CCNA Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel Questions

75 of 213 questions · Page 1/3 · Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel

1
MCQ · hard

Your organization is using Microsoft Defender for Cloud to protect Azure SQL databases. You need to enable Advanced Threat Protection (ATP) for all existing and future Azure SQL databases in a subscription. The solution must minimize administrative effort. What should you do?

A. Configure Microsoft Sentinel to monitor Azure SQL databases.
B. Enable the Azure SQL databases plan in Microsoft Defender for Cloud at the subscription level.
C. Create an Azure Policy to deploy Advanced Threat Protection on Azure SQL databases.
D. Enable Advanced Threat Protection on each Azure SQL database individually.
Answer: B

Correct. Enabling the plan at the subscription level applies to all current and future resources.

Why this answer

Option B is correct because enabling Defender for Cloud at the subscription level with the SQL servers on machines plan (or Azure SQL databases plan) will automatically enable ATP for all supported resources, including future ones. Option D is wrong because enabling per database is not scalable. Option C is wrong because Azure Policy can be used but is not the most efficient direct method.

Option A is wrong because Microsoft Sentinel is not for enabling ATP.

2
MCQ · hard

Your organization has a complex Azure environment with multiple subscriptions, each containing hundreds of VMs and PaaS services. You are responsible for ensuring that all resources are monitored for security threats using Microsoft Defender for Cloud. The environment includes:
- Subscription A: Production workloads, requires the highest security posture.
- Subscription B: Development environment, has a lower security budget.
- Subscription C: Shared services (e.g., DNS, Active Directory).
You need to implement the most cost-effective security monitoring solution that meets the following requirements:
- All subscriptions must be covered by Defender for Cloud.
- Production subscription must have vulnerability assessment for VMs.
- Development subscription does not need vulnerability assessment but must have basic CSPM.
- Shared services subscription must have advanced threat protection for Azure SQL databases.
- You must minimize administrative overhead and ensure that security policies are centrally managed.
What should you do?

A. Enable all Defender plans on the management group to cover all subscriptions, then disable vulnerability assessment on Subscription B via policy.
B. Enable the 'Defender Cloud Security Posture Management' (CSPM) plan on the management group that contains all subscriptions. Then, on Subscription A, enable the 'Defender for Servers' plan with vulnerability assessment. On Subscription C, enable the 'Defender for Azure SQL' plan. Leave Subscription B with only the CSPM plan.
C. Enable the 'Defender for Servers' plan on Subscription A, 'Defender for Azure SQL' on Subscription C, and disable Defender for Cloud on Subscription B.
D. Enable only the free tier of Defender for Cloud on all subscriptions, then manually configure vulnerability assessment for VMs in Subscription A and advanced threat protection for SQL in Subscription C.
Answer: B

CSPM provides basic posture management; specific plans can be added per subscription.

Why this answer

Option B is correct because enabling the Defender CSPM plan provides basic CSPM and allows enabling specific plans per subscription. Option A is wrong because enabling all plans across all subscriptions is not cost-effective for Dev. Option D is wrong because using only the free tier does not meet the vulnerability assessment requirement.

Option C is wrong because disabling Defender for Cloud on Dev is not allowed; it needs basic CSPM.

3
Multi-Select · medium

Which TWO actions can be performed using Microsoft Defender for Cloud's 'Regulatory Compliance' dashboard?

Select 2 answers
A. Upload evidence documents for manual controls.
B. Automatically remediate non-compliant resources.
C. View compliance score against a specific regulatory standard.
D. Configure continuous export of compliance data.
E. Integrate with third-party GRC tools directly from the dashboard.
Answers: A, C

Dashboard allows uploading evidence for manual controls.

Why this answer

Options A and C are correct. The dashboard shows compliance against standards and allows manual evidence upload. Option B is wrong because remediation is done via policy.

Option D is wrong because continuous export is a separate setting. Option E is wrong because the dashboard doesn't directly integrate with external tools.

4
MCQ · medium

Refer to the exhibit. You are reviewing a custom Azure Policy definition used in Microsoft Defender for Cloud. The policy is intended to deploy a vulnerability assessment solution on SQL Managed Instances that do not have one. However, the policy is not being evaluated for any resources. What is the most likely reason?

A. The policy type is set to 'Custom' instead of 'BuiltIn'.
B. The role definition ID specified in the deployment details does not have the necessary permissions to deploy the vulnerability assessment.
C. The resource type in the policy condition is incorrect.
D. The policy condition checks for the existence of vulnerability assessment, but it should check for non-existence.
Answer: B

DeployIfNotExists requires a managed identity with appropriate roles; incorrect role ID would cause failure.

Why this answer

Option B is correct because the policy uses the 'DeployIfNotExists' effect, which requires a managed identity with permissions to deploy the vulnerability assessment. The roleDefinitionIds must grant the necessary permissions. If the role definition ID is incorrect or the managed identity does not have permissions, the policy will not deploy.

Option D is wrong because the policy condition checks for the absence of vulnerability assessment, so it should apply. Option A is wrong because the policy type is Custom, but custom policies can be assigned. Option C is wrong because the policy uses 'Microsoft.Sql/managedInstances', which is correct.

5
MCQ · hard

Your security operations center (SOC) uses Microsoft Sentinel. You need to create a custom analytics rule that detects when a user signs in from a country not in the allowed list and then accesses a high-value SharePoint site within 10 minutes. The rule should generate an incident only if both conditions occur. Which KQL operator should you use in the rule query?

A. summarize
B. join
C. union
D. where
Answer: B

Correct: join can combine sign-in and SharePoint access events on user and time.

Why this answer

Option B is correct because 'join' allows combining two event streams on a common key (e.g., user ID) and time window. Option C is wrong because 'union' combines rows, not conditionally. Option A is wrong because 'summarize' aggregates.

Option D is wrong because 'where' filters a single table.

6
MCQ · easy

You are configuring Microsoft Sentinel data connectors. Which data connector should you use to ingest logs from Microsoft Entra ID (Azure AD) audit logs and sign-in logs?

A. Office 365 connector
B. Microsoft Defender XDR connector
C. Azure Activity connector
D. Microsoft Entra ID connector
Answer: D

This connector ingests audit and sign-in logs from Microsoft Entra ID.

Why this answer

Option D is correct because the Microsoft Entra ID connector in Sentinel specifically ingests audit logs and sign-in logs. Option C is wrong because the Azure Activity connector ingests Azure resource logs, not Entra ID logs. Option A is wrong because the Office 365 connector ingests Exchange and SharePoint logs.

Option B is wrong because the Microsoft Defender XDR connector ingests security alerts from Defender products.

7
Multi-Select · hard

Which THREE are valid data connectors in Microsoft Sentinel? (Choose three.)

Select 3 answers
A. Microsoft Defender for Cloud
B. Azure Firewall Manager
C. Amazon Web Services (AWS)
D. Azure Active Directory (now Microsoft Entra ID)
E. Syslog
Answers: C, D, E

AWS CloudTrail can be connected via the AWS connector.

Why this answer

Amazon Web Services (AWS) is a valid data connector in Microsoft Sentinel because Sentinel supports ingesting logs from AWS CloudTrail via the AWS S3 connector. This allows security events from AWS environments to be collected, normalized, and analyzed alongside Azure-native data, enabling multi-cloud threat detection and investigation.

Exam trap

The trap here is that candidates often confuse Azure Firewall Manager with the actual Azure Firewall data connector, or they mistakenly think Microsoft Defender for Cloud is a connector when it is actually a source of security alerts that are ingested through separate connectors.

8
Multi-Select · easy

Which TWO features are available in Microsoft Defender for Cloud's Cloud Security Posture Management (CSPM) capabilities? (Choose two.)

Select 2 answers
A. Attack path analysis
B. Security governance and compliance scoring
C. Just-in-time VM access
D. User and Entity Behavior Analytics (UEBA)
E. Vulnerability assessment for VMs
Answers: A, B

Attack path analysis is a CSPM feature that identifies critical risks and attack paths.

Why this answer

Options A and B are correct. CSPM includes attack path analysis and security governance. Option E is wrong because vulnerability assessment is part of workload protection.

Option C is wrong because JIT access is a workload protection feature. Option D is wrong because UEBA is part of Microsoft Sentinel or Defender for Identity.

9
Multi-Select · hard

Your company is using Microsoft Sentinel for security operations. You need to create a threat intelligence (TI) feed that allows Sentinel to match indicators from an external source. Which three actions should you take? (Choose three.)

Select 3 answers
A. Create a watchlist containing the indicators.
B. Enable the Fusion rule to correlate TI indicators with other events.
C. Upload threat intelligence indicators using the Threat Intelligence API or portal.
D. Enable the 'Threat Intelligence - TAXII' data connector to receive indicators from external sources.
E. Configure an analytics rule with a TI mapping to generate alerts.
Answers: C, D, E

Indicators are added to Sentinel's TI.

Why this answer

Options C, D, and E are correct. Option C is correct because TI indicators must be ingested into Sentinel's TI. Option E is correct because analytics rules can be configured to match TI.

Option D is correct because the TI data connector is used for ingestion. Option A is wrong because watchlists are for reference data, not TI. Option B is wrong because Fusion rules are for correlation, not TI matching.

10
MCQ · hard

You are reviewing the Azure Policy definition shown in the exhibit. This policy is assigned to a subscription. Several VMs are non-compliant. What is the most likely reason for the non-compliance?

A. The VMs are not backed up to Azure Backup.
B. The VMs do not have the Azure Disk Encryption extension installed.
C. The VMs have encryption at host enabled but not Azure Disk Encryption.
D. The VMs are missing critical Windows security patches.
Answer: B

Correct. The policy audits for the presence of the AzureDiskEncryption extension on VMs without encryption settings.

Why this answer

Option B is correct because the policy audits whether Azure Disk Encryption is enabled on VMs without encryption settings. The condition checks if encryptionSettings does not exist, and then expects the AzureDiskEncryption extension. If the extension is missing, the VM is non-compliant.

Option D is wrong because the policy does not check for Windows patch status. Option C is wrong because the policy does not check for encryption at host. Option A is wrong because the policy is about disk encryption, not backup.

11
MCQ · medium

You are using Microsoft Defender for Cloud to protect Azure Kubernetes Service (AKS) clusters. You need to receive alerts about suspicious activities within the cluster, such as privilege escalations. What should you enable?

A. Microsoft Defender for Containers
B. Microsoft Sentinel with AKS data connector
C. Azure Policy for AKS
D. Azure Security Center (classic)
Answer: A

Provides threat detection and alerts for AKS clusters.

Why this answer

Option A is correct because Microsoft Defender for Containers provides threat detection for AKS clusters, including privilege escalation alerts. Option C is wrong because Azure Policy for AKS enforces security configurations but does not generate alerts. Option B is wrong because Microsoft Sentinel is a separate SIEM that can ingest logs but is not the primary alerting mechanism within Defender for Cloud.

Option D is wrong because Azure Security Center is now Defender for Cloud, and its container protections are provided by Defender for Containers.

12
MCQ · easy

You need to ensure that security alerts from Microsoft Defender for Cloud are sent to a central SIEM system. What should you configure?

A. Create a playbook that forwards alerts to the SIEM
B. Configure diagnostic settings for the subscription
C. Assign an Azure Policy to export alerts
D. Enable continuous export to Event Hubs
Answer: D

Continuous export streams alerts to Event Hubs for SIEM integration.

Why this answer

Option D is correct because continuous export allows streaming alerts to Event Hubs for integration with SIEMs. Option B is wrong because diagnostic settings are for logs, not alerts. Option A is wrong because playbooks are for response, not export.

Option C is wrong because Azure Policy is for governance.

13
MCQ · easy

You run the PowerShell command shown in the exhibit. After execution, you check the Log Analytics workspace in the Azure portal. The workspace is created successfully. However, when you try to onboard the workspace to Microsoft Sentinel, you receive an error that Sentinel cannot be enabled on this workspace. What is the most likely cause?

A. The SKU is set to PerGB2018, which is not compatible with Sentinel.
B. The resource group location is different from the workspace location.
C. The workspace is in a region that does not support Microsoft Sentinel.
D. The retention period is set to 365 days, which exceeds the maximum for Sentinel.
Answer: C

Correct. Sentinel is not available in all regions.

Why this answer

Option C is correct because Sentinel requires the Log Analytics workspace to be on a Pay-as-you-go (PerGB2018) pricing tier, but it also requires the workspace to be in a supported region. If the region is not supported, Sentinel cannot be enabled. Option D is wrong because a retention of 365 days is fine.

Option A is wrong because the PerGB2018 tier is correct. Option B is wrong because the resource group location does not affect Sentinel enablement.

14
MCQ · medium

Your organization uses Microsoft Defender for Cloud to secure a multi-cloud environment that includes Azure, AWS, and GCP resources. You need to ensure that all resources are assessed against a consistent set of security standards. What should you configure first?

A. In Defender for Cloud, add a regulatory compliance standard such as 'Azure CIS 1.4.0' and enable continuous export for all connected clouds.
B. Connect the AWS and GCP accounts to AWS Security Hub and Google Security Command Center respectively, then enable Defender for Cloud's multicloud connector.
C. Create Azure Policy initiatives and assign them to the management groups that contain the multicloud resources.
D. Configure Microsoft Sentinel to ingest security findings from AWS and GCP, then create custom alerts for compliance deviations.
Answer: A

Defender for Cloud supports applying Azure compliance standards to multicloud resources via connectors.

Why this answer

Option A is correct because regulatory compliance standards such as Azure CIS 1.4.0 can be applied across multicloud resources in Defender for Cloud. Option B is wrong because AWS Security Hub is a separate service, not integrated natively. Option C is wrong because Azure Policy is for Azure only.

Option D is wrong because Microsoft Sentinel is a SIEM, not a tool for applying compliance standards.

15
MCQ · hard

Refer to the exhibit. You are reviewing a scheduled analytics rule in Microsoft Sentinel that uses the KQL query shown. The rule is configured to run every hour. A security analyst reports that the rule is generating too many incidents. What is the most likely cause?

A. The rule is configured to run too frequently.
B. The query does not filter out known safe IP addresses sufficiently.
C. The query uses 'ago(1h)' which includes data from the previous hour, causing duplicate incidents.
D. The query has a syntax error that causes all sign-ins to match.
Answer: B

Only two IPs are excluded, so many legitimate disabled account sign-ins cause incidents.

Why this answer

Option B is correct because the query filters sign-in attempts from disabled accounts (ResultType 50057) in the last hour, but it only excludes two specific IP addresses. This means all other IP addresses (including legitimate ones) will trigger incidents, leading to many false positives. Option A is wrong because the query runs every hour, which is not too frequent.

Option D is wrong because the query is valid. Option C is wrong because the query already filters by time.

16
MCQ · medium

Your organization uses Microsoft Defender for Cloud's Cloud Security Posture Management (CSPM) to assess security posture. You notice that a critical recommendation for enabling diagnostic logs on Azure Key Vault is not appearing for a specific subscription. You have confirmed that the subscription is onboarded to Defender for Cloud. What is the most likely cause?

A. The Log Analytics workspace linked to Defender for Cloud does not contain the Key Vault diagnostics schema.
B. Diagnostic logs are disabled by default in the Azure subscription's activity log settings.
C. The subscription is not enrolled in the Defender Cloud Security Posture Management (CSPM) plan.
D. Key Vault does not support diagnostic logs; therefore, the recommendation is not applicable.
Answer: C

The CSPM plan must be enabled to get full recommendations.

Why this answer

Option C is correct because if the subscription is not using the Defender Cloud Security Posture Management (CSPM) plan, some recommendations may be missing. Option B is wrong because diagnostic logs are not disabled by default in the subscription. Option A is wrong because the recommendation is not based on Log Analytics.

Option D is wrong because Key Vault diagnostics are a standard recommendation.

17
MCQ · medium

Refer to the exhibit. A Microsoft Sentinel analytics rule uses this KQL query. What is the primary purpose of this rule?

A. Detect users who have never signed in from the US before.
B. Detect users with multiple risky sign-ins from non-US countries.
C. Detect impossible travel patterns between the US and other countries.
D. Detect users whose sign-in count is higher than the average for their region.
Answer: B

The query counts risky sign-ins from non-US countries per user and alerts if more than 3.

Why this answer

Option B is correct because the query filters for risky sign-ins from countries other than the US, then counts them per user; limiting to >3 detects users with multiple risky sign-ins from non-US countries. Option A is wrong because the query doesn't compare to previous behavior. Option D is wrong because it doesn't compare to other users.

Option C is wrong because it doesn't look for impossible travel.

18
MCQ · medium

Refer to the exhibit. A security analyst runs this KQL query in Microsoft Sentinel. What is the purpose of this query?

A. To list all alerts with severity 'High' in the last 7 days.
B. To list the top 10 most frequent alert names along with their severity over the last 7 days.
C. To list all alerts generated in the last 7 days.
D. To list the count of alerts per severity for the last 7 days.
Answer: B

The query groups by name and severity and shows top 10 by count.

Why this answer

Option B is correct because the query summarizes the count of alerts by AlertName and AlertSeverity and returns the top 10 by count descending. Option A is wrong because the query does not filter by severity. Option C is wrong because it returns the top 10, not all.

Option D is wrong because it does not filter by time beyond the initial 7 days.

19
MCQ · hard

Your company uses Microsoft Sentinel to correlate data from multiple sources. You need to create an analytics rule that triggers an incident when a user signs in from an unfamiliar location and then performs a high-risk action in Azure. What is the best approach?

A. Run a custom anomaly detection job
B. Create a Scheduled analytics rule with a KQL query
C. Create a Near-Real-Time (NRT) analytics rule
D. Create a Fusion analytics rule
Answer: D

Fusion rules correlate multiple alerts from different sources.

Why this answer

Option D is correct because the best approach is to create a Fusion rule, which uses machine learning to correlate multiple signals like an unfamiliar sign-in and Azure activity. Option B is wrong because scheduled query rules require writing KQL and can correlate, but Fusion is simpler for this scenario. Option C is wrong because NRT rules are for near-real-time single events.

Option A is wrong because anomaly rules detect outliers but not multi-step correlation.

20
MCQ · medium

Your company uses Microsoft Sentinel to monitor Azure resources. A new analytics rule is created to detect anomalous access to storage accounts. The rule runs every 5 minutes and looks at the last 15 minutes of data. After deploying, the rule generates no alerts even though you suspect there are anomalies. What is the most likely issue?

A. The rule is not enabled.
B. The rule query logic is incorrect or the entities are not properly mapped.
C. The rule severity is set too low.
D. The rule query frequency is longer than the data lookback period.
Answer: B

If the query does not match the data or entity mapping is wrong, alerts may not be generated.

Why this answer

Option B is correct because the query runs every 5 minutes looking at 15 minutes of data, so there is overlap and data should be captured; however, the rule may be misconfigured with an incorrect query or entities. Option D is wrong because the query frequency and data lookback are compatible. Option A is wrong because the rule is enabled.

Option C is wrong because rule severity does not affect alert generation.

21
MCQ · medium

Your company uses Microsoft Defender for Cloud to secure its Azure resources. The security team receives alerts about a potential brute-force attack on a Linux virtual machine. You need to verify whether the attack was successful and take immediate remediation actions. Which two Defender for Cloud features should you use together?

A. Configure adaptive application controls to whitelist allowed applications
B. Enable vulnerability assessment and review the findings
C. Enable Just-in-Time (JIT) VM access for the affected VM
D. Enable Azure DDoS Protection on the virtual network
E. Use File Integrity Monitoring (FIM) to check for changes to system files
Answers: C, E

JIT blocks unauthorized access attempts by restricting inbound traffic to specific IPs and ports, preventing brute-force attacks.

Why this answer

Option C is correct because Just-in-Time VM access can block brute-force attempts by allowing only authorized IPs and ports. Option E is correct because File Integrity Monitoring (FIM) can detect changes to critical system files, indicating a successful compromise. Option B is wrong because vulnerability assessment is for checking known vulnerabilities, not real-time attack verification.

Option A is wrong because adaptive application controls whitelist applications and are not directly related to brute-force detection. Option D is wrong because Azure DDoS Protection is for network-level DDoS, not brute-force attacks.

22
MCQ · hard

Your organization uses Microsoft Sentinel to monitor hybrid environments. You have a Log Analytics workspace that collects Windows security events. You need to create an analytics rule that triggers when a user account is created on any server, but you only want to generate an incident if the account creation occurs outside of business hours (9 AM - 5 PM). How should you configure the rule query?

A. Use SecurityEvent where EventID = 4720 and TimeGenerated !between (9:00 and 17:00).
B. Use SecurityEvent where AccountCreated and TimeGenerated !between (9:00 and 17:00).
C. Use SecurityEvent where AccountCreated and TimeGenerated between 9:00 and 17:00.
D. Use SecurityEvent where AccountCreated and then schedule the rule to run only during non-business hours.
Answer: B

This filters events outside business hours.

Why this answer

Option B is correct because the query filters events where the hour is not between 9 and 17 (24-hour format). Option D is wrong because it would trigger for any time. Option C is wrong because it filters for business hours only.

Option A is wrong because it uses a different event ID.

23
MCQ · medium

Your organization has multiple Azure subscriptions managed by Microsoft Defender for Cloud. You need to ensure that all subscriptions have the same security policies applied, and that any new subscription automatically inherits these policies. What should you do?

A. Create an Azure Blueprint and assign it to each subscription
B. Assign a policy initiative to a resource group and then move subscriptions into that group
C. Assign a policy initiative to each subscription individually
D. Assign a policy initiative at the management group level
Answer: D

Subscriptions inherit policies from their management group, including new ones.

Why this answer

Option D is correct because assigning a policy initiative at the management group level ensures all subscriptions under that group inherit the policy, including new ones. Option C is wrong because assigning at the subscription level would require manual assignment for each subscription and won't automatically apply to new ones. Option A is wrong because Azure Blueprints are being deprecated and are not the recommended approach.

Option B is wrong because Azure Policy does not support inheritance from a resource group to a subscription.

24
MCQ · medium

Your security team is investigating a potential data exfiltration incident. They have identified that a user has been downloading large amounts of data from Azure Blob Storage to an external IP address. You need to create a Microsoft Sentinel analytics rule that triggers when more than 1 GB of data is downloaded from a storage account in a single hour. Which KQL query should be the basis of the rule?

A. StorageBlobLogs | where OperationName == 'GetBlob' | summarize TotalGB = sum(ResponseBodySize) / 1073741824 by bin(TimeGenerated, 1h) | where TotalGB > 1
B. StorageBlobLogs | where OperationName == 'GetBlob' | summarize avg(ResponseBodySize) by bin(TimeGenerated, 1h) | where avg_ResponseBodySize > 1073741824
C. StorageBlobLogs | where OperationName == 'GetBlob' and ResponseBodySize > 1073741824
D. StorageBlobLogs | where OperationName == 'GetBlob' | summarize count() by bin(TimeGenerated, 1h) | where count_ > 1000
Answer: A

Correctly sums total size in GB and filters correctly.

Why this answer

Option A is correct because it sums the response body size in bytes, converts to GB, and then filters above 1 GB. Option B is wrong because it uses average instead of sum. Option D is wrong because it uses count instead of sum.

Option C is wrong because it only checks whether any single operation exceeds 1 GB.

25
Multi-Select · hard

Which THREE of the following are capabilities of Microsoft Defender for Cloud's workload protection plans?

Select 3 answers
A. Adaptive application controls
B. DDoS protection
C. Data Loss Prevention (DLP)
D. File Integrity Monitoring (FIM)
E. Just-in-time (JIT) VM access
Answers: A, D, E

Adaptive application controls whitelist applications.

Why this answer

Options A, D, and E are correct. Option E is correct because Just-in-time VM access is a feature. Option D is correct because File Integrity Monitoring is included.

Option A is correct because adaptive application controls are part of workload protection. Option B is wrong because DDoS protection is a separate service. Option C is wrong because data loss prevention is part of Microsoft Purview.

26
MCQ · easy

You are responsible for securing an Azure environment using Microsoft Defender for Cloud. You need to reduce the number of false positive security alerts for a specific Azure SQL Database. The database is regularly scanned by a legitimate security tool that generates alerts. What should you do?

A. Disable the security alert rule for SQL databases in Defender for Cloud.
B. Exclude the database from the vulnerability assessment solution.
C. Create a suppression rule for the specific alert type and source IP address.
D. Modify the Azure SQL Database firewall rules to allow the scanning tool's IP.
Answer: C

Suppression rules allow targeted suppression based on alert properties.

Why this answer

Option C is correct because creating a suppression rule in Defender for Cloud allows you to suppress alerts based on specific criteria like IP address or alert title, reducing false positives. Option A is wrong because disabling the alert rule would miss real threats. Option B is wrong because excluding the database from vulnerability assessment would also miss real vulnerabilities.

Option D is wrong because modifying the firewall rules is not related to alert suppression.

27
MCQ · medium

Your security operations center (SOC) uses Microsoft Sentinel. You need to ensure that an incident is automatically created when a specific type of alert fires from Microsoft Defender for Cloud. What is the most efficient way to configure this?

A. Create a playbook that triggers on alert and generates an incident via API.
B. Configure the Microsoft Defender for Cloud data connector in Sentinel and enable incident creation.
C. Design a workbook to monitor alerts and manually create incidents.
D. Write a scheduled analytics rule that queries Defender for Cloud logs.
Answer: B

Data connectors automatically create incidents from alerts.

Why this answer

Option B is correct because the data connector for Microsoft Defender for Cloud ingests alerts and automatically creates incidents based on the analytics rule. Option A is wrong because a playbook runs after incident creation, not before. Option C is wrong because a workbook is for visualization.

Option D is wrong because a scheduled rule queries logs but doesn't directly connect to Defender alerts.

28
MCQ · hard

Your organization is migrating to Azure and needs to protect against advanced threats like fileless malware. You must use a solution that provides real-time protection and integrates with Microsoft Defender for Cloud. What should you deploy on Azure VMs?

A. Microsoft Antimalware for Azure
B. Microsoft Defender for Endpoint (Microsoft Defender XDR)
C. Azure Monitor Agent (AMA)
D. Azure Security Center (free tier)
Answer: B

Defender for Endpoint provides real-time protection against fileless malware.

Why this answer

Option B is correct because Microsoft Defender for Endpoint (now part of Defender XDR) provides real-time protection and integrates with Defender for Cloud. Option C is wrong because AMA is an agent, not a security solution. Option A is wrong because Microsoft Antimalware does not cover fileless malware.

Option D is wrong because Azure Security Center is the same as Defender for Cloud, not an endpoint protection solution.

29
MCQ · medium

Your company has a Microsoft Sentinel workspace that ingests logs from multiple sources, including Azure Active Directory (now Microsoft Entra ID), Azure Firewall, and Microsoft 365 Defender. You are asked to create an analytics rule that detects when a user account is deleted from Microsoft Entra ID and then, within 24 hours, a large number of Azure resources are deleted in the same tenant. You have the following requirements:
- The rule must use KQL to correlate events across two tables: AuditLogs (for user deletion) and ActivityLogs (for resource deletion).
- The rule should trigger an incident only if more than 10 resources are deleted within 24 hours after the user deletion.
- The incident severity should be set to 'High'.
- The rule should run every hour and look back 24 hours.
Which of the following is the correct KQL query for the analytics rule? (Choose the best option.)

A.AuditLogs | where OperationName == 'Delete user' | extend DeletionTime = TimeGenerated | join kind=inner (ActivityLogs | where OperationName == 'Delete resource') on UserPrincipalName | where TimeGenerated between (DeletionTime .. DeletionTime + 24h) | summarize ResourceCount = count() by UserPrincipalName | where ResourceCount > 10
B.AuditLogs | where OperationName == 'Delete user' | join kind=inner (ActivityLogs) on $left.Caller == $right.Caller | where TimeGenerated < ActivityLogs_TimeGenerated and TimeGenerated + 24h > ActivityLogs_TimeGenerated | summarize ResourceCount = count() by UserPrincipalName | where ResourceCount > 10
C.AuditLogs | where OperationName == 'Delete user' | join kind=inner (ActivityLogs | where OperationName == 'Delete resource') on Caller | where TimeGenerated + 24h > ActivityLogs_TimeGenerated | summarize ResourceCount = count() by Caller | where ResourceCount > 10
D.let deletionTime = AuditLogs | where OperationName == 'Delete user' | project DeletionTime = TimeGenerated, UserPrincipalName; deletionTime | join kind=inner (ActivityLogs | where OperationName == 'Delete resource') on UserPrincipalName | where ActivityLogs_TimeGenerated between (DeletionTime .. DeletionTime + 24h) | summarize ResourceCount = count() by UserPrincipalName | where ResourceCount > 10
AnswerD

Correctly defines deletion time and joins with resource deletions within 24h.

Why this answer

Option D is correct because it captures the user deletion time with a 'let' statement, joins the resource-deletion events on the same principal, keeps only the resource deletions that fall inside the 24-hour window after the user deletion (both bounds), and then applies the >10 threshold. Option A is wrong because after the join the unqualified TimeGenerated still refers to the AuditLogs row, so its between() clause compares the deletion time with itself and never filters the ActivityLogs events. Option B is wrong because it joins the whole ActivityLogs table without filtering for resource deletions and then summarizes by a column that is not the join key.

Option C is wrong because it only applies the upper bound of the window, so resource deletions that happened before the user was deleted are counted as well. Two practical caveats: in a real workspace, Azure Activity events land in the AzureActivity table, and a duplicate column from the right side of a join is suffixed with 1 (TimeGenerated1), so project or rename the timestamp before the join rather than relying on a name such as ActivityLogs_TimeGenerated.
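The correlation in question 29, as an added example that is not part of the original question bank: the windowed join is re-implemented in Python over constructed audit and activity events so the two-sided time window (the thing options A and C get wrong) can be checked against data. The table names, column names and actor UPNs in the KQL string and sample data are assumptions for illustration; the KQL is written against the real AuditLogs and AzureActivity tables rather than the question's ActivityLogs.

```python
"""Added example (not from the page): the user-deletion -> mass resource-deletion
correlation of question 29, implemented over constructed events so the
two-sided time window can be checked against data."""
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
THRESHOLD = 10  # incident only when MORE than this many distinct resources

# Illustrative KQL for a real workspace (assumed, not the page's text): Azure
# Activity lands in the AzureActivity table, the actor of an Entra audit event
# is nested in InitiatedBy, and a duplicate right-side column after a join is
# suffixed with 1, so both timestamps are renamed before the join.
KQL = r"""
let userDeletions = AuditLogs
    | where OperationName == "Delete user"
    | project DeletionTime = TimeGenerated,
              Actor = tostring(InitiatedBy.user.userPrincipalName);
userDeletions
| join kind=inner (
    AzureActivity
    | where OperationNameValue endswith "/DELETE"
    | project DeleteTime = TimeGenerated, Actor = Caller, ResourceId
  ) on Actor
| where DeleteTime between (DeletionTime .. DeletionTime + 24h)  // both bounds
| summarize ResourceCount = dcount(ResourceId) by Actor, DeletionTime
| where ResourceCount > 10
"""


@dataclass(frozen=True)
class Event:
    time: datetime
    actor: str       # who performed the action (UPN)
    operation: str   # "Delete user" or an Azure operation such as ".../DELETE"
    target: str      # deleted user or resource ID


def correlate(audit, activity, window=WINDOW, threshold=THRESHOLD,
              require_after=True):
    """Return {actor: distinct resources deleted} for every actor who deleted a
    user and then deleted more than `threshold` distinct resources within
    `window` of that deletion.

    require_after=True applies both bounds of the window (option D).
    require_after=False mimics option C, which only caps the upper bound and so
    also counts resource deletions made *before* the user was deleted.
    """
    hits = {}
    for d in (e for e in audit if e.operation == "Delete user"):
        resources = set()
        for a in activity:
            if a.actor != d.actor or not a.operation.upper().endswith("/DELETE"):
                continue
            if a.time <= d.time + window and (a.time >= d.time or not require_after):
                resources.add(a.target)
        if len(resources) > threshold:
            hits[d.actor] = max(hits.get(d.actor, 0), len(resources))
    return hits


def sample_events():
    """Constructed sample data, not real logs."""
    t0 = datetime(2024, 5, 1, 9, 0)
    mallory, alice, bob = ("mallory@contoso.example", "alice@contoso.example",
                           "bob@contoso.example")
    audit = [
        Event(t0, mallory, "Delete user", "victim@contoso.example"),
        Event(t0 + timedelta(hours=1), alice, "Delete user", "leaver@contoso.example"),
        Event(t0, bob, "Update user", "someone@contoso.example"),
    ]
    vm_del = "MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE"
    st_del = "MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE"
    activity = []
    # mallory: 5 deletions before the user deletion (must not count) ...
    activity += [Event(t0 - timedelta(hours=2, minutes=i), mallory, vm_del, f"/vm/pre-{i}")
                 for i in range(5)]
    # ... 12 deletions in the 24 h after it (the attack) ...
    activity += [Event(t0 + timedelta(hours=2, minutes=i), mallory, vm_del, f"/vm/prod-{i}")
                 for i in range(12)]
    # ... 3 deletions 30 h later (outside the window) and one non-delete write.
    activity += [Event(t0 + timedelta(hours=30, minutes=i), mallory, st_del, f"/st/late-{i}")
                 for i in range(3)]
    activity.append(Event(t0 + timedelta(hours=5), mallory,
                          "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE", "/vm/prod-0"))
    # alice: routine offboarding, 3 disks removed.
    activity += [Event(t0 + timedelta(hours=3, minutes=i), alice,
                       "MICROSOFT.COMPUTE/DISKS/DELETE", f"/disk/{i}") for i in range(3)]
    # bob: deletes many resources but never deleted a user, so never joins.
    activity += [Event(t0 + timedelta(hours=4, minutes=i), bob,
                       "MICROSOFT.WEB/SITES/DELETE", f"/site/{i}") for i in range(15)]
    return audit, activity


if __name__ == "__main__":
    audit, activity = sample_events()
    print("two-sided window :", correlate(audit, activity))
    print("upper bound only :", correlate(audit, activity, require_after=False))
```

Running it shows the two-sided window attributing 12 resources to the attacker, while the option C style upper-bound-only window inflates that to 17 by pulling in the five deletions made before the user was removed; the threshold is deliberately applied on distinct resource IDs so a retried delete of the same resource does not count twice.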

30
MCQhard

Your company has a Microsoft Sentinel workspace that ingests logs from Azure AD, Azure Activity, and Azure Firewall. You are investigating an incident where an attacker gained access to a user's credentials and logged in from an unusual location. The sign-in log shows that the user passed MFA. You suspect that the attacker might have used a phishing attack to bypass MFA. Which Microsoft 365 Defender feature should you enable to detect such attacks?

A.Microsoft Defender for Office 365's anti-phishing policies.
B.Microsoft Entra Conditional Access policies with session control.
C.Microsoft Entra Identity Protection with user risk policy.
D.Microsoft 365 Defender's Attack simulation training.
AnswerD

Attack simulation training allows testing user susceptibility to phishing.

Why this answer

Option D is correct because Attack simulation training in Microsoft 365 Defender lets you run simulated phishing campaigns and identify the users who are susceptible to them. Option A is wrong because Defender for Office 365's anti-phishing policies filter phishing mail but do not simulate attacks. Option B is wrong because Conditional Access policies enforce access requirements such as MFA; they do not detect phishing.

Option C is wrong because Identity Protection flags risky sign-ins but does not simulate attacks. In practice, simulation measures user susceptibility; it complements rather than replaces the risk-based detections in Identity Protection and the sign-in data you are already investigating in Sentinel.

31
MCQhard

Your company, Contoso Ltd., has a hybrid environment with 500 on-premises Windows servers and 200 Azure VMs. The Azure VMs are spread across multiple subscriptions. You need to implement a centralized security monitoring solution using Microsoft Sentinel. The requirements are: - Collect security events from all on-premises servers. - Collect Azure activity logs and VM logs from all Azure subscriptions. - Detect and respond to threats using built-in and custom analytics. - Automatically remediate common threats such as disabling compromised user accounts. - Ensure compliance with regulatory standards (e.g., NIST 800-53). - Minimize administrative overhead and cost. What should you do?

A.Install Microsoft Monitoring Agent on on-premises servers and connect to a Log Analytics workspace. Enable Sentinel. Use Azure Automation runbooks for remediation.
B.Enable Microsoft Defender for Cloud on all subscriptions and install Defender for Endpoint on all servers. Forward logs to a third-party SIEM.
C.Create a Log Analytics workspace and enable Sentinel on the Free tier. Use KQL queries for detection and manual remediation.
D.Deploy Azure Arc on all on-premises servers. Use Azure Monitor Agent with Data Collection Rules to collect security events. Enable Microsoft Sentinel on a Log Analytics workspace. Configure analytics rules and automation rules with playbooks for remediation.
AnswerD

Azure Arc extends Azure management to on-premises; Azure Monitor Agent is the current standard; Sentinel provides analytics and automation.

Why this answer

Option D is correct because it meets every requirement: Azure Arc brings the on-premises servers under Azure management so the Azure Monitor Agent (AMA) can be deployed to them, Data Collection Rules define which security events are collected, Sentinel analytics rules provide built-in and custom detection, and automation rules with playbooks handle remediation such as disabling a compromised account. Option A is wrong because the legacy Log Analytics agent (MMA) is deprecated and does not support DCRs, and Azure Automation runbooks are a heavier remediation path than Sentinel playbooks. Option B is wrong because forwarding to a third-party SIEM bypasses Sentinel, which the requirements name, and Defender for Cloud plus Defender for Endpoint alone do not provide the SIEM analytics and automation requested.

Option C is wrong because relying on manual KQL queries and manual remediation does not satisfy the automated response requirement and does not minimize administrative overhead.

32
MCQmedium

You are a security engineer for a large enterprise using Microsoft Sentinel. You have multiple workspaces deployed across different Azure regions to meet data residency requirements. You need to query data across all workspaces from a single query. You have set up a workspace as the 'central' workspace for cross-workspace queries. The central workspace has the necessary permissions to access the other workspaces. Which KQL operator should you use to include data from other workspaces in your query?

A.where
B.union
C.join
D.project
AnswerB

The union operator allows you to combine tables from multiple workspaces using workspace('...').

Why this answer

Option B is correct: the 'union' operator combined with the workspace() function pulls the same table from several workspaces into one result set, for example union workspace('ws-eu').SecurityEvent, workspace('ws-us').SecurityEvent. Option C is wrong because 'join' correlates rows of two tables on a key rather than stacking them.

Option A is wrong because 'where' filters rows. Option D is wrong because 'project' selects columns.

33
MCQeasy

You are configuring Microsoft Sentinel to ingest logs from Azure Active Directory. Which two data connectors are necessary to collect sign-in logs and audit logs?

A.Azure Activity and Azure Active Directory Audit logs
B.Office 365 and Azure Active Directory Sign-in logs
C.Azure Active Directory Sign-in logs and Azure Active Directory Audit logs
D.Security Events and Azure Active Directory Sign-in logs
AnswerC

These two connectors cover the required log types.

Why this answer

Option C is correct because Entra ID sign-in logs and audit logs are two separate log types that each have to be selected for ingestion (in the current portal they appear as log-type selections within the single Microsoft Entra ID connector; older material lists them as two connectors). Option A is wrong because the Azure Activity connector collects subscription-level management-plane events, not identity logs. Option B is wrong because the Office 365 connector covers Exchange, SharePoint and Teams activity, not Entra ID.

Option D is wrong because the Security Events connector collects Windows event logs from VMs.

34
MCQhard

A security operations team uses Microsoft Sentinel to monitor sign-in logs. They receive frequent false positive alerts for 'Anonymous IP address sign-in' from a specific external IP range used by a trusted partner. The analysts want to suppress these alerts without reducing detection coverage. What is the most efficient approach?

A.Add the trusted IP range to a watchlist and reference it in the analytics rule query
B.Use an automation rule to close the incidents automatically
C.Create an alert suppression rule for the specific IP range in the analytics rule
D.Disable the analytics rule that generates the alert
AnswerC

Alert suppression rules allow filtering out specific entities (e.g., IPs) from triggering alerts while retaining detection.

Why this answer

Option C is correct because a suppression rule scoped to the partner's IP range stops those alerts while leaving the analytics rule, and therefore detection for every other source, intact. Option D is wrong because disabling the analytics rule removes the detection entirely. Option A is a workable alternative in practice (a watchlist of partner ranges can be excluded in the query), but it requires editing the rule's KQL, which the question treats as more effort than a suppression rule.

Option B is wrong because an automation rule that auto-closes the incidents still lets the alerts fire and consume analyst attention; it does not suppress them.

35
MCQmedium

A company has enabled Microsoft Defender for Cloud on all subscriptions. The security team wants to ensure that all virtual machines have vulnerability assessment solutions installed. What should they configure?

A.Enable Azure Update Management for all VMs
B.Enable the Vulnerability Assessment solution in Defender for Cloud and set it to 'On'
C.Create an Azure Policy to audit VMs without vulnerability assessment
D.Use Azure Automation to run a script that installs a vulnerability scanner
AnswerB

Defender for Cloud can auto-provision vulnerability assessment on supported VMs.

Why this answer

Option B is correct because Defender for Cloud (through Defender for Servers) can auto-provision the integrated vulnerability assessment solution, Microsoft Defender Vulnerability Management or the integrated Qualys scanner, to every supported VM, with findings reported as recommendations in the portal. Option C is wrong because an audit-only Azure Policy reports machines without a scanner but does not install one. Option A is wrong because Azure Update Management handles OS patching, not vulnerability assessment.

Option D is wrong because a custom Azure Automation script is unmanaged effort that duplicates what Defender for Cloud already provides.

36
MCQeasy

You need to ensure that all Azure storage accounts in your subscription are encrypted at rest using customer-managed keys (CMK). Which Azure Policy initiative should you assign to audit compliance?

A.NIST SP 800-53 Rev. 5
B.Azure Security Benchmark
C.ISO 27001:2013
D.CIS Microsoft Azure Foundations Benchmark
AnswerB

Azure Security Benchmark includes policy to audit storage accounts using CMK.

Why this answer

Option B is correct because the Azure Security Benchmark initiative (now published as the Microsoft Cloud Security Benchmark, MCSB, and assigned by default in Defender for Cloud) includes the audit policy for storage accounts that do not use customer-managed keys. Option C is wrong because the ISO 27001:2013 initiative does not specifically target CMK for storage. Option A is wrong because NIST SP 800-53 Rev. 5 has no direct CMK audit policy for storage accounts.

Option D is wrong because the CIS Microsoft Azure Foundations Benchmark initiative has a different scope. In practice you can also assign the single built-in storage CMK policy directly if you do not want the whole initiative.

37
MCQhard

Your organization uses Microsoft Sentinel and has enabled User and Entity Behavior Analytics (UEBA). You need to investigate a possible insider threat where a user is accessing sensitive data from unusual locations. Which Sentinel feature should you use to visualize the user's activities and related entities?

A.Hunting queries
B.UEBA investigation insights and entity pages
C.Analytics rules
D.Workbooks
AnswerB

Correct: UEBA provides entity pages with timelines and related entities.

Why this answer

Option B is correct because UEBA enriches entity pages with investigation insights, an activity timeline and the related entities (hosts, IPs, other accounts) needed to follow an insider across unusual locations. Option D is wrong because Workbooks are custom dashboards rather than entity-centric investigation views. Option A is wrong because hunting queries are for proactive searching, not for visualizing one user's behavior.

Option C is wrong because analytics rules generate alerts; they do not visualize activity.

38
MCQmedium

Your security team wants to use Microsoft Sentinel to investigate a compromised user account. They need to see the user's recent sign-in activity, Azure AD audit logs, and related alerts in a single dashboard. What feature in Sentinel should they use?

A.Create a workbook that queries sign-in logs and audit logs.
B.Navigate to the user's entity page in Sentinel.
C.Use the Investigation graph to visually explore the user's activities.
D.Create an analytics rule to detect user anomalies.
AnswerC

Investigation graph provides a visual map of entities and related events.

Why this answer

Option C is correct because the investigation graph lets the analyst pivot from the compromised user entity to the related alerts, sign-in events, audit events and other entities in one visual map. Option A is wrong because a workbook is a custom dashboard, not an entity-specific investigation view. Option D is wrong because analytics rules are for detection, not investigation.

Option B is wrong because the entity page shows a single entity's timeline and insights; the question asks for the connected view of alerts and related activity that the graph provides.

39
MCQeasy

A security analyst receives a high-severity alert in Microsoft Sentinel indicating a potential brute-force attack against an Azure VM. The analyst wants to automatically block the attacker IP for 24 hours. What is the most efficient way to achieve this?

A.Create an automation rule in Sentinel that runs a playbook to add a deny NSG rule.
B.Enable Just-in-Time VM access to restrict all RDP traffic.
C.Create an Azure Policy to deny all traffic from the attacker IP.
D.Manually add a deny rule to the NSG attached to the VM's subnet.
AnswerA

Correct: automated response via playbook.

Why this answer

Option A is correct because a Sentinel automation rule can trigger a playbook (a Logic App) that adds a deny rule for the attacker's IP to the VM's network security group the moment the incident is created. Because NSG rules have no expiry, the playbook must also handle the 24-hour limit, for example with a delayed step or a scheduled follow-up that removes the rule. Option D is wrong because a manual NSG change is not automatic. Option C is wrong because Azure Policy governs resource configuration and is not designed for real-time traffic blocking.

Option B is wrong because just-in-time VM access limits when management ports are open; it does not block a specific source IP.

40
Multi-Selectmedium

Which TWO are benefits of using Microsoft Sentinel's automation rules? (Choose two.)

Select 2 answers
A.Aggregate multiple incidents into a single incident.
B.Create new analytics rules based on incident patterns.
C.Automatically query external threat intelligence feeds.
D.Trigger a playbook when an incident is created or updated.
E.Automatically assign incidents to a specific analyst or team.
AnswersD, E

Correct: Automation rules can trigger playbooks.

Why this answer

Options D and E are correct. Automation rules can trigger playbooks when an incident is created or updated (D) and can assign incidents to an owner automatically (E); they can also change status and severity, add tags and add tasks. Option B is wrong because automation rules do not create analytics rules.

Option A is wrong because incident aggregation is handled by alert grouping in the analytics rule, not by automation rules. Option C is wrong because automation rules do not query external threat intelligence feeds; a playbook would do that.

41
MCQhard

You are a security analyst using Microsoft Sentinel. You need to create an analytics rule that triggers an incident when more than 10 failed sign-ins occur from the same IP address within 5 minutes. The rule should use a KQL query. Which query should you use?

A.SigninLogs | where ResultType !in ("0","50125") // failed attempts | summarize Count = count() by IPAddress, bin(TimeGenerated, 5m) | where Count > 10
B.SigninLogs | where ResultType != "0" | make-series Count=count() default=0 on TimeGenerated from ago(5m) to now() step 5m by IPAddress
C.SigninLogs | where ResultType == "0" | summarize Count = count() by IPAddress, bin(TimeGenerated, 5m) | where Count > 10
D.SigninLogs | where ResultType == "0" | summarize Count = count() by IPAddress, bin(time-generated, 5m) | where Count > 10
AnswerA

This query correctly groups failed sign-ins by IP and 5-minute bin, and filters for >10.

Why this answer

Option A is correct because it keeps only failed sign-ins (excluding the success code 0 and the interrupt code 50125), counts them per IP address in fixed 5-minute bins and keeps the bins with more than 10 failures. Option D is wrong because time-generated is not a valid column name; the column is TimeGenerated. Option B is wrong because make-series builds a time series for charting or anomaly functions rather than a simple aggregation, and it never applies the >10 threshold.

Option C is wrong because ResultType == "0" selects only successful sign-ins. One caveat with option A: bin() cuts time into fixed buckets, so a burst that straddles a bucket edge (for example six failures at 10:04 and six at 10:05) never exceeds the threshold in either bucket.
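Option A's fixed-bin threshold beside a sliding-window check, as an added example that is not part of the original question bank. It runs both over constructed sign-in rows (the IP addresses, timestamps and result codes are made up for illustration) to show the bucket-edge blind spot mentioned above and what a window that ignores bucket edges catches instead.

```python
"""Added example (not from the page): option A's fixed-bin threshold from
question 41, next to a sliding-window check, run over constructed sign-in
events to show the bin-edge blind spot."""
from collections import defaultdict
from datetime import datetime, timedelta

# ResultType "0" is success; 50125 and 50140 are sign-in interrupts (password
# reset / "keep me signed in" prompts), not failed credential attempts.
NON_FAILURE_CODES = {"0", "50125", "50140"}
BIN = timedelta(minutes=5)
THRESHOLD = 10


def bin_start(t, size=BIN):
    """KQL bin(TimeGenerated, 5m): floor a timestamp to its bucket start."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((t - epoch) // size) * size


def fixed_bin_hits(events, size=BIN, threshold=THRESHOLD):
    """Option A: summarize Count=count() by IPAddress, bin(TimeGenerated, 5m)
    | where Count > 10.  Returns {(ip, bucket_start): failures}."""
    counts = defaultdict(int)
    for t, ip, result in events:
        if result not in NON_FAILURE_CODES:
            counts[(ip, bin_start(t, size))] += 1
    return {key: n for key, n in counts.items() if n > threshold}


def sliding_window_hits(events, window=BIN, threshold=THRESHOLD):
    """Flag an IP if ANY span of `window` length holds more than `threshold`
    failures, regardless of where bucket edges fall.  Returns {ip: max_in_window}."""
    times_by_ip = defaultdict(list)
    for t, ip, result in events:
        if result not in NON_FAILURE_CODES:
            times_by_ip[ip].append(t)
    hits = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # shrink the window from the left
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            hits[ip] = best
    return hits


def sample_events():
    """Constructed (timestamp, IPAddress, ResultType) rows, not real SigninLogs."""
    t = datetime(2024, 5, 1, 10, 0, 0)
    rows = []
    # 203.0.113.7: 12 failures, one every 10 s from 10:04:00 to 10:05:50, then a
    # success at 10:06:00 (the password was guessed). The burst straddles the
    # 10:00-10:05 / 10:05-10:10 bucket edge: 6 failures land in each bucket.
    rows += [(t + timedelta(minutes=4, seconds=10 * i), "203.0.113.7", "50126") for i in range(12)]
    rows.append((t + timedelta(minutes=6), "203.0.113.7", "0"))
    # 198.51.100.9: 11 failures inside one bucket (10:12:00-10:12:50).
    rows += [(t + timedelta(minutes=12, seconds=5 * i), "198.51.100.9", "50126") for i in range(11)]
    # 192.0.2.1: a user mistyping a password, plus an interrupt and a success.
    rows += [(t + timedelta(minutes=m), "192.0.2.1", "50126") for m in (1, 2, 3)]
    rows.append((t + timedelta(minutes=2, seconds=30), "192.0.2.1", "50125"))
    rows.append((t + timedelta(minutes=3, seconds=30), "192.0.2.1", "0"))
    return rows


if __name__ == "__main__":
    rows = sample_events()
    print("fixed 5m bins  :", fixed_bin_hits(rows))
    print("sliding window :", sliding_window_hits(rows))
```

The fixed-bin version only reports 198.51.100.9; the twelve failures from 203.0.113.7 split six and six across the bucket edge and are missed, although the sliding window reports both. A scheduled KQL rule cannot express a true sliding window, so the usual compromises are a shorter bin than the burst you expect, or a summarize over the whole lookback without a bin run at least as often as that lookback, accepting that a burst straddling two runs can still slip through.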

42
MCQmedium

Your organization is deploying Microsoft Sentinel in a multi-region environment. You need to design a workspace architecture that minimizes data egress costs while ensuring that data from all regions is available for queries and incident investigation. The security team is centralized in the US. What should you do?

A.Deploy Sentinel workspaces in the US and Europe and use Azure Lighthouse to unify querying.
B.Deploy a Sentinel workspace in each region and use Azure Data Explorer for centralized analytics.
C.Deploy a Sentinel workspace in each region and use cross-workspace queries.
D.Deploy a single Sentinel workspace in the US and stream logs from all regions to that workspace.
AnswerD

A single workspace minimizes egress costs and simplifies management.

Why this answer

Option D is correct in this question's framing because a single workspace in the US region where the team works centralizes ingestion, analytics rules, incidents and automation, avoiding the duplicate rule sets and the cross-workspace query limits of a multi-workspace design. Option A is wrong because Azure Lighthouse is for cross-tenant delegation, not for unifying queries across workspaces within one tenant, and two workspaces still mean two sets of rules and incidents. Option B is wrong because Azure Data Explorer adds a second analytics platform and its own cost without reducing the data leaving each region.

Option C is wrong because a workspace per region with cross-workspace queries adds operational overhead and query limits; it is the right design only when data residency forces it (see question 48). Check regional bandwidth pricing before choosing, since cross-region ingestion may incur data-transfer charges.

43
MCQhard

You are configuring Microsoft Defender for Cloud's 'Workload protections' for a Kubernetes cluster that is already using Azure Kubernetes Service (AKS). The cluster has 'Azure Policy' enabled. You need to enable the 'Microsoft Defender for Containers' plan to protect the cluster. You have already enabled the plan at the subscription level. However, the cluster is not showing as protected in the 'Inventory' blade. You have confirmed that the 'Azure Policy for Kubernetes' add-on is installed. What should you do to ensure the cluster is protected?

A.Install the 'Defender profile' on the AKS cluster.
B.Enable the 'Azure Policy for Kubernetes' add-on on the cluster.
C.Wait for 24 hours for the protection to automatically apply.
D.Install the Log Analytics agent on the cluster nodes.
AnswerA

The Defender profile is required to enable protection on the AKS cluster.

Why this answer

Option A is correct because even with the plan enabled at subscription level, Defender for Containers only protects an AKS cluster once its Defender sensor (the component this question calls the 'Defender profile', a DaemonSet deployed to the nodes) is installed; auto-provisioning can deploy it, but until it is present the cluster shows as unprotected. Option B is wrong because the question states the Azure Policy for Kubernetes add-on is already installed, and it covers admission control rather than runtime protection.

Option C is wrong because waiting does nothing if the component that provides the protection has not been deployed. Option D is wrong because Defender for Containers does not use the Log Analytics agent on the nodes; the Defender sensor collects the runtime signals.

44
MCQmedium

You are a security engineer for a company that uses Microsoft Defender for Cloud with the CSPM (Cloud Security Posture Management) plan enabled. You need to ensure that all Azure subscriptions are assessed against the Microsoft Cloud Security Benchmark (MCSB). Which action should you take?

A.Assign the CIS Microsoft Azure Foundations Benchmark initiative to each subscription.
B.Assign the MCSB initiative at the management group level.
C.No action needed; MCSB is the default security policy assigned to all subscriptions.
D.Enable regulatory compliance standards in Defender for Cloud.
AnswerC

MCSB is automatically assigned as the default initiative in Defender for Cloud.

Why this answer

Option C is correct because the Microsoft Cloud Security Benchmark (MCSB) is the default initiative that Defender for Cloud assigns to every subscription it is enabled on, so the subscriptions are already assessed against it. Option A is wrong because the CIS benchmark is a different standard. Option B is wrong because no extra assignment is needed for MCSB; Defender for Cloud can manage policy at management group scope, but that does not change what is already assigned by default.

Option D is wrong because the regulatory compliance standards (PCI DSS, ISO 27001 and so on) are additional standards layered on top of the default benchmark.

45
MCQmedium

Your company has a hybrid environment with on-premises servers and Azure VMs. All resources are onboarded to Microsoft Defender for Cloud. You need to receive alerts when a critical vulnerability is detected on any server. The security team wants to minimize false positives. What should you configure?

A.Enable vulnerability assessment for servers via the integrated VA solution.
B.Configure just-in-time VM access to reduce attack surface.
C.Enable adaptive application controls to detect unapproved software.
D.Enable file integrity monitoring on critical files.
AnswerA

Correct. Vulnerability assessment scans servers for known vulnerabilities; findings surface as Defender for Cloud recommendations that you can export or automate on.

Why this answer

Option A is correct because the integrated vulnerability assessment solution (Microsoft Defender Vulnerability Management, or the integrated Qualys scanner) scans Azure VMs and Arc-enabled servers for known vulnerabilities. Note that findings surface as Defender for Cloud recommendations rather than security alerts, so to be notified about critical findings use continuous export or workflow automation on that recommendation. Option C is wrong because adaptive application controls allowlist applications; they do not detect vulnerabilities. Option B is wrong because just-in-time VM access manages RDP/SSH exposure.

Option D is wrong because file integrity monitoring tracks changes to files and registry keys, not vulnerabilities.

46
Multi-Selecthard

Your company is implementing Microsoft Defender for Cloud's Security Alerts. You need to ensure that alerts for critical severity are automatically sent to the security operations team via email and also create a ticket in ServiceNow. Which three actions should you take? (Choose three.)

Select 3 answers
A.Create a playbook in Microsoft Sentinel that triggers on alerts.
B.Install the Log Analytics agent on all VMs to collect security alerts.
C.Create a continuous export rule in Defender for Cloud to send alerts to an Event Hubs namespace.
D.Create a Logic App that listens to the Event Hubs and creates a ticket in ServiceNow.
E.Configure email notifications in Microsoft Defender for Cloud's security contacts settings for high-severity alerts.
AnswersC, D, E

Continuous export can stream alerts to Event Hubs.

Why this answer

Options C, D and E are correct. Option E covers the email requirement: Defender for Cloud's security contact settings send notifications for alerts at or above a chosen severity. Option C gets the alerts out of the portal: a continuous export rule streams alerts to an Event Hubs namespace (or a Log Analytics workspace).

Option D closes the loop: a Logic App triggered by the Event Hub creates the ServiceNow ticket. Option B is wrong because the Log Analytics agent is not needed to receive or export alerts. Option A is wrong because a Sentinel playbook is not required; Defender for Cloud's own export and workflow automation can drive the Logic App directly.

47
MCQmedium

An organization uses Microsoft Defender for Cloud to protect Azure SQL databases. They want to receive alerts when a SQL database is accessed from a suspicious location. What should they enable?

A.Enable Microsoft Defender for Cloud for Azure SQL databases
B.Enable Azure Firewall on the SQL server
C.Enable Azure SQL Database Advanced Threat Protection
D.Enable Azure SQL Database Auditing
AnswerA

Defender for Cloud provides threat detection alerts for SQL databases.

Why this answer

Option A is correct because the Azure SQL databases plan in Microsoft Defender for Cloud includes threat detection that alerts on anomalous access, including access from an unusual location. Option C is wrong only in naming: Advanced Threat Protection is the underlying feature, but it is enabled through the Defender for Cloud plan. Option D is wrong because auditing records activity but does not raise alerts.

Option B is wrong because Azure Firewall logs network traffic and does not produce SQL-specific threat alerts.

48
MCQhard

You are designing a Microsoft Sentinel deployment for a multinational company. The company requires that data from different geographic regions be stored separately to comply with data residency laws. What is the recommended approach?

A.Deploy a single Sentinel workspace and use Azure Purview to tag data for residency.
B.Deploy a single Sentinel workspace and configure diagnostic settings to send data to separate Log Analytics workspaces.
C.Deploy a single Sentinel workspace and use data collection rules to route data to different storage accounts.
D.Deploy a separate Microsoft Sentinel workspace in each required region.
AnswerD

Each workspace stores data in its region; this meets residency requirements.

Why this answer

Option D is correct because a Log Analytics workspace stores its data in the region it is created in, so a separate Sentinel workspace per region is the way to keep each region's data resident; cross-workspace queries and the multi-workspace incident view then give the SOC a unified picture. Option C is wrong because data collection rules route to Log Analytics workspaces, not to storage accounts, and Sentinel does not route data to different storage locations within one workspace. Option B is wrong because sending diagnostic data to separate workspaces is a multi-workspace design in all but name, and a single Sentinel workspace cannot govern where those other workspaces store data.

Option A is wrong because Microsoft Purview is for data governance and classification; tagging does not change where data is stored.

49
Multi-Selectmedium

Your organization is using Microsoft Sentinel to centralize security data from multiple sources. You need to ensure that data from Azure Active Directory (now Microsoft Entra ID) logs is ingested. Which two of the following should you configure? (Choose two.)

Select 2 answers
A.Enable the Microsoft 365 Defender data connector in Sentinel.
B.Configure diagnostic settings in Microsoft Entra ID to stream audit and sign-in logs to a Log Analytics workspace.
C.Create a separate Log Analytics workspace for Microsoft Entra ID logs.
D.Enable the Microsoft Entra ID data connector in Sentinel.
E.Install the Log Analytics agent on domain controllers.
AnswersB, D

Diagnostic settings send logs to the workspace.

Why this answer

Options B and D are correct. Entra ID logs reach Sentinel through a diagnostic setting on the tenant that streams audit and sign-in logs to the Log Analytics workspace (B); enabling the Microsoft Entra ID data connector in Sentinel creates that setting for the selected log types and lights up the related content (D). Option C is wrong because the logs go to the Sentinel workspace; a separate workspace is not needed. Option E is wrong because the Log Analytics agent collects from servers; Entra ID is a cloud service with no agent to install.

Option A is wrong because the Microsoft 365 Defender connector brings in XDR incidents and alerts, not Entra ID sign-in and audit logs.

50
MCQhard

A security engineer configures a Microsoft Sentinel analytics rule to detect anomalous sign-ins from unfamiliar locations. The rule uses the following KQL query: SigninLogs | where RiskLevelDuringSignIn == 'medium' or RiskLevelDuringSignIn == 'high' | summarize count() by UserPrincipalName, IPAddress, bin(TimeGenerated, 1h). After enabling the rule, no alerts are generated even though the team expects many. What is the most likely cause?

A.The query groups by IP address and user, so true anomalies (new IPs) are not detected because they appear in separate groups.
B.The analytics rule is disabled due to a pricing tier downgrade.
C.The rule's trigger threshold is set too high (e.g., 100 events).
D.The SigninLogs data connector is not properly configured and is ingesting data with a 24-hour delay.
AnswerA

The query groups by IP, so each IP appears once; the rule doesn't compare against historical IPs.

Why this answer

Option A is correct because the query only groups risky sign-ins by user, IP address and hour; it never compares an IP or location against that user's history, so it cannot express 'unfamiliar', and the counts it produces carry no anomaly signal. Option B is wrong because nothing in the scenario indicates the rule was disabled or the tier changed. Option C is wrong because the query has no count threshold at all.

Option D is wrong because a delayed connector would still produce late alerts rather than none. Also check that RiskLevelDuringSignIn is actually populated: the values are lowercase ('low', 'medium', 'high'), and without Microsoft Entra ID P2 the risk level is reported as 'hidden', so this filter matches nothing.
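The contrast in question 50, as an added example that is not part of the original question bank: the page's group-by query beside a baseline comparison that actually defines 'unfamiliar' (a user/country pair not seen in the prior 30 days), both run over constructed sign-in rows. The KQL string is an assumed equivalent of the Python baseline function, not the page's query; user names, IPs and countries are made up.

```python
"""Added example (not from the page): why question 50's query cannot detect an
unfamiliar location, beside a baseline comparison that can.  Python over
constructed sign-ins; the KQL shown is an assumed equivalent, not the page's."""
from collections import defaultdict
from datetime import datetime, timedelta

RISKY = {"medium", "high"}  # SigninLogs values are lowercase; "hidden" without Entra ID P2
BASELINE = timedelta(days=30)
LOOKBACK = timedelta(hours=1)

# Assumed KQL equivalent of unfamiliar_location_signins(): the last hour is
# anti-joined against the distinct (user, country) pairs of the prior 30 days.
KQL = r"""
let known = SigninLogs
    | where TimeGenerated between (ago(30d) .. ago(1h)) and ResultType == "0"
    | extend Country = tostring(LocationDetails.countryOrRegion)
    | distinct UserPrincipalName, Country;
SigninLogs
| where TimeGenerated > ago(1h) and ResultType == "0"
| extend Country = tostring(LocationDetails.countryOrRegion)
| join kind=leftanti known on UserPrincipalName, Country
| project TimeGenerated, UserPrincipalName, Country, IPAddress, RiskLevelDuringSignIn
"""


def grouped_only(signins):
    """The page's query: one row per (user, ip, hour) of medium/high-risk
    sign-ins.  Nothing here knows whether the location is new for the user."""
    counts = defaultdict(int)
    for s in signins:
        if s["risk"] in RISKY:
            hour = s["time"].replace(minute=0, second=0, microsecond=0)
            counts[(s["user"], s["ip"], hour)] += 1
    return dict(counts)


def unfamiliar_location_signins(signins, now, baseline=BASELINE, lookback=LOOKBACK):
    """Successful sign-ins in the last `lookback` from a (user, country) pair
    never seen in the preceding `baseline` period.  A user with no history at
    all (a new hire) is flagged on every sign-in; production rules usually
    require a minimum baseline before trusting the result."""
    recent_start = now - lookback
    known = {
        (s["user"], s["country"])
        for s in signins
        if s["result"] == "0" and now - baseline <= s["time"] < recent_start
    }
    return [
        s for s in signins
        if s["result"] == "0" and s["time"] >= recent_start
        and (s["user"], s["country"]) not in known
    ]


NOW = datetime(2024, 5, 31, 12, 0)


def sample_signins():
    """Constructed sign-in rows, not real SigninLogs."""
    alice, bob, carol = "alice@contoso.example", "bob@contoso.example", "carol@contoso.example"

    def row(time, user, ip, country, result="0", risk="none"):
        return {"time": time, "user": user, "ip": ip, "country": country,
                "result": result, "risk": risk}

    # 28 days of alice signing in from the US: the baseline.
    rows = [row(datetime(2024, 5, day, 9, 0), alice, "192.0.2.10", "US") for day in range(2, 30)]
    # The last hour:
    rows += [
        row(NOW - timedelta(minutes=50), alice, "192.0.2.10", "US"),                   # familiar
        row(NOW - timedelta(minutes=40), alice, "203.0.113.5", "BR", risk="hidden"),   # new country, no P2
        row(NOW - timedelta(minutes=30), alice, "192.0.2.10", "US", risk="medium"),    # familiar but risky
        row(NOW - timedelta(minutes=20), bob, "198.51.100.3", "DE"),                   # new hire, no history
        row(NOW - timedelta(minutes=15), carol, "203.0.113.9", "FR", result="50126", risk="high"),  # failed
    ]
    return rows


if __name__ == "__main__":
    rows = sample_signins()
    print("page's query rows:", grouped_only(rows))
    print("unfamiliar       :", [(s["user"], s["country"])
                                 for s in unfamiliar_location_signins(rows, NOW)])
```

On this data the page's query returns two rows, alice's risky sign-in from her usual US address and carol's failed attempt, neither of which is an unfamiliar location, and it never sees alice's Brazil sign-in because the tenant reports risk as 'hidden'. The baseline function flags exactly the Brazil sign-in and the new hire, which is why production 'unfamiliar location' rules are built on a per-user history rather than on RiskLevelDuringSignIn alone.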

51
MCQhard

Refer to the exhibit. You are reviewing a custom Azure Policy definition that will be assigned to a subscription to audit storage accounts and Cosmos DB accounts. The policy is intended to check whether these resources use customer-managed keys (CMK) for encryption. However, when you test the policy assignment, it does not evaluate Cosmos DB accounts. What is the most likely reason?

A.The policy rule only includes 'Microsoft.Storage/storageAccounts' in the if condition; Cosmos DB is not evaluated because the policy definition is incomplete.
B.The policy mode is set to 'All', which excludes Cosmos DB resources.
C.The existence condition in 'auditIfNotExists' only checks for storage account encryption; it does not evaluate Cosmos DB encryption properties.
D.Cosmos DB does not support customer-managed keys; the policy cannot be applied to that resource type.
AnswerC

The existence condition is tied to the storage account encryption type; for Cosmos DB, the property path differs.

Why this answer

Option C is correct because the existence condition only references the storage account's encryption type (keySource); Cosmos DB exposes its customer-managed key through a different property, so the condition never evaluates a Cosmos DB account. Option D is wrong because Azure Cosmos DB does support customer-managed keys. Option B is wrong because mode 'All' evaluates every resource type the rule targets; it does not exclude Cosmos DB.

Option A is wrong because the if condition already includes both resource types; the gap is in the existence condition, not in the resource selection.

52
MCQmedium

Refer to the exhibit. You assign this Azure Policy definition to a subscription containing a storage account that uses Microsoft-managed keys. What is the compliance state of the storage account?

A.Non-compliant
B.Compliant
C.Not evaluated because the policy is not assigned
D.Error: Policy effect 'audit' not supported
AnswerA

The policy requires keySource = Microsoft.Keyvault; the account has keySource = Microsoft.Storage.

Why this answer

Option A is correct because the policy audits storage accounts whose keySource is not Microsoft.Keyvault; this account uses Microsoft-managed keys (keySource = Microsoft.Storage), so it matches the rule and is reported as non-compliant. Option B is wrong for the same reason.

Option C is wrong because the question states the policy is assigned to the subscription that contains the account. Option D is wrong because 'audit' is a supported effect; it records non-compliance without blocking the resource.
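The property-path point behind questions 51 and 52, as an added example that is not part of the original question bank: a miniature evaluator applies one audit rule for customer-managed keys to constructed storage and Cosmos DB resource documents, testing each type through its own property (keySource for storage, keyVaultKeyUri for Cosmos DB) so both are actually evaluated. The rule is written here for illustration and is not the exhibit; the alias strings follow Azure Policy's convention of resource type plus property path and should be verified against `az provider show --namespace <ns> --expand "resourceTypes/aliases"` before use.

```python
"""Added example (not from the page): a miniature Azure Policy evaluator that
applies one audit rule for customer-managed keys to storage and Cosmos DB
accounts.  Each type is tested through its own property path (the point of
questions 51 and 52).  Alias strings are assumptions to verify with
`az provider show --namespace <ns> --expand "resourceTypes/aliases"`."""

POLICY_RULE = {
    "if": {
        "anyOf": [
            {"allOf": [
                {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                {"field": "Microsoft.Storage/storageAccounts/encryption.keySource",
                 "notEquals": "Microsoft.Keyvault"},
            ]},
            {"allOf": [
                {"field": "type", "equals": "Microsoft.DocumentDB/databaseAccounts"},
                {"field": "Microsoft.DocumentDB/databaseAccounts/keyVaultKeyUri",
                 "exists": "false"},
            ]},
        ]
    },
    "then": {"effect": "audit"},
}


def resolve(resource, field):
    """Top-level fields come straight off the resource; an alias such as
    'Microsoft.Storage/storageAccounts/encryption.keySource' maps to
    properties.encryption.keySource, and only when the resource type matches."""
    if field in ("type", "name", "location", "id"):
        return resource.get(field)
    prefix = resource.get("type", "").lower() + "/"
    if not field.lower().startswith(prefix):
        return None  # alias belongs to another resource type
    node = resource.get("properties", {})
    for part in field[len(prefix):].split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches(resource, cond):
    """The subset of policy conditions used above; string compares are
    case-insensitive, as they are in Azure Policy."""
    if "allOf" in cond:
        return all(matches(resource, c) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(resource, c) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(resource, cond["not"])
    value = resolve(resource, cond["field"])
    if "equals" in cond:
        return str(value).lower() == cond["equals"].lower()
    if "notEquals" in cond:
        return str(value).lower() != cond["notEquals"].lower()
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def applicable_types(cond):
    """Resource types named by 'type equals' conditions anywhere in the rule."""
    if cond.get("field") == "type" and "equals" in cond:
        return {cond["equals"].lower()}
    found = set()
    for key in ("allOf", "anyOf"):
        for c in cond.get(key, []):
            found |= applicable_types(c)
    return found


def evaluate(rule, resources):
    """Compliance per resource ID for an audit rule: in-scope types are
    NonCompliant when the `if` matches and Compliant otherwise; types the rule
    never names are not evaluated (a simplified model of policy applicability)."""
    types = applicable_types(rule["if"])
    states = {}
    for r in resources:
        if r["type"].lower() not in types:
            states[r["id"]] = "NotApplicable"
        else:
            states[r["id"]] = "NonCompliant" if matches(r, rule["if"]) else "Compliant"
    return states


# Constructed resource documents in the shape of Resource Manager GET responses.
SAMPLE_RESOURCES = [
    {"id": "/sub/rg/st-mmk", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"encryption": {"keySource": "Microsoft.Storage"}}},    # question 52
    {"id": "/sub/rg/st-cmk", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"encryption": {"keySource": "Microsoft.Keyvault",
                                   "keyvaultproperties": {"keyname": "st-cmk"}}}},
    {"id": "/sub/rg/cosmos-mmk", "type": "Microsoft.DocumentDB/databaseAccounts",
     "properties": {}},
    {"id": "/sub/rg/cosmos-cmk", "type": "Microsoft.DocumentDB/databaseAccounts",
     "properties": {"keyVaultKeyUri": "https://kv-contoso.vault.azure.net/keys/cosmos-cmk"}},
    {"id": "/sub/rg/vm01", "type": "Microsoft.Compute/virtualMachines", "properties": {}},
]

if __name__ == "__main__":
    for rid, state in evaluate(POLICY_RULE, SAMPLE_RESOURCES).items():
        print(f"{state:14} {rid}")
```

The storage account with Microsoft-managed keys comes out NonCompliant (question 52), the virtual machine is not evaluated at all, and the Cosmos DB accounts get a verdict only because the rule carries a second branch with the Cosmos DB property path; drop that branch and every Cosmos DB account silently falls out of the evaluation, which is the failure question 51 describes.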

53
MCQhard

A security team uses Microsoft Defender for Cloud's regulatory compliance dashboard to track compliance with PCI DSS. They notice that some controls are marked as 'N/A' even though they have relevant resources. What is the most likely reason?

A.The resources do not have the required custom assessment.
B.The compliance dashboard requires a Microsoft Purview Compliance Manager license.
C.The resources are in a subscription that is not included in the scope of the compliance standard.
D.The resources have not been manually claimed as compliant.
AnswerC

Scope determines which resources are assessed.

Why this answer

Option C is correct because the regulatory compliance dashboard assesses only the subscriptions and resource groups that are in scope for the selected standard; controls whose resources sit in an out-of-scope subscription show as 'N/A'. Option D is wrong because the dashboard reports automated assessments; manual attestations are tracked separately and do not produce 'N/A'.

Option A is wrong because the standards ship with built-in assessments; custom assessments are not required for them to evaluate. Option B is wrong because the dashboard is available without a Microsoft Purview Compliance Manager license.

54
Multi-Selectmedium

Your company uses Microsoft Defender for Cloud to protect Azure resources. You want to enable the 'Defender for Containers' plan to secure AKS clusters. Which two configurations are necessary? (Choose two.)

Select 2 answers
A.Assign the 'Kubernetes cluster should be accessible only through private endpoint' Azure Policy.
B.Connect the AKS cluster to Azure Arc.
C.Enable the 'Defender for Containers' plan in Microsoft Defender for Cloud.
D.Install the Log Analytics agent on each AKS node.
E.Ensure the AKS cluster's audit logs are enabled and streamed to a Log Analytics workspace.
AnswersC, E

The plan must be enabled for the subscription.

Why this answer

Options C and E are correct. Option C is correct because the Defender for Containers plan must be enabled for the subscription. Option E is correct because the Kubernetes (control-plane) audit logs are what the plan's agentless detections analyse, so they must be available to the plan.

Option A is wrong because restricting the API server to a private endpoint is a hardening recommendation, not a prerequisite for the plan. Option D is wrong because the plan uses the Defender sensor DaemonSet, not the Log Analytics agent on each node. Option B is wrong because Azure Arc is for Kubernetes clusters outside Azure (on-premises or other clouds), not for AKS.

55
MCQmedium

Your organization uses Microsoft Defender for Cloud's workload protection for Azure SQL databases. You notice that Defender for Cloud is not generating alerts for anomalous activities on a specific SQL database. The database is in a VNet with a service endpoint enabled for SQL. What should you verify first?

A.Ensure the service endpoint is configured correctly.
B.Enable Advanced Threat Protection on the Azure SQL Server.
C.Enable auditing on the SQL database.
D.Configure a firewall rule to allow Defender for Cloud IP addresses.
AnswerB

Correct: ATP must be enabled for alerts.

Why this answer

Option B is correct because Advanced Threat Protection (the Defender for SQL setting) must be enabled at the logical server level before Defender for Cloud can monitor the databases on it; if it is off, no threat alerts are produced regardless of the networking configuration. Option C is wrong because auditing is not a prerequisite for ATP alerts. Option A is wrong because a VNet service endpoint restricts client access paths and does not interfere with ATP.

Option D is wrong because Defender for Cloud's threat detection is an internal service; no SQL firewall rule for Defender IP addresses is needed.

56
MCQeasy

Your company has deployed Microsoft Defender for Cloud in all subscriptions. You need to ensure that all Azure SQL databases are protected by Advanced Threat Protection (ATP). You want to enable ATP at the subscription level so that new databases are automatically protected. The security policy must be enforced to prevent administrators from disabling ATP on individual databases. What should you do?

A.Create an Azure Policy assignment using the built-in policy 'Advanced Threat Protection should be enabled on your SQL servers' with a 'Deny' effect.
B.Create a custom Azure Policy with a 'Deny' effect that prevents setting the Advanced Threat Protection setting to 'Disabled' on SQL databases.
C.Enable the 'Azure SQL databases' plan in Defender for Cloud at the subscription level.
D.Create an Azure Policy assignment that audits if Advanced Threat Protection is enabled on SQL databases, and remediate non-compliant resources.
AnswerB

A custom policy with Deny effect will block any attempt to disable ATP, enforcing the protection.

Why this answer

Option B is correct because it uses a custom Azure Policy with a 'Deny' effect to enforce that Advanced Threat Protection (ATP) cannot be disabled on any SQL database, including new ones. This approach ensures that the security policy is enforced at the subscription level, preventing administrators from turning off ATP on individual databases, which aligns with the requirement for automatic protection and enforcement.

Exam trap

The trap here is that candidates often confuse enabling a Defender for Cloud plan (which only activates threat detection) with enforcing a security configuration via Azure Policy, failing to realize that only a 'Deny' effect can prevent administrators from disabling ATP on individual databases.

How to eliminate wrong answers

Option A is wrong because the built-in policy 'Advanced Threat Protection should be enabled on your SQL servers' typically uses an 'AuditIfNotExists' or 'DeployIfNotExists' effect, not a 'Deny' effect, and it audits or deploys the setting rather than preventing its disablement. Option C is wrong because enabling the 'Azure SQL databases' plan in Defender for Cloud at the subscription level only activates the Defender for Cloud pricing tier and threat detection alerts, but it does not enforce ATP configuration on individual databases or prevent administrators from disabling it. Option D is wrong because auditing and remediating non-compliant resources only identifies and fixes non-compliance after the fact, but does not enforce the policy to prevent administrators from disabling ATP on individual databases.

57
MCQmedium

A company uses Microsoft Defender for Cloud to secure its hybrid environment. The security team notices that many alerts are low severity and causing alert fatigue. They want to reduce noise without missing critical threats. What should they configure?

A.Manually dismiss each low-severity alert
B.Disable low-severity alerts in Microsoft Defender for Cloud
C.Configure security policies with severity-based suppression rules
D.Enable Microsoft Entra Permissions Management
AnswerC

Severity-based suppression rules reduce noise while maintaining visibility on critical alerts.

Why this answer

Option C is correct because security policies with severity-based suppression rules allow filtering out low-severity alerts while keeping high-severity ones. Option B is wrong because disabling all low-severity alerts would miss potentially important indicators. Option A is wrong because manual suppression is not scalable.

Option D is wrong because Microsoft Entra Permissions Management is for identity permissions, not alert suppression.

58
MCQeasy

Your company has multiple Azure subscriptions and wants to use Microsoft Sentinel as a SIEM. You need to collect security events from all Azure VMs, including existing and future ones. What should you use?

A.Use the Azure portal to enable 'Security Center' on each VM.
B.Use Azure Automation Desired State Configuration (DSC) to push the agent.
C.Manually install the Log Analytics agent on each VM.
D.Create an Azure Policy assignment to deploy the Log Analytics agent.
AnswerD

Azure Policy can automatically deploy the agent to all VMs in scope.

Why this answer

Option D is correct because Azure Policy with the DeployIfNotExists effect can automatically deploy the Log Analytics agent to all VMs in a subscription. Option C is wrong because manual installation is not scalable. Option B is wrong because Azure Automation DSC is for configuration management, not agent deployment.

Option A is wrong because the Azure portal VM blade is manual.

59
MCQmedium

A company uses Microsoft Sentinel as its SIEM. The security team wants to automatically respond to phishing emails detected by Microsoft Defender XDR. They want to create a playbook that, when triggered, will delete the email from all recipients' mailboxes. Which integration should the playbook use?

A.Microsoft Graph API
B.Microsoft Power Automate
C.Exchange Online PowerShell
D.Microsoft 365 Defender API
AnswerA

Graph API can perform actions like deleting emails from mailboxes.

Why this answer

Option A is correct because Microsoft Graph API allows actions like deleting emails from mailboxes, and Sentinel playbooks can call Graph API. Option D is wrong because Microsoft 365 Defender API is for threat data, not mailbox actions. Option C is wrong because Exchange Online PowerShell is not directly callable from Sentinel playbooks.

Option B is wrong because Microsoft Power Automate is the platform, not the integration.

60
MCQhard

You have configured Microsoft Sentinel to ingest logs from Azure Active Directory (now Microsoft Entra ID). You notice that sign-in logs for external guest users are not appearing in Sentinel. What is the most likely cause?

A.The diagnostic settings in Microsoft Entra ID are not configured to stream sign-in logs to the Log Analytics workspace used by Sentinel.
B.Microsoft Sentinel does not support ingestion of external guest user sign-in logs.
C.The Microsoft Sentinel Entra ID connector requires a separate connector for guest users.
D.Guest user sign-ins are not logged in Microsoft Entra ID.
AnswerA

To ingest sign-in logs, you must configure diagnostic settings in Entra ID to send logs to the workspace.

Why this answer

Sentinel ingestion of Entra ID logs requires diagnostic settings to be configured on the Entra ID tenant. By default, diagnostic settings are not enabled for external guest user sign-ins. Option A is correct.

Option C is wrong because a separate connector for guest users is not a requirement. Option D is incorrect because guest user sign-ins are logged but need diagnostic settings. Option B is incorrect because the connector does not filter by user type.

61
Multi-Selecteasy

Which TWO Microsoft Defender for Cloud plans specifically provide threat detection for Azure Storage?

Select 2 answers
A.Defender for Storage
B.Defender for Servers
C.Defender for SQL
D.Defender for App Service
E.Defender for Storage (classic)
AnswersA, E

Correct: new plan for storage.

Why this answer

Option A is correct: Defender for Storage. Option E is correct: Defender for Storage (classic). Option B (Defender for Servers) is for VMs; Option C (Defender for SQL) is for databases; Option D (Defender for App Service) is for web apps.

62
Multi-Selectmedium

You need to ensure that Microsoft Sentinel can detect threats across your Azure environment, including virtual machines, network traffic, and user activities. Which TWO data sources should you connect?

Select 2 answers
A.Windows Security Events via AMA
B.Azure DNS
C.Office 365
D.Azure Firewall
E.Azure Activity
AnswersA, E

Provides OS-level events from VMs.

Why this answer

Options A and E are correct because Azure Activity logs provide management plane activities, and Windows Security Events provide OS-level events from VMs. Option B is wrong because Azure DNS logs are not a standard Sentinel connector. Option D is wrong because Azure Firewall logs are for specific firewall traffic, not broad network traffic.

Option C is wrong because Office 365 logs are for Microsoft 365, not Azure VMs.

63
Multi-Selectmedium

Your organization uses Microsoft Sentinel to monitor security events. You need to configure automated response actions for incidents. Which TWO of the following can be used to trigger automated responses in Microsoft Sentinel?

Select 2 answers
A.Workbooks
B.Watchlists
C.Hunting queries
D.Automation rules
E.Playbooks (Azure Logic Apps)
AnswersD, E

Automation rules allow you to centrally manage automated responses for incidents.

Why this answer

Option E (Playbooks) is correct: playbooks are automated workflows that can be triggered from analytics rules. Option D (Automation rules) is correct: automation rules centrally manage automated responses. Option A (Workbooks) is wrong: workbooks are visualizations, not automated responses.

Option B (Watchlists) is wrong: watchlists are data sources. Option C (Hunting queries) is wrong: hunting queries are proactive searches, not automated responses.

64
MCQhard

Refer to the exhibit. You assign this policy to a subscription that already has a security contact configured with email 'admin@contoso.com'. What will be the outcome?

A.The policy will not modify the existing security contact because it already exists.
B.The policy will fail because the security contact already exists.
C.The subscription will become non-compliant because the email does not match.
D.The policy will overwrite the existing security contact with the one in the policy.
AnswerA

The existence condition checks for a contact with non-empty email; since one exists, no deployment occurs.

Why this answer

Option A is correct because the policy only deploys if no security contact exists with a non-empty email. Since a contact exists, the policy will not modify it. Option D is wrong because the policy uses deployIfNotExists with an existence check, so it does not overwrite the existing contact.

Option B is wrong because the policy won't fail. Option C is wrong because the subscription is not evaluated as non-compliant.

65
Multi-Selecthard

A company uses Microsoft Defender for Cloud's workload protection for Azure Storage. They want to receive alerts when there is suspicious access to blob storage. Which TWO features should they enable?

Select 2 answers
A.Azure Storage Firewall
B.Azure Defender for Storage
C.Azure Storage Encryption
D.Microsoft Defender for Cloud for Storage
E.Diagnostic settings to send storage logs to a Log Analytics workspace
AnswersD, E

Provides threat detection alerts for storage.

Why this answer

Options D and E are correct because Microsoft Defender for Cloud for Storage includes threat detection that alerts on suspicious access patterns, and enabling logging to the Log Analytics workspace provides detailed data for analysis. Option A is wrong because Azure Storage Firewall restricts access but does not generate alerts. Option C is wrong because Azure Storage Encryption protects data at rest, not access monitoring.

Option B is wrong because Azure Defender is the old name; the correct name is Microsoft Defender for Cloud.

66
MCQhard

You are a security engineer for a multinational company with 5000 Azure VMs across multiple subscriptions. You have deployed Microsoft Sentinel to ingest logs from all VMs via the Log Analytics agent. You need to create a detection rule that identifies potential cryptocurrency mining activity based on network traffic patterns. The rule should trigger an incident when any single VM communicates with a known mining pool IP address over port 3333, 4444, or 8333 within a 5-minute window. Additionally, to reduce noise, the rule should only trigger if the same VM sends more than 10 such connections in that window. You have a custom KQL function that extends the CommonSecurityLog table with an 'IsMiningPool' boolean column. Which of the following approaches should you use to create the rule?

A.Use a scheduled query rule with the query: CommonSecurityLog | where DestinationPort in (3333,4444,8333) | summarize ConnectionCount = count() by SourceIP | where ConnectionCount > 10.
B.Use a scheduled query rule with the query: CommonSecurityLog | where IsMiningPool == true | summarize UniqueDestIPs = dcount(DestinationIP) by SourceIP | where UniqueDestIPs > 10.
C.Use a scheduled query rule with the query: CommonSecurityLog | where IsMiningPool == true | summarize ConnectionCount = count() by SourceIP, DestinationPort | where ConnectionCount > 10.
D.Use an NRT query rule with the query: CommonSecurityLog | where IsMiningPool == true | where count() > 10.
AnswerC

Correctly filters, aggregates by source IP, and uses threshold.

Why this answer

Option C is correct because it uses the custom function to filter, counts connections per VM, and applies the threshold of 10. Option D is wrong because it uses a simple threshold without aggregation. Option B is wrong because it looks for 10 different IPs, not connections.

Option A is wrong because it doesn't use the custom function and instead uses a port list, which is less maintainable.

67
MCQhard

A company uses Microsoft Defender for Cloud to assess the security posture of its Azure resources. The security team notices that the secure score is lower than expected because many recommendations are marked as 'Unhealthy' for resources that are not yet deployed (planned resources). How should you ensure that the secure score accurately reflects only deployed resources?

A.Create custom Azure Policy initiatives that exclude non-deployed resources.
B.Disable the recommendations for resources that are not yet deployed.
C.Assign Azure Policy to audit only deployed resources and create exemptions for planned resources.
D.Ensure that only resources with a specific tag are assessed.
AnswerC

Exemptions allow you to exclude specific resources from compliance evaluation, improving secure score accuracy.

Why this answer

Option C is correct because assigning Azure Policy at the management group scope with a 'DeployIfNotExists' or 'AuditIfNotExists' effect can enforce governance on deployed resources only, with exemptions used for non-deployed resources. Option B is wrong because disabling recommendations affects all resources. Option D is wrong because the secure score automatically considers only assessed resources, but the issue might be with planned resources being assessed incorrectly.

Option A is wrong because creating custom initiatives does not filter out non-deployed resources automatically.

68
MCQeasy

Your organization uses Microsoft Defender for Cloud to assess regulatory compliance. You need to ensure that the compliance dashboard reflects the latest standards and that custom assessments are included. What should you do?

A.Configure Microsoft Purview compliance portal to include Azure subscriptions.
B.Use Azure Policy to apply custom definitions and assign to management groups.
C.Create an Azure Blueprint with custom policies.
D.Add a custom regulatory compliance standard in Defender for Cloud.
AnswerD

Correct. You can add custom standards and initiatives to the compliance dashboard.

Why this answer

Option D is correct because the regulatory compliance dashboard in Defender for Cloud allows you to add custom initiatives and standards, including custom assessments. Option C is wrong because Azure Blueprints are deprecated and not the correct tool. Option B is wrong because Azure Policy alone does not integrate with the compliance dashboard.

Option A is wrong because Microsoft Purview compliance portal is for data governance, not cloud security compliance assessment.

69
MCQhard

Refer to the exhibit. You are reviewing an Azure Policy initiative definition in Microsoft Defender for Cloud. The initiative includes a policy definition with reference ID 'CIS-1.1'. The policy definition ID is '/providers/Microsoft.Authorization/policyDefinitions/abc123'. You need to verify that the policy definition exists and is correctly assigned. Which Azure CLI command should you run?

A.az policy assignment list --query "[?policyDefinitionId=='/providers/Microsoft.Authorization/policyDefinitions/abc123']"
B.az policy set-definition show --name "CIS Benchmark v1.1.0"
C.az policy definition list --query "[?id=='/providers/Microsoft.Authorization/policyDefinitions/abc123']"
D.az policy definition show --id /providers/Microsoft.Authorization/policyDefinitions/abc123
AnswerD

Shows the details of the specified policy definition.

Why this answer

Option D is correct because 'az policy definition show' retrieves details of a policy definition by ID. Option A is wrong because 'az policy assignment list' lists assignments, not definitions. Option B is wrong because 'az policy set-definition show' shows initiative definitions, not individual definitions.

Option C is wrong because 'az policy definition list' lists all definitions, not a specific one.

70
MCQhard

A security analyst reports that Microsoft Sentinel is not receiving Windows Security Events from Azure VMs that have the Log Analytics agent installed. The agent shows as connected, and other data sources (e.g., performance counters) are flowing. What is the most likely cause?

A.The Microsoft Sentinel solution is not installed on the VM.
B.The Azure VM has a network security group blocking port 443.
C.The Log Analytics workspace key is incorrect.
D.The Windows Security Events connector is not configured to collect the required event IDs.
AnswerD

Correct. The connector must be configured to collect specific event IDs; otherwise, security events are not sent.

Why this answer

Option D is correct because the Windows Security Events connector in Sentinel requires specific event IDs to be collected; if the data collection rule or agent configuration does not include the required event IDs, the events won't be sent. Option C is wrong because a Log Analytics workspace key or certificate issue would affect all data, not just security events. Option B is wrong because if the agent is connected, network connectivity is fine.

Option A is wrong because the Microsoft Sentinel solution is installed at the workspace level, not per VM.

71
Multi-Selectmedium

Which TWO of the following are valid ways to integrate Microsoft Sentinel with Microsoft Defender XDR?

Select 2 answers
A.Configure the Microsoft Defender XDR data connector
B.Use Azure Lighthouse to connect Defender XDR to Sentinel
C.Deploy a playbook that polls Defender XDR APIs
D.Enable automatic incident creation in the Microsoft Defender XDR connector
E.Create a custom log analytics workspace query
AnswersA, D

The data connector ingests alerts and incidents.

Why this answer

Options A and D are correct. Option A is correct because the data connector for Microsoft Defender XDR ingests alerts. Option D is correct because enabling automatic incident creation in the connector creates incidents.

Option C is wrong because playbooks are for automation, not integration. Option B is wrong because Azure Lighthouse is for cross-tenant delegation, not for connecting Defender XDR to Sentinel. Option E is wrong because custom logs do not integrate automatically.

72
Multi-Selecthard

Which THREE are prerequisites for integrating Microsoft Sentinel with Microsoft Defender XDR? (Choose three.)

Select 3 answers
A.Appropriate permissions (Security Administrator or Global Administrator)
B.The Microsoft 365 Defender data connector must be enabled in Sentinel
C.The Microsoft Monitoring Agent installed on all endpoints
D.A valid license for Microsoft 365 Defender (or individual workloads)
E.An Azure Sentinel workspace in the same region as the Microsoft 365 tenant
AnswersA, B, D

Correct: Required to enable the connector.

Why this answer

Options A, B, and D are correct. You need appropriate permissions (A), the data connector enabled in Sentinel (B), and a valid license for Microsoft 365 Defender (D). Option E is wrong because you don't need an Azure Sentinel workspace in a specific region; any region works.

Option C is wrong because you don't need to install agents on endpoints; Defender XDR collects data automatically.

73
MCQeasy

You need to prioritize security recommendations in Microsoft Defender for Cloud. Your compliance team requires a framework that maps to regulatory standards. What should you use?

A.Regulatory compliance standards
B.Azure Policy compliance dashboard
C.Inventory feature
D.Secure score
AnswerA

Regulatory compliance standards directly map recommendations to frameworks.

Why this answer

Option A is correct because regulatory compliance standards in Defender for Cloud map recommendations to specific frameworks. Option D is wrong because secure score is for overall posture. Option B is wrong because Azure Policy is the underlying engine.

Option C is wrong because inventory lists resources.

74
MCQhard

You are configuring Microsoft Sentinel to use a playbook for automated response to incidents. The playbook needs to block the source IP address of a malicious sign-in on the Azure Firewall. Which Microsoft Sentinel feature should the playbook use?

A.Azure Automation runbooks
B.Azure Functions
C.Azure Logic Apps
D.KQL queries
AnswerC

Playbooks are built on Azure Logic Apps.

Why this answer

Option C is correct because Azure Logic Apps is the engine that runs playbooks. Option D is wrong because KQL is a query language, not an automation tool. Option B is wrong because Azure Functions can be used within logic apps but are not the primary playbook runner.

Option A is wrong because Azure Automation runbooks are not directly integrated with Sentinel playbooks.

75
MCQhard

Your company uses Microsoft Defender for Cloud's regulatory compliance dashboard to track compliance with PCI DSS. After assigning the PCI DSS v4.0 initiative, several controls show as 'Not started' even though your resources are compliant. What is the most likely cause?

A.The regulatory compliance dashboard does not support custom initiatives.
B.The PCI DSS initiative has not been assigned to the subscription.
C.The PCI DSS initiative is built-in and cannot be assigned manually.
D.The subscription is on the Free tier of Defender for Cloud.
AnswerB

The initiative must be assigned to the subscription for evaluation.

Why this answer

Option B is correct because the PCI DSS initiative includes policies that must be assigned and evaluated; if not assigned, controls show 'Not started'. Option A is wrong because the dashboard includes custom initiatives. Option D is wrong because pricing tier doesn't affect policy assignment.

Option C is wrong because Azure Policy assigns initiatives, including built-in ones, not Defender for Cloud directly.
