cannot see the regulatory compliance dashboard for customer subscriptions. What is the most likely reason?

Question 135 · medium · multiple choice

Your organization uses Microsoft Sentinel and wants to create a custom analytics rule to detect failed logon attempts from a specific IP address. The rule should run every hour and look for the event in the SecurityEvent table. However, the rule never triggers even though the events exist. What is the most likely cause?

Question 136 · medium · multi select

Which TWO actions can you perform using Microsoft Defender for Cloud's 'Security Alerts' page?

Question 137 · hard · multi select

Which THREE features are part of Microsoft Defender XDR (formerly Microsoft 365 Defender) integration with Microsoft Sentinel?

Question 138 · easy · multi select

Which TWO Microsoft Defender for Cloud plans specifically provide threat detection for Azure Storage?

Question 139 · medium · multiple choice

Your security team receives an alert from Microsoft Defender for Cloud indicating 'Suspicious PowerShell script detected' on a virtual machine. The VM is running a critical application, and you need to investigate without disrupting the service. Which action should you take first?

Question 140 · easy · multiple choice

You need to configure Microsoft Defender for Cloud to automatically remediate misconfigurations in Azure resources. Which feature should you enable?

Question 141 · hard · multiple choice

Your organization uses Microsoft Sentinel to detect threats across Azure, AWS, and on-premises environments. You need to create an analytics rule that will generate an incident when more than 10 failed logon attempts occur within 5 minutes from the same source IP. Which rule type should you use?

Question 142 · medium · multiple choice

Your company deploys a new Azure application gateway with WAF policy in prevention mode. After deployment, users report that legitimate traffic is being blocked. You need to identify which WAF rules are causing the blocks without affecting the security posture. What should you do?

Question 143 · easy · multiple choice

You are configuring Microsoft Defender for Cloud for a multi-subscription environment. You need to ensure that security alerts are aggregated in a central location and that a single team can manage recommendations across all subscriptions. What should you use?

Question 144 · hard · multiple choice

You receive a Microsoft Defender for Cloud recommendation: 'Azure Policy Add-on for Kubernetes should be installed and enabled on your clusters'. The recommendation is marked as 'Unhealthy' for your AKS cluster. However, you have already installed the Azure Policy add-on. What is the most likely cause?

Question 145 · medium · multiple choice

Your security operations center (SOC) uses Microsoft Sentinel. You need to ensure that an incident is automatically created when a specific type of alert fires from Microsoft Defender for Cloud. What is the most efficient way to configure this?

Question 146 · easy · multiple choice

You need to enable Microsoft Defender for Cloud's enhanced security features for an Azure subscription. Which of the following is required?

Question 147 · hard · multiple choice

Your organization uses Microsoft Sentinel to monitor hybrid environments. You have a Log Analytics workspace that collects Windows security events. You need to create an analytics rule that triggers when a user account is created on any server, but you only want to generate an incident if the account creation occurs outside of business hours (9 AM - 5 PM). How should you configure the rule query?

Question 148 · medium · multi select

Which TWO actions can be performed using Microsoft Defender for Cloud's 'Regulatory Compliance' dashboard?

Question 149 (hard, multi-select)

Which THREE components are required to enable Microsoft Defender for Cloud's just-in-time (JIT) VM access?

Question 150 (easy, multi-select)

Which TWO types of data can Microsoft Sentinel ingest from Microsoft Defender XDR?

Question 151 (medium, multiple choice)

Your company uses Microsoft Defender for Cloud to assess the security posture of Azure subscriptions. You notice that a critical recommendation 'Vulnerabilities in virtual machines should be remediated' is showing a healthy status of 0% compliance. Which action should you take first to enable vulnerability assessment for all VMs?

Question 152 (hard, multiple choice)

Your organization runs a critical application on an Azure VM that generates sensitive data. You need to ensure that only approved applications can execute on the VM to prevent malware. You have Microsoft Defender for Cloud enabled with the Defender for Servers plan P2. Which feature provides application control without requiring custom rules?

Question 153 (easy, multiple choice)

You are evaluating Microsoft Defender for Cloud's cloud security posture management (CSPM) capabilities. You need to identify misconfigurations across your Azure, AWS, and GCP environments. What should you enable?

Question 154 (medium, multiple choice)

A security analyst reports that a high-priority alert in Microsoft Sentinel for 'Malware detected on VM' was closed without investigation. You need to ensure that all alerts of severity High and above cannot be closed without adding a comment. What should you configure in Sentinel?

Question 155 (hard, multiple choice)

Refer to the exhibit. You are reviewing a policy assignment in Microsoft Defender for Cloud that deploys the Log Analytics agent to Azure VMs. The policy uses 'DeployIfNotExists' effect and specifies a workspace. However, newly created VMs are not showing the agent installed. What is the most likely cause?

Exhibit

```json
{
  "properties": {
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12345678-1234-1234-1234-123456789012",
    "parameters": {
      "effect": {
        "value": "DeployIfNotExists"
      },
      "workspaceId": {
        "value": "/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/myResourceGroup/providers/Microsoft.OperationalInsights/workspaces/myWorkspace"
      }
    }
  }
}
```

Question 156 (easy, multiple choice)

Your company has multiple Azure subscriptions and wants to use Microsoft Sentinel as a SIEM. You need to collect security events from all Azure VMs, including existing and future ones. What should you use?

Question 157 (medium, multiple choice)

You are configuring Microsoft Sentinel to detect a new type of ransomware that encrypts files and changes file extensions. You need to create a detection rule that generates an incident when the same pattern of file changes occurs on multiple hosts within a short time. Which rule type should you use?

Question 158 (hard, multiple choice)

Your organization uses Microsoft Defender for Cloud to protect Azure SQL databases. You receive a recommendation that 'SQL databases should have vulnerability findings resolved'. You run a vulnerability assessment scan and find a high-severity finding about a missing firewall rule. How should you resolve this finding?

Question 159 (medium, multiple choice)

Your security team wants to use Microsoft Sentinel to investigate a compromised user account. They need to see the user's recent sign-in activity, Azure AD audit logs, and related alerts in a single dashboard. What feature in Sentinel should they use?

Question 160 (medium, multi-select)

Which TWO actions should you take to integrate on-premises servers with Microsoft Defender for Cloud for unified security management? (Choose two.)

Question 161 (hard, multi-select)

Which THREE are valid ways to trigger a playbook in Microsoft Sentinel? (Choose three.)

Question 162 (easy, multi-select)

Which TWO security controls are automatically provided by enabling Microsoft Defender for Cloud's foundational CSPM (Cloud Security Posture Management) capabilities? (Choose two.)

Question 163 (hard, multiple choice)

You are a security engineer for a multinational company with 5000 Azure VMs across multiple subscriptions. You have deployed Microsoft Sentinel to ingest logs from all VMs via the Log Analytics agent. You need to create a detection rule that identifies potential cryptocurrency mining activity based on network traffic patterns. The rule should trigger an incident when any single VM communicates with a known mining pool IP address over port 3333, 4444, or 8333 within a 5-minute window. Additionally, to reduce noise, the rule should only trigger if the same VM sends more than 10 such connections in that window. You have a custom KQL function that extends the CommonSecurityLog table with an 'IsMiningPool' boolean column. Which of the following approaches should you use to create the rule?

Question 164 (medium, multiple choice)

Your organization uses Microsoft Defender for Cloud to secure a multi-subscription environment. You have a subscription named 'Prod' that hosts critical applications. The security team requires that any new resource group created in the Prod subscription must automatically be protected by Microsoft Defender for Cloud at the 'Defender for Servers' plan P2 level. You need to implement a solution that ensures this compliance without manual intervention. You consider using Azure Policy, Azure Blueprints, or management group settings. Which option should you choose?

Question 165 (easy, multiple choice)

Your company has a hybrid environment with Azure resources and on-premises servers. You have deployed Microsoft Sentinel and connected it to Azure AD, Azure Activity Logs, and Windows Security Events from on-premises servers via the Log Analytics gateway. You need to create a workbook that shows the number of sign-ins from each country over the last 24 hours. The data source is the SigninLogs table. However, the workbook does not display any data. You verify that the Log Analytics workspace is receiving sign-in logs from Azure AD. Which of the following is the most likely reason the workbook shows no data?

Question 166 (medium, multiple choice)

Your organization uses Microsoft Defender for Cloud to secure a multi-cloud environment that includes Azure, AWS, and GCP resources. You need to ensure that all resources are assessed against a consistent set of security standards. What should you configure first?

Question 167 (hard, multiple choice)

Refer to the exhibit. You are reviewing a custom Azure Policy definition that will be assigned to a subscription to audit storage accounts and Cosmos DB accounts. The policy is intended to check whether these resources use customer-managed keys (CMK) for encryption. However, when you test the policy assignment, it does not evaluate Cosmos DB accounts. What is the most likely reason?

Exhibit

```json
{
  "properties": {
    "policyType": "Custom",
    "mode": "All",
    "displayName": "Ensure sensitive data is encrypted with customer-managed keys",
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "type",
            "equals": "Microsoft.DocumentDB/databaseAccounts"
          }
        ]
      },
      "then": {
        "effect": "auditIfNotExists",
        "details": {
          "type": "Microsoft.Storage/storageAccounts/encryption",
          "existenceCondition": {
            "field": "Microsoft.Storage/storageAccounts/encryption.keySource",
            "equals": "Microsoft.Keyvault"
          }
        }
      }
    },
    "parameters": {}
  }
}
```

Question 168 (easy, multiple choice)

Your security team has deployed Microsoft Sentinel. They need to create an analytics rule that uses a custom KQL query to detect failed logon attempts from a specific IP address range and automatically creates an incident with a severity of 'High'. Which rule type should they use?

Question 169 (medium, multiple choice)

Your organization uses Microsoft Defender for Cloud's Cloud Security Posture Management (CSPM) to assess security posture. You notice that a critical recommendation for enabling diagnostic logs on Azure Key Vault is not appearing for a specific subscription. You have confirmed that the subscription is onboarded to Defender for Cloud. What is the most likely cause?

Question 170 (easy, multiple choice)

Your company is using Microsoft Sentinel to monitor security events. You need to ensure that all incidents generated in Sentinel are automatically sent to a third-party ticketing system via a webhook. Which Sentinel feature should you configure?

Question 171 (hard, multiple choice)

Your organization has a hybrid identity environment with Microsoft Entra ID (formerly Azure AD) and on-premises Active Directory. You are using Microsoft Defender for Cloud to monitor security posture. You notice that the recommendation 'MFA should be enabled on accounts with owner permissions on your subscription' shows a status of 'Unhealthy' for some accounts, but those accounts already have Microsoft Entra Conditional Access policies requiring MFA. What is the most likely reason for the discrepancy?

Question 172 (medium, multiple choice)

Your security team is investigating a potential data exfiltration incident. They have identified that a user has been downloading large amounts of data from Azure Blob Storage to an external IP address. You need to create a Microsoft Sentinel analytics rule that triggers when more than 1 GB of data is downloaded from a storage account in a single hour. Which KQL query should be the basis of the rule?

Question 173 (easy, multiple choice)

Your company wants to use Microsoft Defender for Cloud's just-in-time (JIT) VM access to reduce the attack surface. You have enabled JIT for a set of VMs. A security administrator reports that they cannot connect via RDP even after requesting access. What is the most likely cause?

Question 174 (hard, multiple choice)

Refer to the exhibit. You assign this built-in policy to a resource group containing Linux VMs. The policy is intended to deploy the Log Analytics agent if it is missing. After the assignment, you notice that the policy does not evaluate any VMs and the compliance state is 'Not started'. What is the most likely reason?

Exhibit

```json
{
  "properties": {
    "displayName": "Deploy Log Analytics agent for Linux VMs",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "existenceCondition": {
            "field": "Microsoft.Compute/virtualMachines/extensions/type",
            "equals": "OmsAgentForLinux"
          },
          "deployment": {
            "properties": {
              "template": { ... },
              "parameters": {
                "workspaceId": {
                  "value": "[parameters('workspaceId')]"
                }
              }
            }
          }
        }
      }
    },
    "parameters": {
      "workspaceId": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace ID"
        }
      }
    }
  }
}
```

Question 175 (medium, multi-select)

Your organization is using Microsoft Sentinel to centralize security data from multiple sources. You need to ensure that data from Azure Active Directory (now Microsoft Entra ID) logs is ingested. Which two of the following should you configure? (Choose two.)

Question 176 (hard, multi-select)

Your company is implementing Microsoft Defender for Cloud's Security Alerts. You need to ensure that alerts for critical severity are automatically sent to the security operations team via email and also create a ticket in ServiceNow. Which three actions should you take? (Choose three.)

Question 177 (easy, multi-select)

Your organization wants to use Microsoft Sentinel to detect and respond to threats. You need to ensure that Sentinel can ingest data from Azure Firewall logs. Which three components are required? (Choose three.)

Question 178 (medium, multi-select)

Your company uses Microsoft Defender for Cloud to protect Azure resources. You want to enable the 'Defender for Containers' plan to secure AKS clusters. Which two configurations are necessary? (Choose two.)

Question 179 (hard, multi-select)

Your company is using Microsoft Sentinel for security operations. You need to create a threat intelligence (TI) feed that allows Sentinel to match indicators from an external source. Which three actions should you take? (Choose three.)

Question 180 (hard, multiple choice)

Your organization has a complex Azure environment with multiple subscriptions, each containing hundreds of VMs and PaaS services. You are responsible for ensuring that all resources are monitored for security threats using Microsoft Defender for Cloud. The environment includes:

- Subscription A: Production workloads, requires the highest security posture.
- Subscription B: Development environment, has a lower security budget.
- Subscription C: Shared services (e.g., DNS, Active Directory).

You need to implement the most cost-effective security monitoring solution that meets the following requirements:

- All subscriptions must be covered by Defender for Cloud.
- Production subscription must have vulnerability assessment for VMs.
- Development subscription does not need vulnerability assessment but must have basic CSPM.
- Shared services subscription must have advanced threat protection for Azure SQL databases.
- You must minimize administrative overhead and ensure that security policies are centrally managed.

What should you do?

Question 181 (medium, multiple choice)

Your company has a Microsoft Sentinel workspace that ingests logs from multiple sources, including Azure Active Directory (now Microsoft Entra ID), Azure Firewall, and Microsoft 365 Defender. You are asked to create an analytics rule that detects when a user account is deleted from Microsoft Entra ID and then, within 24 hours, a large number of Azure resources are deleted in the same tenant. You have the following requirements:

- The rule must use KQL to correlate events across two tables: AuditLogs (for user deletion) and ActivityLogs (for resource deletion).
- The rule should trigger an incident only if more than 10 resources are deleted within 24 hours after the user deletion.
- The incident severity should be set to 'High'.
- The rule should run every hour and look back 24 hours.

Which of the following is the correct KQL query for the analytics rule? (Choose the best option.)

Question 182 (easy, multiple choice)

Your company uses Microsoft Defender for Cloud's regulatory compliance dashboard to track compliance with the PCI DSS standard. You have enabled the PCI DSS initiative on the management group. The dashboard shows that some controls are 'Not started' even though you have implemented the required security configurations. You suspect that the assessment might not be running correctly. You need to ensure that the compliance assessments are triggered for all resources. The environment consists of:

- 3 subscriptions under a management group.
- All subscriptions have Defender for Cloud enabled with the CSPM plan.
- The PCI DSS initiative was assigned at the management group level.
- Some resources are in regions that do not support certain policy effects.

What is the most likely reason for the 'Not started' status?

Question 183 (medium, multiple choice)

Your organization uses Microsoft Sentinel to monitor for data exfiltration. You have configured a scheduled analytics rule that detects when an external IP address downloads more than 100 MB of data from an Azure Storage account within 5 minutes. The rule triggers, but the incident created has a severity of 'Low', while your team wants it to be 'High' for all such incidents. What should you do?

Question 184 (hard, multiple choice)

Your company has a Microsoft Sentinel workspace that ingests logs from Azure AD, Azure Activity, and Azure Firewall. You are investigating an incident where an attacker gained access to a user's credentials and logged in from an unusual location. The sign-in log shows that the user passed MFA. You suspect that the attacker might have used a phishing attack to bypass MFA. Which Microsoft 365 Defender feature should you enable to detect such attacks?

Question 185 (medium, multiple choice)

Your organization uses Microsoft Defender for Cloud with the CSPM plan enabled. You need to ensure that all Azure subscriptions have Microsoft Defender for Cloud's auto-provisioning enabled for the Log Analytics agent. Which Azure Policy initiative should you assign?

Question 186 (hard, multiple choice)

You have configured Microsoft Sentinel to ingest logs from Azure Active Directory (now Microsoft Entra ID). You notice that sign-in logs for external guest users are not appearing in Sentinel. What is the most likely cause?

Question 187 (easy, multiple choice)

Your security team wants to use Microsoft Defender for Cloud's 'Just-In-Time (JIT) VM access' to reduce the attack surface. Which Azure policy must be enabled on the subscription to use JIT?

Question 188 (medium, multi-select)

Which TWO actions can you perform using Microsoft Sentinel's UEBA (User and Entity Behavior Analytics) feature? (Choose two.)

Question 189 (hard, multi-select)

Which THREE Microsoft Defender for Cloud features require Microsoft Defender for Servers Plan 2? (Choose three.)

Question 190 (easy, multi-select)

Which TWO data sources can be connected to Microsoft Sentinel using built-in data connectors? (Choose two.)

Question 191 (medium, multiple choice)

Refer to the exhibit. You are reviewing the following KQL query in Microsoft Sentinel. What is the primary purpose of this KQL query?

Exhibit

```kusto
SecurityAlert
| where TimeGenerated > ago(7d)
| summarize Count = count() by AlertName, Severity
| order by Count desc
```

Question 192 (hard, multiple choice)

You are a security engineer for Contoso Ltd. The company has a hybrid environment with Azure VMs and on-premises servers running Windows Server 2022. You have enabled Microsoft Defender for Cloud's multi-cloud posture management for AWS and GCP. Recently, you deployed Microsoft Sentinel in a Log Analytics workspace named 'ContosoWorkspace'. The security team needs to centralize security alerts from all sources: Azure, on-premises, AWS, and GCP. They also require automated investigation and response for common threats. Specifically, they want to automatically disable a compromised user account when a high-severity alert is generated. You have configured data connectors for Azure Activity, Microsoft Entra ID, and AWS CloudTrail. For on-premises servers, you installed the Azure Monitor Agent (AMA) and enabled Defender for Cloud's plan for servers. For GCP, you are using the GCP Security Command Center connector. The team needs to create a playbook that runs when a high-severity alert from any source is triggered. The playbook should disable the user account in Microsoft Entra ID. You have created a playbook using Azure Logic Apps and granted it the necessary permissions. Which step should you take to ensure the playbook runs automatically when alerts are generated?

Question 193 (medium, multiple choice)

Your organization uses Microsoft Defender for Cloud to assess the security posture of Azure subscriptions. The security team wants to implement a continuous compliance monitoring solution using Microsoft Defender for Cloud's regulatory compliance dashboard. They need to monitor compliance against the 'CIS Microsoft Azure Foundations Benchmark' and 'PCI DSS v3.2.1'. Currently, the subscription has the 'Azure Security Benchmark' initiative assigned. You need to configure the compliance dashboard to show both CIS and PCI DSS standards. The subscription already has Microsoft Defender for Cloud's CSPM plan enabled. You have also enabled the 'Defender for Cloud' plan for servers. What should you do to meet the requirements?

Question 194 (hard, multiple choice)

You are a security analyst at Fabrikam Inc. You have deployed Microsoft Sentinel and connected it to Microsoft 365 Defender (formerly Microsoft Threat Protection). You have also enabled UEBA and set up analytics rules for detecting suspicious sign-ins. Recently, you noticed that some high-severity incidents from Microsoft 365 Defender are not appearing in Microsoft Sentinel. You have verified that the Microsoft 365 Defender connector is enabled and that incidents are being sent to the workspace. However, the incidents are not being created as Sentinel incidents. What is the most likely reason?

Question 195 (easy, multiple choice)

Your company uses Microsoft Defender for Cloud's 'Vulnerability Assessment' solution for Azure VMs. You have enabled the 'Microsoft Defender for Servers' plan and deployed the integrated Qualys agent. You need to view the vulnerability assessment findings for all VMs in a single dashboard in Microsoft Defender for Cloud. Which blade in the Defender for Cloud portal should you navigate to?

Question 196 (medium, multiple choice)

You have a Microsoft Sentinel workspace that ingests data from multiple sources, including Azure Activity, Microsoft Entra ID, and Azure Firewall. You need to create a custom analytics rule that detects when a user signs in from an IP address that has been flagged as malicious in a threat intelligence feed. You have already imported threat intelligence indicators into Sentinel using the 'Threat Intelligence - TAXII' data connector. The threat intelligence indicators are stored in the 'ThreatIntelligenceIndicator' table. Which KQL function should you use in the analytics rule to match sign-in logs against the threat indicators?

Question 197 (hard, multiple choice)

You are configuring Microsoft Defender for Cloud's 'Workload protections' for a Kubernetes cluster that is already using Azure Kubernetes Service (AKS). The cluster has 'Azure Policy' enabled. You need to enable the 'Microsoft Defender for Containers' plan to protect the cluster. You have already enabled the plan at the subscription level. However, the cluster is not showing as protected in the 'Inventory' blade. You have confirmed that the 'Azure Policy for Kubernetes' add-on is installed. What should you do to ensure the cluster is protected?

Question 198 (easy, multiple choice)

Your organization uses Microsoft Sentinel for security operations. You need to create a custom analytics rule that triggers an incident when a user executes a suspicious PowerShell command on a Windows server. The logs are stored in the 'DeviceEvents' table from Microsoft Defender for Endpoint (now part of Microsoft Defender XDR). The rule should run every 5 minutes. Which scheduling frequency and query period should you configure?

Question 199 (medium, multiple choice)

You are a security engineer for a large enterprise using Microsoft Sentinel. You have multiple workspaces deployed across different Azure regions to meet data residency requirements. You need to query data across all workspaces from a single query. You have set up a workspace as the 'central' workspace for cross-workspace queries. The central workspace has the necessary permissions to access the other workspaces. Which KQL operator should you use to include data from other workspaces in your query?

Question 200 (hard, multiple choice)

You are the security engineer for a multinational company that uses Azure to host critical workloads. The company has deployed Microsoft Defender for Cloud with the enhanced security features enabled on all subscriptions. Recently, a security audit revealed that several virtual machines (VMs) in the production environment are missing critical security updates. The audit report indicates that the VMs are not being assessed for missing updates by Defender for Cloud. You need to ensure that all VMs are automatically assessed for missing OS updates using Defender for Cloud's vulnerability assessment capabilities. The solution must minimize administrative overhead and should not require manual installation of agents on existing VMs. What should you do?

Question 201 (medium, multiple choice)

Your organization uses Microsoft Sentinel for security information and event management (SIEM). You need to create a custom analytics rule that detects when a user account is created in Microsoft Entra ID and then, within 24 hours, that account is granted a privileged role (e.g., Global Administrator). You have set up the necessary data connectors to ingest Microsoft Entra ID audit logs and sign-in logs into Sentinel. The rule should trigger an incident with high severity when this sequence occurs. Which KQL query should you use in the analytics rule?

Question 202 (easy, multiple choice)

Your company has deployed Microsoft Defender for Cloud in all subscriptions. You need to ensure that all Azure SQL databases are protected by Advanced Threat Protection (ATP). You want to enable ATP at the subscription level so that new databases are automatically protected. The security policy must be enforced to prevent administrators from disabling ATP on individual databases. What should you do?

Question 203 (medium, multi-select)

Your organization uses Microsoft Sentinel to monitor security events. You need to configure automated response actions for incidents. Which TWO of the following can be used to trigger automated responses in Microsoft Sentinel?

Question 204 (hard, multi-select)

You are configuring Microsoft Defender for Cloud to protect an Azure Kubernetes Service (AKS) cluster. The cluster runs sensitive workloads. You need to enable threat detection and vulnerability assessment for the AKS environment. Which THREE of the following should you enable?

Question 205 (medium, multiple choice)

A company uses Microsoft Defender for Cloud to protect its hybrid workloads. Security administrators report that critical alerts for SQL servers are not appearing in the Defender for Cloud dashboard. The SQL servers are on-premises and have Azure Arc enabled. Which configuration step should be verified first?

Question 206 (hard, multiple choice)

A security operations team uses Microsoft Sentinel to monitor sign-in logs. They receive frequent false positive alerts for 'Anonymous IP address sign-in' from a specific external IP range used by a trusted partner. The analysts want to suppress these alerts without reducing detection coverage. What is the most efficient approach?

Question 207 (easy, multiple choice)

A company is deploying Microsoft Sentinel in a new Azure subscription. The security team wants to ingest Windows security events from on-premises servers. Which data connector should they use?

Question 208 (medium, multi-select)

Your organization has enabled Microsoft Defender for Cloud on all subscriptions. You need to ensure that the security score is improved by implementing recommendations. Which TWO actions would directly improve the secure score?

Question 209 (hard, multi select)

A SOC team uses Microsoft Sentinel. They want to create an analytics rule that detects excessive failed logons from a single IP address. The rule must run every 5 minutes and look back 1 hour. Which THREE components are required to configure this scheduled query rule?

Question 210 (hard, multiple choice)

Refer to the exhibit. You are assigned a policy that deploys the Log Analytics agent to Linux VMs. After assigning this policy to a subscription, you notice that existing Linux VMs are not getting the agent deployed, but newly created VMs receive the agent. What is the most likely reason?

Exhibit

{
  "properties": {
    "displayName": "Deploy Log Analytics agent for Linux VMs",
    "policyType": "BuiltIn",
    "description": "Deploys the Log Analytics agent to Linux virtual machines if the agent is not installed.",
    "parameters": {
      "workspaceId": {
        "type": "String",
        "metadata": {
          "displayName": "Workspace ID"
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "existenceCondition": {
            "field": "Microsoft.Compute/virtualMachines/extensions/type",
            "equals": "OmsAgentForLinux"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "resources": [
                  {
                    "name": "[concat(parameters('vmName'), '/OmsAgent')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "location": "[parameters('location')]",
                    "properties": {
                      "publisher": "Microsoft.EnterpriseCloud.Monitoring",
                      "type": "OmsAgentForLinux",
                      "typeHandlerVersion": "1.0",
                      "settings": {
                        "workspaceId": "[parameters('workspaceId')]"
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  }
}

Question 211 (hard, multiple choice)

You are a security architect for a large enterprise with 500 Azure subscriptions organized into a management group hierarchy. The company uses Microsoft Defender for Cloud to assess security posture. The CISO wants a single dashboard view of the secure score across all subscriptions, but with the ability to drill down into individual management groups. You need to recommend a solution that provides this capability with minimal administrative overhead. The company already has Log Analytics workspaces deployed per region. Which approach should you take?

Question 212 (easy, multiple choice)

A company uses Microsoft Sentinel to centralize security logs. They need to ensure that incidents from Microsoft Defender XDR are synchronized into Sentinel. Which data connector should they enable?

Question 213 (medium, multiple choice)

A company uses Microsoft Defender for Cloud to protect Azure resources. The security team wants to automatically remediate certain recommendations without manual intervention. They decide to use Azure Policy to enforce secure configurations. Which feature in Defender for Cloud allows them to create policy assignments directly from the recommendation?
