CCNA Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel Questions

75 of 213 questions · Page 2/3 · Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel · Answers revealed

76
MCQ · hard

Refer to the exhibit. You assign a policy that deploys the Log Analytics agent to Linux VMs. After assigning this policy to a subscription, you notice that existing Linux VMs are not getting the agent deployed, but newly created VMs receive the agent. What is the most likely reason?

A. The policy assignment requires a remediation task to be created for existing non-compliant VMs
B. The policy only applies to VMs in specific regions
C. The workspace ID parameter was not specified during assignment
D. The policy requires a managed identity to deploy the extension
Answer: A

The DeployIfNotExists effect only deploys on new or updated resources; existing resources need a remediation task.

Why this answer

Option A is correct because the policy uses the 'deployIfNotExists' effect, which only acts on resources created or updated after assignment; existing non-compliant resources are remediated only when a remediation task is triggered, and the policy assignment does not remediate existing VMs automatically. Option B is wrong because the policy evaluates all VMs regardless of region. Option C is wrong because the workspace ID is a required parameter, and if it were not provided, the assignment would fail.

Option D is wrong because you do not have to supply a managed identity separately; the 'deployIfNotExists' effect uses the assignment's system-assigned identity.

77
MCQ · hard

You manage a multi-tenant environment using Azure Lighthouse. You need to use Microsoft Defender for Cloud to monitor security posture across customer tenants. However, you cannot see the regulatory compliance dashboard for customer subscriptions. What is the most likely reason?

A. Azure Lighthouse is not configured for the customer tenants.
B. Defender for Cloud is not enabled on the customer subscriptions.
C. The Log Analytics agent is not deployed.
D. The 'Guest Configuration' extension is not installed on the customer's VMs.
Answer: D

Correct: the Guest Configuration extension is needed for compliance data.

Why this answer

Option D is correct because the regulatory compliance dashboard requires the Azure Policy Guest Configuration extension, which may not be auto-provisioned in delegated subscriptions. Option A (Azure Lighthouse not configured) is possible but less specific. Option B (Defender for Cloud not enabled on the subscriptions) is not the issue.

Option C (Log Analytics agent) is not required.

78
MCQ · medium

Your organization uses Microsoft Sentinel to monitor for data exfiltration. You have configured a scheduled analytics rule that detects when an external IP address downloads more than 100 MB of data from an Azure Storage account within 5 minutes. The rule triggers, but the incident created has a severity of 'Low', while your team wants it to be 'High' for all such incidents. What should you do?

A. Create a playbook that changes the severity of incidents created by that rule and attach it via an automation rule.
B. Add an entity mapping for the storage account so that the severity is inherited from the entity.
C. Edit the analytics rule and change the 'Severity' setting to 'High' in the 'Incident settings' tab.
D. Create an automation rule that triggers on incident creation and sets the severity to 'High' for all incidents from that rule.
Answer: C

The severity is configurable in the rule itself.

Why this answer

Option C is correct because you can set the severity in the analytics rule wizard under 'Incident settings'. Option A is wrong because incident severity is set in the rule, not in a playbook. Option D is wrong because automation rules can change severity, but only after the incident has been created; it is better to set it in the rule.

Option B is wrong because entity mapping does not affect severity.

79
MCQ · medium

Your organization uses Microsoft Sentinel and wants to create a custom analytics rule to detect failed logon attempts from a specific IP address. The rule should run every hour and look for the event in the SecurityEvent table. However, the rule never triggers even though the events exist. What is the most likely cause?

A. The entity mapping in the rule is incomplete.
B. The Log Analytics agent is not installed on the machines generating the events.
C. The analytics rule does not have the required permissions to query the workspace.
D. The rule query uses a time range that is too short.
Answer: B

Correct: the agent must be installed to ingest SecurityEvent data.

Why this answer

Option B is correct because the SecurityEvent table is populated by the Log Analytics agent installed on the source machines; without it, events are not sent to the workspace. Option C (permissions) would produce an error rather than silently returning nothing. Option D (time range) is possible but unlikely.

Option A (entity mapping) is not required for the rule to trigger.

80
MCQ · easy

A company is deploying Microsoft Sentinel in a new Azure subscription. The security team wants to ingest Windows security events from on-premises servers. Which data connector should they use?

A. Windows Security Events via AMA (Azure Monitor Agent)
B. Office 365 connector
C. Azure Active Directory connector
D. Common Event Format (CEF) connector
Answer: A

The AMA-based connector is the modern method to collect Windows security events.

Why this answer

Option A is correct because the Windows Security Events via AMA connector is the current recommended method for streaming Windows security events to Microsoft Sentinel using the Azure Monitor Agent. Option C is wrong because the Azure Active Directory connector is for Microsoft Entra ID logs, not Windows events. Option B is wrong because the Office 365 connector is for Office logs.

Option D is wrong because the Common Event Format (CEF) connector is for syslog from security appliances, not Windows security events.

81
Multi-Select · easy

Which TWO data sources can be connected to Microsoft Sentinel using built-in data connectors? (Choose two.)

Select 2 answers
A. Amazon Web Services (AWS) CloudTrail
B. Microsoft 365 Defender incidents
C. Azure Active Directory (Microsoft Entra ID) logs
D. MySQL audit logs
E. On-premises Windows Firewall logs
Answers: B, C

Sentinel has a built-in connector for Microsoft 365 Defender incidents.

Why this answer

Sentinel has built-in connectors for Azure Active Directory (Entra ID) and Microsoft 365 Defender, so options B and C are correct. Option A (AWS CloudTrail) requires a connector via AWS but is not built-in (it requires AWS S3).

Option D (MySQL audit logs) is not a built-in connector. Option E (on-premises Windows Firewall) requires the Log Analytics agent or AMA, not a built-in connector.

82
Multi-Select · hard

A SOC team uses Microsoft Sentinel. They want to create an analytics rule that detects excessive failed logons from a single IP address. The rule must run every 5 minutes and look back 1 hour. Which THREE components are required to configure this scheduled query rule?

Select 3 answers
A. Fusion rule
B. Kusto Query Language (KQL) query
C. Alert threshold (number of results)
D. Incident configuration (e.g., grouping)
E. Playbook
Answers: B, C, D

The query defines the detection logic.

Why this answer

Options B, C, and D are correct. A KQL query defines the detection logic (B). An incident configuration is required to create incidents from alerts (D).

An alert threshold (e.g., 'Generate alert based on number of results') is required to specify the number of failed logons that trigger an alert (C). Option E is wrong because a playbook is optional, not required. Option A is wrong because a Fusion rule is a different type of analytics rule, not a component of a scheduled query rule.

83
MCQ · medium

Your organization uses Microsoft Sentinel to detect and respond to threats. You need to create an automation rule that automatically closes low-severity incidents after 24 hours of inactivity. The rule should apply to all analytics rules. What should you configure?

A. Create a playbook that runs on a schedule and closes incidents with low severity.
B. Use an Azure Logic App to query Sentinel for low-severity incidents older than 24 hours and close them.
C. Modify each analytics rule to set the incident expiration to 24 hours.
D. Create an automation rule with condition 'Severity equals Low' and action 'Close incident' after 24 hours.
Answer: D

Automation rules can close incidents based on conditions and time triggers.

Why this answer

Option D is correct because automation rules can trigger on incident creation or update, and you can set conditions (e.g., severity equals Low) and actions (e.g., close incident). The rule applies to all analytics rules when you do not restrict it to a specific rule. Option A is wrong because playbooks are used for complex automation; the simple close action can be done directly in an automation rule.

Option C is wrong because the 'expiration' setting is for scheduled rules, not for closing incidents. Option B is wrong because Azure Logic Apps are not directly integrated into Sentinel automation rules without a playbook.

84
MCQ · hard

Refer to the exhibit. You are assigning this Azure Policy to a management group. The goal is to automatically deploy the Azure Monitor Agent to Windows VMs that do not have it. However, after assignment, you notice that the policy is not deploying the agent. What is the most likely reason?

A. The effect parameter is set to 'AuditIfNotExists'.
B. The policy mode should be 'All' instead of 'Indexed'.
C. The policy is a built-in policy and cannot be assigned.
D. The policy definition is incomplete; it lacks the deployment specification for the DeployIfNotExists effect.
Answer: D

A DeployIfNotExists policy requires a 'deployment' block containing the template that deploys the agent.

Why this answer

Option D is correct because the policy rule only checks whether the resource type is a virtual machine; it does not check whether the agent is already installed, and the deployment action is missing from the policy definition. The policy snippet shows only the condition and the effect; the actual deployment task (the 'deployment' property) is not included. Option C is wrong because a policy being built-in does not prevent it from being assigned.

Option B is wrong because the policy mode 'Indexed' is correct for VMs. Option A is wrong because the effect shown is 'DeployIfNotExists', which is allowed.

85
MCQ · easy

Your company is using Microsoft Sentinel to monitor security events. You need to ensure that all incidents generated in Sentinel are automatically sent to a third-party ticketing system via a webhook. Which Sentinel feature should you configure?

A. Create an automation rule that runs a playbook when an incident is created.
B. Use a watchlist to map incidents to ticketing system IDs.
C. Create a workbook that exports incidents to the ticketing system.
D. Configure a data connector to the ticketing system.
Answer: A

Automation rules can trigger playbooks that call webhooks.

Why this answer

Option A is correct because automation rules can trigger a playbook that uses a webhook. Option C is wrong because workbooks are for visualization. Option D is wrong because data connectors ingest data.

Option B is wrong because watchlists are for reference data.

86
MCQ · medium

Your organization uses Microsoft Defender for Cloud with the CSPM plan enabled. You need to ensure that all Azure subscriptions have Microsoft Defender for Cloud's auto-provisioning enabled for the Log Analytics agent. Which Azure Policy initiative should you assign?

A. Configure backup on virtual machines
B. CIS Microsoft Azure Foundations Benchmark
C. Azure Security Benchmark
D. Deploy Log Analytics agent for Microsoft Defender for Cloud
Answer: D

This initiative contains policies that deploy the Log Analytics agent automatically to VMs for Defender for Cloud.

Why this answer

Option D is correct: the Azure Policy initiative 'Deploy Log Analytics agent for Microsoft Defender for Cloud' includes policies that auto-provision the Log Analytics agent on VMs. Option C is a built-in initiative for general security configuration, not specifically for auto-provisioning.

Option B is for regulatory compliance. Option A is for Azure Backup.

87
Multi-Select · easy

Your company uses Microsoft Defender for Cloud to protect Azure resources. You need to enable the enhanced security features (formerly Azure Defender) for all supported resource types. Which TWO plans should you enable? (Choose TWO that apply.)

Select 2 answers
A. Servers
B. Azure Active Directory
C. Microsoft 365 Defender
D. Microsoft Sentinel
E. Cloud Security Posture Management (CSPM)
Answers: A, E

Correct. The Servers plan provides threat protection for VMs.

Why this answer

Options A and E are correct. The 'Servers' plan covers Azure VMs and on-premises servers. The 'Cloud Security Posture Management (CSPM)' plan is the foundational plan that includes secure score, recommendations, and compliance.

Option B is wrong because 'Azure Active Directory' is not a separate plan within Defender for Cloud; identity protection is covered by Microsoft Defender for Identity. Option D is wrong because 'Microsoft Sentinel' is a separate service. Option C is wrong because 'Microsoft 365 Defender' is a separate product.

88
MCQ · easy

Your security team wants to use Microsoft Defender for Cloud's 'Just-In-Time (JIT) VM access' to reduce the attack surface. Which Azure policy must be enabled on the subscription to use JIT?

A. Microsoft Defender for Databases
B. Microsoft Defender for Servers
C. Microsoft Defender for Storage
D. Microsoft Defender for Key Vault
Answer: B

JIT VM access is part of Defender for Servers.

Why this answer

JIT VM access is a feature of Microsoft Defender for Cloud's Cloud Workload Protection Platform (CWPP) and requires the 'Servers' plan to be enabled, so option B is correct. Option A is for databases.

Option C is for storage. Option D is for Key Vault.

89
MCQ · easy

You are evaluating Microsoft Defender for Cloud's cloud security posture management (CSPM) capabilities. You need to identify misconfigurations across your Azure, AWS, and GCP environments. What should you enable?

A. Ingest logs from AWS and GCP into Microsoft Sentinel.
B. Create Azure Policy assignments for AWS and GCP resources.
C. Deploy Azure Arc on VMs in AWS and GCP.
D. Enable the 'Defender for Cloud' multicloud connector for AWS and GCP.
Answer: D

This allows CSPM for AWS and GCP resources alongside Azure.

Why this answer

Option D is correct because Defender for Cloud's multicloud environment settings let you connect AWS and GCP accounts to Azure for unified CSPM. Option C is wrong because Azure Arc is for on-premises machines, not other clouds. Option A is wrong because Microsoft Sentinel is a SIEM, not a CSPM tool.

Option B is wrong because Azure Policy is Azure-only.

90
MCQ · easy

A company is deploying Microsoft Sentinel for the first time. The security team wants to ensure that all Azure activity logs, including data plane operations from Azure Storage, are ingested into Sentinel. Which data connector should they enable?

A. Azure Active Directory (now Microsoft Entra ID) data connector
B. Azure Key Vault data connector
C. Azure Activity log data connector
D. Azure Storage Account data connector
Answer: D

Correct: this connector ingests data plane logs.

Why this answer

Option D is correct because the Azure Activity log only includes control plane operations; for data plane operations (e.g., blob reads), you need the Azure Storage Account data connector. Option C (Azure Activity) covers only the control plane. Option A (Azure AD logs) is for identity.

Option B (Azure Key Vault) is specific to Key Vault.

91
MCQ · hard

A company uses Microsoft Defender for Cloud to manage the security posture of multiple Azure subscriptions. The security team wants to ensure that all subscriptions are covered by the same Microsoft Defender for Cloud policy initiative, but one subscription is not showing compliance data. The subscription is in the same Azure AD tenant and has the same tags. What is the most likely cause?

A. The user does not have Security Admin permissions on the subscription.
B. The subscription does not have any tags applied.
C. The subscription does not have the default policy initiative assigned.
D. The subscription is not registered with the Microsoft.Security resource provider.
Answer: D

Resource provider registration is required for Defender for Cloud to assess the subscription.

Why this answer

Option D is correct because a subscription must be registered with the Microsoft Defender for Cloud resource provider (Microsoft.Security) to be assessed. Option A is wrong because user permissions do not affect compliance data generation. Option B is wrong because tags are not required for compliance scanning.

Option C is wrong because the default policy initiative is applied automatically; there is no need to assign it manually.

92
Multi-Select · hard

Which THREE Microsoft Defender for Cloud features require Microsoft Defender for Servers Plan 2? (Choose three.)

Select 3 answers
A. File Integrity Monitoring (FIM)
B. Just-In-Time VM access
C. Adaptive application controls
D. Adaptive network hardening
E. Integrated vulnerability assessment (Qualys)
Answers: A, C, D

FIM is a Plan 2 feature.

Why this answer

Plan 2 includes adaptive application controls, file integrity monitoring, and adaptive network hardening. Option B (JIT VM access) is available in Plan 1. Option C (adaptive application controls) requires Plan 2.

Option A (file integrity monitoring) requires Plan 2. Option D (adaptive network hardening) requires Plan 2. Option E (vulnerability assessment) is available in Plan 1.

93
MCQ · medium

Your company uses Microsoft Defender for Cloud's Security Posture Management (CSPM) features. You need to identify resources that are not compliant with the organization's security baseline. What should you do?

A. View the secure score
B. Review the security recommendations
C. Use the regulatory compliance dashboard
D. Use the inventory blade
Answer: C

Shows compliance status against standards and baselines.

Why this answer

Option C is correct because the regulatory compliance dashboard shows compliance status against various standards, including custom baselines. Option A is wrong because secure score is an aggregate score, not a detailed compliance view. Option B is wrong because recommendations are individual findings, not a compliance overview.

Option D is wrong because inventory shows resources, not compliance.

94
MCQ · hard

You are a security analyst at Fabrikam Inc. You have deployed Microsoft Sentinel and connected it to Microsoft 365 Defender (formerly Microsoft Threat Protection). You have also enabled UEBA and set up analytics rules for detecting suspicious sign-ins. Recently, you noticed that some high-severity incidents from Microsoft 365 Defender are not appearing in Microsoft Sentinel. You have verified that the Microsoft 365 Defender connector is enabled and that incidents are being sent to the workspace. However, the incidents are not being created as Sentinel incidents. What is the most likely reason?

A. The analytics rule for sign-in detection is conflicting with the Microsoft 365 Defender connector.
B. The 'Microsoft 365 Defender' incident creation rule in Microsoft Sentinel is disabled.
C. The Microsoft 365 Defender connector requires a premium license.
D. Microsoft Sentinel cannot create incidents from Microsoft 365 Defender incidents; only alerts can be ingested.
Answer: B

Sentinel uses a built-in rule to create incidents from Microsoft 365 Defender incidents; if it is disabled, the incidents do not appear.

Why this answer

Microsoft Sentinel can create incidents from Microsoft 365 Defender incidents, but the incident creation rule must be enabled, so option B is correct. Option C is incorrect because the connector does not require a premium license.

Option D is incorrect because Sentinel can create incidents from Microsoft 365 Defender incidents. Option A is incorrect because the analytics rule generates its own alerts and does not interfere with incident ingestion.

95
MCQ · easy

You need to configure a continuous export of Microsoft Defender for Cloud alerts to a third-party SIEM. Which feature should you use?

A. Create an Azure Logic App to periodically query and send alerts.
B. Use the Defender for Cloud REST API to pull alerts.
C. Configure Azure Monitor agent on all VMs.
D. Use the continuous export feature in Defender for Cloud to stream alerts to an Event Hubs namespace.
Answer: D

Continuous export supports streaming to Event Hubs for SIEM integration.

Why this answer

Option D is correct because continuous export in Defender for Cloud can stream alerts to Event Hubs, which a SIEM can consume. Option C is wrong because the Azure Monitor agent collects logs; it does not export alerts. Option A is wrong because Logic Apps can be used but are not the primary built-in method.

Option B is wrong because API integration requires custom development.

96
MCQ · hard

You are a security architect for a large enterprise with 500 Azure subscriptions organized into a management group hierarchy. The company uses Microsoft Defender for Cloud to assess security posture. The CISO wants a single dashboard view of the secure score across all subscriptions, but with the ability to drill down into individual management groups. You need to recommend a solution that provides this capability with minimal administrative overhead. The company already has Log Analytics workspaces deployed per region. Which approach should you take?

A. Export the secure score to a Log Analytics workspace and create a custom workbook
B. Integrate Defender for Cloud with Microsoft Power BI and create a report
C. Use the Microsoft Defender for Cloud dashboard in the Azure portal, selecting the root management group to view the aggregated score
D. Use the Microsoft Defender for Cloud REST API to retrieve the secure score and build a custom dashboard
Answer: C

The Defender for Cloud dashboard already shows the secure score per management group, allowing drill-down.

Why this answer

Option C is correct because the secure score is aggregated at the management group level in the Defender for Cloud dashboard; you can view the score per management group and drill down. Option A is wrong because exporting to a Log Analytics workspace is for advanced analytics, not for a quick dashboard view. Option D is wrong because the REST API is for programmatic access, not a dashboard.

Option B is wrong because Power BI integration requires additional setup and is not the simplest approach for a single dashboard.

97
MCQ · hard

Your company has Microsoft Sentinel deployed in multiple workspaces across several Azure regions. The security operations team wants to query data from all workspaces centrally using a single KQL query. What feature should you implement?

A. Configure Log Analytics workspaces as linked to a central workspace.
B. Use cross-workspace queries with the workspace() expression in KQL.
C. Export all data to Azure Data Explorer and query there.
D. Use the Microsoft Sentinel SIEM connector to aggregate data.
Answer: B

The workspace() function allows querying multiple workspaces in a single KQL query.

Why this answer

Option B is correct because cross-workspace queries in Sentinel allow running a single KQL query across multiple workspaces. Option A is wrong because Log Analytics workspaces are the data stores, not a query method across workspaces. Option C is wrong because Azure Data Explorer is not integrated natively for this purpose.

Option D is wrong because the SIEM connector is for data ingestion, not for cross-workspace querying.

98
MCQ · medium

Your organization uses Microsoft Defender for Cloud to secure Azure resources. You need to ensure that all Azure SQL databases have Advanced Data Security enabled. What should you do?

A. Enable Advanced Data Security on each database manually
B. Use the Azure Security Center dashboard to enable it for all databases
C. Configure the Azure SQL Firewall to allow only secure connections
D. Create an Azure Policy to enforce Advanced Data Security
Answer: D

Azure Policy can audit or enforce the setting across all databases.

Why this answer

Option D is correct because you can create an Azure Policy to audit or enforce the setting. Option A is wrong because enabling it on each database individually is not scalable. Option B is wrong because Azure Security Center does not provide a global enablement switch for SQL databases.

Option C is wrong because Azure SQL Firewall rules control network access, not security features.

99
MCQ · easy

Your organization uses Microsoft Sentinel for security operations. You need to create a custom analytics rule that triggers an incident when a user executes a suspicious PowerShell command on a Windows server. The logs are stored in the 'DeviceEvents' table from Microsoft Defender for Endpoint (now part of Microsoft Defender XDR). The rule should run every 5 minutes. Which scheduling frequency and query period should you configure?

A. Run query every 10 minutes with a query period of 5 minutes
B. Run query every 5 minutes with a query period of 1 minute
C. Run query every 5 minutes with a query period of 5 minutes
D. Run query every 5 minutes with a query period of 10 minutes
Answer: C

The query period should match the frequency to avoid duplication.

Why this answer

For a rule that runs every 5 minutes, the query period should be set to 5 minutes to avoid duplication, so option C is correct. Option D would cause overlapping queries, because each 5-minute run would look back 10 minutes.

Options A and B are not suitable for a 5-minute frequency.

100
MCQ · hard

Your organization uses Microsoft Defender for Cloud to manage security posture. You need to ensure that all Azure subscriptions have the 'MFA should be enabled on accounts with owner permissions' security control applied. The compliance dashboard shows this control as 'Unhealthy' for several subscriptions. What should you do to automatically remediate non-compliant subscriptions?

A. Enable 'Enforce MFA' in Azure AD Conditional Access policy for all users.
B. Run a remediation task from Defender for Cloud for the non-compliant subscriptions.
C. Create an Azure Policy initiative that enforces MFA for owner accounts and assign it to the subscriptions.
D. Configure a Microsoft Sentinel playbook triggered by a compliance alert to add MFA.
Answer: C

Correct: policy enforces compliance automatically.

Why this answer

Option C is correct because you can create an Azure Policy initiative with a 'DeployIfNotExists' effect that enforces MFA on owner accounts. Option A (turning on 'Enforce MFA' in Conditional Access) applies to all users but does not apply to subscriptions automatically. Option B (remediation task) only fixes existing non-compliance and does not prevent future drift; however, it is part of the solution.

Option D (Sentinel playbook) is custom and not automatic. The best approach is to use Azure Policy to enforce the control.

101
MCQ · medium

You execute the KQL query shown in the exhibit in Microsoft Sentinel. The query returns no results, but you know there have been high-severity malware alerts in the past week. What is the most likely issue?

A. The SecurityAlert table does not contain malware alerts.
B. The time range filter is incorrect.
C. There are no high-severity alerts in the past week.
D. The alert name is case-sensitive and does not exactly match 'Malware'.
Answer: D

Correct. KQL string matching is case-sensitive by default, so 'Malware' may not match the actual alert names.

Why this answer

Option D is correct because the query filters on AlertName containing "Malware" (case-sensitive). If the actual alert name uses a different case, such as "malware", or a different form, such as "MalwareDetected", it may not match. Option C is wrong because if there were no high-severity alerts at all, the other filters would also return empty results.

Option A is wrong because the SecurityAlert table contains alerts from various sources, including malware alerts. Option B is wrong because the time range is valid.

102
MCQ · hard

You are the security engineer for a multinational company that uses Azure to host critical workloads. The company has deployed Microsoft Defender for Cloud with the enhanced security features enabled on all subscriptions. Recently, a security audit revealed that several virtual machines (VMs) in the production environment are missing critical security updates. The audit report indicates that the VMs are not being assessed for missing updates by Defender for Cloud. You need to ensure that all VMs are automatically assessed for missing OS updates using Defender for Cloud's vulnerability assessment capabilities. The solution must minimize administrative overhead and should not require manual installation of agents on existing VMs. What should you do?

A. Enable the 'SQL servers on machines' plan in Defender for Cloud.
B. Enable the 'Servers' plan in Defender for Cloud and ensure that the 'Vulnerability assessment for machines' setting is turned on.
C. Configure a vulnerability assessment solution from the Azure Marketplace and assign it to the VMs.
D. Deploy the Log Analytics agent to all VMs using Azure Policy.
Answer: B

This enables built-in vulnerability assessment using Microsoft Defender Vulnerability Management, which automatically assesses VMs for missing updates without manual agent installation.

103
MCQ · easy

Your security team uses Microsoft Sentinel to detect threats. You need to set up a rule that triggers an alert when a user account is created in Microsoft Entra ID. Which rule type should you configure?

A. Near-Real-Time (NRT) rule
B. Anomaly rule
C. Fusion rule
D. Scheduled query rule
Answer: D

Correct: scheduled rules run periodically on log data to detect specific events such as user creation.

Why this answer

Option D is correct because scheduled query rules run periodically on log data. Option A is wrong because NRT rules are for near-real-time detection and are more suitable for data arriving in a stream. Option C is wrong because Fusion is for advanced multistage attacks.

Option B is wrong because anomaly rules use machine learning to detect unusual patterns, not specific events.

104
MCQ · hard

Your organization has a hybrid identity environment with Microsoft Entra ID (formerly Azure AD) and on-premises Active Directory. You are using Microsoft Defender for Cloud to monitor security posture. You notice that the recommendation 'MFA should be enabled on accounts with owner permissions on your subscription' shows a status of 'Unhealthy' for some accounts, but those accounts already have Microsoft Entra Conditional Access policies requiring MFA. What is the most likely reason for the discrepancy?

A. The Conditional Access policies are not applied to all users; some users bypass MFA.
B. The accounts are guest users from another tenant; MFA cannot be enforced.
C. Defender for Cloud evaluates the 'per-user' MFA state, which is separate from Conditional Access.
D. The recommendation requires MFA to be configured in the subscription's access control (IAM) blade.
Answer: C

Defender for Cloud checks whether MFA is enabled per user, not via Conditional Access.

Why this answer

Option C is correct because Defender for Cloud checks the 'per-user' MFA state, not Conditional Access policies. Option A is wrong because MFA is enabled correctly through Conditional Access. Option B is wrong because guest accounts are also subject to MFA requirements.

Option D is wrong because the recommendation is based on Microsoft Entra ID data, not the IAM blade.

105
MCQ · medium

Refer to the exhibit. You are reviewing the Microsoft Defender for Cloud settings for a subscription. The JSON shows that 'autoProvision' is set to true. What does this mean?

A. All Microsoft Defender plans are automatically enabled for new resources
B. The Log Analytics agent is automatically installed on new Azure VMs
C. Security policies are automatically assigned to new resource groups
D. Continuous export of security alerts is enabled
Answer: B

AutoProvision ensures the agent is installed for data collection.

Why this answer

Option B is correct because autoProvision refers to automatic provisioning of the Log Analytics agent on new VMs. Option A is wrong because autoProvision does not enable all Defender plans. Option C is wrong because it does not automatically assign policies.

Option D is wrong because it does not enable continuous export.

106
MCQhard

Your company uses Microsoft Sentinel to monitor security events. You are asked to create an analytics rule that detects when a user outside of business hours (9 PM to 5 AM) performs a high-risk operation like deleting a large number of Azure resources. The rule must trigger an incident and assign it to the SOC team. Which rule type and configuration should you use?

A.Create a Scheduled query rule with a KQL query filtering sign-in logs and resource deletion events outside business hours.
B.Create an Anomaly rule based on historical user behavior.
C.Create a Near-real-time (NRT) rule with a query that detects resource deletions.
D.Create a Fusion rule that correlates alerts from Microsoft Defender XDR.
AnswerA

Scheduled rules allow complex KQL queries and custom scheduling.

Why this answer

Option A is correct because scheduled query rules can run at defined intervals and use KQL to filter events based on time and activity. Option B is wrong because anomaly rules use machine learning for baseline deviations, not specific time-based conditions. Option C is wrong because NRT rules are for near-real-time detection but are limited to simple conditions.

Option D is wrong because fusion rules correlate alerts from multiple sources, not specific user activities.

107
MCQhard

Your organization uses Microsoft Sentinel to monitor hybrid workloads. You need to collect logs from on-premises Linux servers and send them to Sentinel. The solution must minimize latency and administrative overhead. What should you deploy?

A.Connect servers via Azure Arc and install the Azure Monitor Agent
B.Use the Microsoft Monitoring Agent to send logs directly
C.Configure a syslog server to forward logs to the Log Analytics workspace
D.Install the Log Analytics agent on each server
AnswerA

Azure Arc allows centralized management and the Azure Monitor Agent is the modern agent.

Why this answer

Option A is correct because Azure Arc enables management of on-premises servers and allows installation of the Azure Monitor Agent with minimal overhead. Option B is wrong because the Microsoft Monitoring Agent is the legacy agent. Option C is wrong because syslog forwarding adds latency.

Option D is wrong because the legacy Log Analytics agent is deprecated.

108
Multi-Selecteasy

You are deploying Microsoft Sentinel in a new Azure environment. Which THREE resources are required to deploy a Sentinel workspace?

Select 3 answers
A.Contributor permissions on the resource group
B.The Microsoft.OperationsManagement resource provider registered
C.Microsoft Defender for Cloud enabled
D.A Log Analytics workspace
E.The Microsoft.Sentinel resource provider registered
AnswersA, B, D

Needed to enable Sentinel on the workspace.

Why this answer

Options A, B, and D are correct because Sentinel requires a Log Analytics workspace, a Contributor role on the resource group to deploy resources, and the Microsoft.OperationsManagement resource provider to be registered. Option C is wrong because Microsoft Defender for Cloud is not a prerequisite. Option E is wrong because the Azure Sentinel resource provider is not required; the OperationsManagement provider is needed.

109
MCQmedium

Your security team receives a high-priority alert from Microsoft Sentinel indicating a potential brute-force attack against an Azure SQL Database. The alert was generated by an analytics rule using the following KQL query: 'SigninLogs | where ResultType == "50057" | summarize Count = count() by UserPrincipalName, IPAddress | where Count > 10'. What is the most likely cause of the alert?

A.Multiple failed MFA attempts by a user.
B.A user successfully signed in after many attempts.
C.Multiple sign-in attempts using a disabled account from the same IP address.
D.Multiple sign-in attempts from a non-existent user account.
AnswerC

ResultType 50057 means account disabled; query groups by account and IP.

Why this answer

Option C is correct because ResultType 50057 indicates 'User account is disabled', so the alert is triggered when a disabled account has more than 10 sign-in attempts from the same IP. Option A is wrong because MFA failure is a different result type. Option B is wrong because the query does not check if the user is enabled.

Option D is wrong because the query specifically targets a disabled account, not a non-existent one.

110
Multi-Selectmedium

Which TWO are capabilities of Microsoft Sentinel UEBA? (Choose two.)

Select 2 answers
A.Integration with external threat intelligence feeds
B.Entity pages with timelines and related events
C.Automatic incident creation for all detected anomalies
D.Peer group analysis to detect anomalies
E.Automated response actions like blocking IPs
AnswersB, D

Correct: UEBA provides entity pages.

Why this answer

Options B and D are correct. UEBA provides entity pages with investigative insights (B) and detects anomalous behavior based on peer group analysis (D). Option A is wrong because threat intelligence feeds are separate.

Option C is wrong because UEBA does not automatically create incidents; analytics rules do. Option E is wrong because automated response is via playbooks, not UEBA.

111
MCQmedium

You are investigating a security incident in Microsoft Sentinel. The incident involves multiple alerts from different data sources. You need to correlate the alerts to determine the full attack chain. Which Microsoft Sentinel feature should you use?

A.Incident investigation
B.Analytics rules
C.Playbooks
D.Workbooks
AnswerA

Allows you to explore entities and alerts to understand the attack path.

Why this answer

Option A is correct because incident investigation allows you to visualize and correlate alerts, entities, and events. Option B is wrong because analytics rules create alerts, but correlation is done via investigation. Option C is wrong because playbooks are for automated response.

Option D is wrong because workbooks are for dashboards, not correlation.

112
MCQhard

A financial services company uses Microsoft Sentinel to detect ransomware activity. They want to correlate alerts from multiple sources to reduce false positives. They have enabled Microsoft Defender for Cloud, Microsoft Defender XDR, and Azure Firewall logs. Which Sentinel feature should they use to create a single alert from multiple signals?

A.Near-real-time (NRT) rules
B.Fusion (machine learning) rules
C.Anomaly detection rules
D.Scheduled query rules
AnswerB

Fusion correlates alerts from multiple products to detect multi-stage attacks.

Why this answer

Option B is correct because Fusion is a machine learning-based correlation engine that combines alerts from multiple sources to detect multi-stage attacks like ransomware. Option A is wrong because NRT rules provide near-real-time detection but not correlation. Option D is wrong because scheduled query rules are for single data source queries.

Option C is wrong because Anomaly detection identifies unusual behavior but does not correlate across alerts.

113
MCQeasy

A security analyst needs to create a custom alert in Microsoft Defender for Cloud that triggers when a user creates a public IP address in the 'production' resource group. Which type of alert should they use?

A.Azure Sentinel analytics rule
B.Azure Activity Log alert
C.Custom alert rule in Defender for Cloud
D.Custom recommendation based on Azure Policy
AnswerD

Custom recommendations in Defender for Cloud are built on Azure Policy initiatives.

Why this answer

Option D is correct because custom alerts in Defender for Cloud are created using custom recommendations based on Azure Policy. Option A is wrong because Azure Sentinel analytics rules are for Sentinel, not Defender for Cloud. Option B is wrong because Azure Activity Log alerts are in Azure Monitor, not Defender for Cloud.

Option C is wrong because Microsoft Defender for Cloud does not have native custom alert rules via a portal wizard; it uses Azure Policy.

114
MCQeasy

Your security team has deployed Microsoft Sentinel. They need to create an analytics rule that uses a custom KQL query to detect failed logon attempts from a specific IP address range and automatically creates an incident with a severity of 'High'. Which rule type should they use?

A.Anomaly rule
B.NRT (Near-Real-Time) analytics rule
C.Fusion rule
D.Scheduled query rule
AnswerD

Scheduled rules allow custom KQL, scheduling, and incident creation with severity.

Why this answer

Option D is correct because a Scheduled query rule allows custom KQL and automatic incident creation. Option A is wrong because Anomaly rules are based on ML. Option B is wrong because NRT rules are for near-real-time detection but require simpler queries.

Option C is wrong because Fusion rules correlate multiple signals.

115
MCQmedium

Your company deploys a new Azure application gateway with WAF policy in prevention mode. After deployment, users report that legitimate traffic is being blocked. You need to identify which WAF rules are causing the blocks without affecting the security posture. What should you do?

A.Disable the WAF policy temporarily.
B.Create a custom rule to allow all traffic.
C.Set the WAF policy to custom rules only.
D.Change the WAF policy mode to detection.
AnswerD

Detection mode logs blocks without acting on them.

Why this answer

Option D is correct because switching to detection mode logs WAF events without blocking, allowing analysis. Option A is wrong because disabling WAF removes protection. Option B is wrong because changing to custom rules might not pinpoint the cause.

Option C is wrong because custom rules are not diagnostic.

116
MCQeasy

Your company has a hybrid environment with Azure resources and on-premises servers. You have deployed Microsoft Sentinel and connected it to Azure AD, Azure Activity Logs, and Windows Security Events from on-premises servers via the Log Analytics gateway. You need to create a workbook that shows the number of sign-ins from each country over the last 24 hours. The data source is the SigninLogs table. However, the workbook does not display any data. You verify that the Log Analytics workspace is receiving sign-in logs from Azure AD. Which of the following is the most likely reason the workbook shows no data?

A.The workbook uses a different visualization type that requires KQL.
B.The Log Analytics gateway is blocking the sign-in logs.
C.The workbook's time range filter is set to 'Last 7 days' but the query uses a 24-hour filter incorrectly.
D.The Log Analytics workspace is not receiving sign-in logs from Azure AD.
AnswerC

Workbook time range and query time filter must align. If the query uses 'now-24h' but the workbook is set to last 7 days, it should still show data, so the query's own time filter is the more likely problem.

Why this answer

Option C is correct because workbook queries may have a time filter that defaults to a different range; the 'time' parameter in the query might be set incorrectly. Option A is wrong because KQL is required for workbooks. Option B is wrong because the gateway is for on-premises data, not for Azure AD logs, which go directly to the workspace.

Option D is wrong because the workspace is receiving logs.

117
MCQmedium

Your organization uses Microsoft Defender for Cloud to monitor Azure SQL databases. You receive an alert indicating a potential SQL injection attack. What is the most effective immediate action to validate and respond?

A.Enable Transparent Data Encryption (TDE) on the database
B.Run a vulnerability assessment on the database
C.Review the SQL database auditing logs to identify the source queries
D.Immediately block all IP addresses from the alert in the SQL firewall
AnswerC

Auditing logs provide detailed query information.

Why this answer

Option C is correct because the SQL database auditing records show the actual queries, allowing validation. Option A is wrong because enabling TDE does not help validate an attack. Option B is wrong because vulnerability assessments are not real-time.

Option D is wrong because firewall rules may block legitimate traffic.

118
MCQeasy

You need to enable Microsoft Defender for Cloud's enhanced security features for an Azure subscription. Which of the following is required?

A.Enable all Defender plans at once.
B.Enable 'Microsoft Defender for Cloud' at the subscription level.
C.Deploy a Log Analytics workspace in the same region.
D.Assign an Azure Policy to enforce Defender for Cloud.
AnswerB

Enhanced features are enabled per subscription.

Why this answer

Option B is correct because Enhanced security features (formerly Azure Defender) are enabled at the subscription level. Option A is wrong because you can enable individual plans. Option C is wrong because Log Analytics is optional.

Option D is wrong because Azure Policy is not a prerequisite.

119
MCQhard

You are designing a Microsoft Sentinel solution for a multinational company. The company requires that security incidents be correlated across regions, but data residency mandates require logs to remain in their original region. What should you implement?

A.Deploy one Microsoft Sentinel workspace per region and use cross-workspace querying for correlation
B.Deploy a separate Log Analytics workspace per region, but only one Sentinel workspace
C.Deploy a single Microsoft Sentinel workspace in a central region and use Azure Lighthouse
D.Deploy a single Microsoft Sentinel workspace and use data collection rules to filter logs
AnswerA

Cross-workspace querying allows correlation while keeping data resident.

Why this answer

Option A is correct because one Sentinel workspace per region with cross-workspace querying allows correlation while keeping data resident. Option B is wrong because a different Log Analytics workspace per region with a single Sentinel workspace is not correlated. Option C is wrong because a single central workspace would violate data residency.

Option D is wrong because a single workspace with a different data collection rule does not solve residency.

120
Multi-Selectmedium

Which THREE of the following are features of Microsoft Defender for Cloud's Cloud Security Posture Management (CSPM)?

Select 3 answers
A.Vulnerability scanning of containers
B.Security recommendations for resources
C.Secure Score
D.Threat detection for VMs
E.Regulatory compliance assessments
AnswersB, C, E

CSPM generates recommendations to improve security.

Why this answer

Options B, C, and E are correct. Option B: Security recommendations are a key output of CSPM. Option C: Secure Score is a core CSPM feature.

Option E: Regulatory compliance assessments are part of CSPM. Option A is wrong because vulnerability scanning is a workload protection feature. Option D is wrong because threat detection is part of Defender for Cloud's workload protection, not CSPM.

121
Multi-Selecthard

Which THREE are valid ways to trigger a playbook in Microsoft Sentinel? (Choose three.)

Select 3 answers
A.Manually from an incident by selecting 'Run playbook'.
B.From an automation rule when an incident is created.
C.From a watchlist item update.
D.From an entity page by clicking 'Investigate'.
E.From an automation rule when an alert is created.
AnswersA, B, E

Analysts can manually run playbooks from incidents.

Why this answer

Playbooks can be triggered automatically from alerts or incidents, and manually from incidents. Option A is correct: analysts can manually run a playbook from an incident. Option B is correct: automation rules can trigger on incident creation.

Option E is correct: automation rules can trigger playbooks on alert creation. Option C is wrong because playbooks cannot be triggered from watchlists. Option D is wrong because playbooks are not triggered from entity pages directly.

122
MCQhard

Your company is using Microsoft Defender for Cloud to monitor hybrid workloads that include on-premises servers and Azure VMs. You need to ensure that all servers are covered by the integrated vulnerability assessment solution (Microsoft Defender Vulnerability Management). What is the minimum requirement for on-premises servers?

A.They must have a site-to-site VPN connection to Azure and be registered in Azure Arc.
B.They must be part of an Active Directory domain and have the Log Analytics agent installed.
C.They must be connected to Azure via Azure Arc and have the Azure Monitor Agent installed.
D.They must be onboarded to Microsoft Defender for Cloud via Azure Arc and have the Microsoft Defender for Endpoint agent installed.
AnswerC

Azure Arc is required for hybrid servers, and Azure Monitor Agent enables vulnerability assessment.

Why this answer

Option C is correct because the integrated vulnerability assessment (Microsoft Defender Vulnerability Management) for on-premises servers requires that they are onboarded to Microsoft Defender for Cloud with Azure Arc and have the Azure Monitor Agent installed. Option A is wrong because Defender for Cloud does not require a VPN. Option B is wrong because the Log Analytics agent is deprecated for Defender for Cloud and Azure Arc is required for hybrid servers.

123
MCQhard

Your organization uses Microsoft Sentinel to detect threats across Azure, AWS, and on-premises environments. You need to create an analytics rule that will generate an incident when more than 10 failed logon attempts occur within 5 minutes from the same source IP. Which rule type should you use?

A.Near-real-time (NRT) rule
B.Fusion rule
C.ML Behavior Analytics rule
D.Scheduled query rule
AnswerA

NRT rules run every minute and are good for threshold alerts.

Why this answer

Option A is correct because NRT rules run near real-time and are ideal for threshold-based detection over short windows. Option B is wrong because Fusion is for advanced multistage attacks. Option C is wrong because ML Behavior Analytics uses machine learning, not static thresholds.

Option D is wrong because scheduled rules have a delay and are not near real-time.

124
MCQeasy

You are configuring Microsoft Defender for Cloud for a multi-subscription environment. You need to ensure that security alerts are aggregated in a central location and that a single team can manage recommendations across all subscriptions. What should you use?

A.Use a resource group to collect all security resources.
B.Use a single Log Analytics workspace for all subscriptions.
C.Assign a management group to aggregate security data.
D.Create a single subscription for all resources.
AnswerC

Management groups enable cross-subscription management and alert aggregation.

Why this answer

Option C is correct because a management group allows policy and alert aggregation across subscriptions. Option A is wrong because a resource group is too granular. Option B is wrong because a Log Analytics workspace stores logs but doesn't aggregate alerts by default.

Option D is wrong because a single subscription doesn't aggregate others.

125
MCQmedium

Your organization uses Microsoft Defender for Cloud to protect Azure VMs. You notice that some VMs are not reporting security data. You verify that the Log Analytics agent is installed and running. What is the most likely cause?

A.The VMs are using the legacy Log Analytics agent instead of the Azure Monitor Agent
B.Auto-provisioning is disabled for the subscription
C.The VMs are running an unsupported operating system
D.The VMs do not have network connectivity to the Log Analytics workspace
AnswerA

The legacy agent may not be fully supported.

Why this answer

Option A is correct because the Azure Monitor Agent (AMA) is the current agent and the Log Analytics agent (MMA) is deprecated. If AMA is not installed, data may not be collected. Option B is wrong because auto-provisioning is a setting, not a cause if the agent is installed.

Option C is wrong because the agent is running. Option D is wrong because a lack of network connectivity would cause a different error.

126
Multi-Selecthard

Which THREE features are part of Microsoft Defender XDR (formerly Microsoft 365 Defender) integration with Microsoft Sentinel?

Select 3 answers
A.Integration with Microsoft Defender for Cloud Apps to block downloads.
B.Integration with Microsoft Purview for data classification.
C.Automatic triggering of Microsoft 365 Defender playbooks from Sentinel.
D.Correlation of alerts into incidents across Microsoft 365 Defender sources.
E.Ingestion of advanced hunting data from Microsoft 365 Defender into Sentinel.
AnswersC, D, E

Correct: playbooks can be triggered.

Why this answer

Option C is correct because Microsoft Sentinel can automatically trigger playbooks (automated response workflows) when incidents or alerts are generated by Microsoft 365 Defender. This integration allows security teams to respond to threats across email, endpoint, and identity without manual intervention, leveraging Sentinel's orchestration capabilities.

Exam trap

The trap here is that candidates may confuse general Microsoft 365 security features (like Purview classification or Defender for Cloud Apps blocking) with the specific integration capabilities between Microsoft Defender XDR and Microsoft Sentinel, which are limited to alert ingestion, incident correlation, and automated response via playbooks.

127
MCQmedium

Your organization uses Microsoft Defender for Cloud to secure a multi-subscription environment. You have a subscription named 'Prod' that hosts critical applications. The security team requires that any new resource group created in the Prod subscription must automatically be protected by Microsoft Defender for Cloud at the 'Defender for Servers' plan P2 level. You need to implement a solution that ensures this compliance without manual intervention. You consider using Azure Policy, Azure Blueprints, or management group settings. Which option should you choose?

A.Create an Azure Blueprint that includes the 'Defender for Servers' plan P2 assignment and assign it to the 'Prod' subscription.
B.Use Azure Resource Manager tags on resource groups to indicate 'ProtectionRequired', and configure a custom automation runbook to enable the plan.
C.Create an Azure Policy definition that deploys the 'Defender for Servers' plan P2 and assign it to the 'Prod' subscription with scope 'resource group'.
D.Use a management group structure where the 'Prod' subscription is under a 'Production' management group, and enable the 'Defender for Servers' plan P2 at the management group level.
AnswerD

Management group inheritance will automatically enable the plan for all subscriptions and resource groups within.

Why this answer

Option D is correct because management group inheritance applies to all subscriptions under that group; setting the plan at the management group level will apply to new subscriptions. Option A is wrong because Blueprints are deprecated in favor of deployment stacks and don't auto-apply to new resource groups. Option B is wrong because tagging does not enable Defender plans.

Option C is wrong because, although Azure Policy can enforce the plan, it requires a policy definition that deploys the plan; the plan can instead be set at the management group level.

128
MCQmedium

You are investigating a security incident in Microsoft Sentinel. A KQL query returns results indicating that a user logged in from an IP address that is not in the organization's approved list. The user's account has been compromised. You need to automatically disable the user account in Microsoft Entra ID when such an alert is triggered. What should you configure?

A.Configure an Azure Policy that disables the user account.
B.Use Microsoft Defender for Cloud to automatically disable the account.
C.Create a Power Automate flow triggered by the Sentinel alert.
D.Create a playbook in Microsoft Sentinel with a Logic Apps connector to Microsoft Entra ID.
AnswerD

Correct. Playbooks can automate response actions like disabling a user.

Why this answer

Option D is correct because Microsoft Sentinel can use automation rules with playbooks (based on Azure Logic Apps) to trigger actions like disabling a user in Microsoft Entra ID. Option A is wrong because Azure Policy cannot disable user accounts. Option B is wrong because Microsoft Defender for Cloud does not manage Entra ID user accounts.

Option C is wrong because Power Automate is not natively integrated with Sentinel for this purpose.

129
MCQmedium

A company uses Microsoft Defender for Cloud to protect its hybrid workloads. Security administrators report that critical alerts for SQL servers are not appearing in the Defender for Cloud dashboard. The SQL servers are on-premises and have Azure Arc enabled. Which configuration step should be verified first?

A.Deploy the Log Analytics agent to the SQL servers
B.Configure Azure Firewall logs for SQL traffic
C.Assign the 'Configure Azure Defender for SQL agents on virtual machines' policy
D.Enable the 'SQL servers on machines' plan in Microsoft Defender for Cloud
AnswerD

The plan for SQL servers on machines must be enabled at the subscription level to start receiving alerts for on-premises SQL servers.

Why this answer

Option D is correct because for on-premises SQL servers with Azure Arc, the SQL servers must be registered as Azure Arc-enabled SQL Server instances and the Microsoft Defender for Cloud plan for SQL servers must be enabled at the subscription level. Option A is wrong because the Log Analytics workspace is used for data collection, but the core issue is plan enablement. Option B is wrong because Azure Firewall logs are unrelated to SQL-specific alerts.

Option C is wrong because Azure Policy can enforce but doesn't directly cause missing alerts.

130
MCQeasy

You are configuring Microsoft Defender for Cloud to protect your Azure virtual machines. You need to enable just-in-time (JIT) VM access to reduce the attack surface. What prerequisite must be met?

A.Configure Microsoft Defender for Cloud Apps with the VMs as connected.
B.Enable the Defender for Cloud 'JIT' plan.
C.Deploy Azure Bastion in the same virtual network.
D.Enable Microsoft Defender for Servers Plan 2.
AnswerD

JIT is available only with Defender for Servers Plan 2.

Why this answer

Option D is correct because JIT VM access requires Microsoft Defender for Servers Plan 2. Option A is wrong because Microsoft Defender for Cloud Apps is for SaaS applications, not VMs. Option B is wrong because there is no 'JIT' plan in Defender for Cloud.

Option C is wrong because Azure Bastion is a separate service for secure remote access, not a prerequisite.

131
MCQmedium

A security analyst reports that a high-priority alert in Microsoft Sentinel for 'Malware detected on VM' was closed without investigation. You need to ensure that all alerts of severity High and above cannot be closed without adding a comment. What should you configure in Sentinel?

A.Modify the 'Analytics rule settings' to require a closing comment for high severity.
B.Enable UEBA (User and Entity Behavior Analytics) to track closure patterns.
C.Create an automation rule that sets the incident severity and requires a comment when closing.
D.Configure a playbook that checks for comments before closing.
AnswerA

Sentinel analytics rules have a setting to require closing comments for specified severity levels.

Why this answer

Sentinel allows setting a 'minimum severity level' for closing comments in the analytics rule settings or via automation rules. Option B is wrong because UEBA is for user and entity analytics. Option C is wrong because watchlists are for enrichment.

Option D is wrong because playbooks automate response, not enforce comments.

132
MCQmedium

What is the primary purpose of this KQL query?

A.Check for alerts that have been automatically resolved
B.Identify alerts with high false positive rates over the last 7 days
C.Correlate alerts with Microsoft Defender for Cloud incidents
D.Identify the most common alert types by severity over the last week
AnswerD

The query counts alerts by name and severity and sorts by count.

Why this answer

The query summarizes alerts by AlertName and Severity and orders by count, which helps identify the most common alerts, so Option D is correct. Option A is wrong because the query does not analyze trends over time.

Option B is wrong because it does not check for false positives. Option C is wrong because it does not correlate with incidents.

133
Multi-Selectmedium

Which TWO actions can you perform using Microsoft Sentinel's UEBA (User and Entity Behavior Analytics) feature? (Choose two.)

Select 2 answers
A.Block sign-ins from anonymous IP addresses
B.Run KQL queries to find threats across multiple data sources
C.Automatically disable compromised user accounts
D.Detect anomalous behavior based on historical user activity
E.Identify users whose activities are anomalous compared to their peers
AnswersD, E

UEBA uses machine learning to detect anomalies in user behavior.

Why this answer

UEBA in Sentinel provides anomaly detection and peer comparison. Option D (anomaly detection) and Option E (peer anomaly scoring) are correct. Option A is a feature of Defender for Cloud Apps, not Sentinel UEBA.

Option B is for hunting, not UEBA. Option C is not a UEBA feature.

134
MCQhard

Your organization has multiple Azure subscriptions and uses Microsoft Defender for Cloud. You need to ensure that all subscriptions have a consistent security policy applied. You create a management group containing all subscriptions. What should you do next to assign a Defender for Cloud initiative to all subscriptions?

A.Use Azure Blueprints to define the initiative and assign it to the management group.
B.Assign the initiative as an Azure Policy at the management group scope.
C.Create a custom RBAC role that includes the initiative and assign it to the management group.
D.Assign the initiative to each subscription individually using the Defender for Cloud interface.
AnswerB

Correct: Policy assignment at management group scope applies to all subscriptions under it.

Why this answer

Option B is correct because Azure Policy can be assigned at the management group level to inherit to all child subscriptions. Option A is wrong because Azure Blueprints are deprecated. Option D is wrong because Defender for Cloud initiatives are not assigned per subscription manually.

Assigning at the tenant root would apply to all tenants, which is not recommended.

135
Multi-Selectmedium

Your organization has enabled Microsoft Defender for Cloud on all subscriptions. You need to ensure that the security score is improved by implementing recommendations. Which TWO actions would directly improve the secure score?

Select 2 answers
A.Enable Just-In-Time VM access on all virtual machines
B.Configure email notifications for high-severity alerts
C.Remediate a high-severity recommendation for a SQL database
D.Assign a custom Azure Policy initiative
E.Enable automatic provisioning of the Log Analytics agent
AnswersC, E

Remediating recommendations improves the secure score.

Why this answer

Options C and E are correct because remediating a high-severity recommendation increases the secure score, and enabling automatic provisioning of the Log Analytics agent is a recommendation that, when implemented, increases the score. Option A is wrong because enabling Just-In-Time VM access is a security control but does not directly affect the score; it may be a recommendation, but not all controls are scored. Option B is wrong because configuring email notifications does not affect the score.

Option D is wrong because assigning an Azure Policy initiative does not directly improve the score; the score improves when resources comply.

136
MCQ · easy

You need to configure Microsoft Defender for Cloud to automatically remediate misconfigurations in Azure resources. Which feature should you enable?

A. Configure security contacts to receive alert emails.
B. Enable 'Remediate' on a built-in or custom policy initiative.
C. Create a workflow automation to run a Logic App on alerts.
D. Use the regulatory compliance dashboard to enforce standards.
Answer: B

Remediation tasks auto-fix misconfigurations.

Why this answer

Option B is correct because the 'Remediate' action on a security policy initiative automatically applies remediation tasks. Option C is wrong because workflow automation triggers notifications, not remediation. Option D is wrong because the regulatory compliance dashboard only shows compliance status.

Option A is wrong because security contacts are for alert notifications.

137
MCQ · medium

Your company uses Microsoft Sentinel to monitor security events. You need to detect brute-force attacks against Azure VMs that are not yet onboarded to Sentinel. What should you do?

A. Use the Office 365 connector to collect sign-in logs.
B. Use the Windows Security Events connector via Azure Monitor Agent.
C. Use the Common Event Format connector to forward syslog.
D. Use the Azure Activity connector to collect sign-in logs.
Answer: B

This connector collects OS-level sign-in events from VMs.

Why this answer

Option B is correct because Windows and Linux VMs can be connected to Sentinel via the Azure Monitor Agent to stream OS security events. Option D is wrong because the Azure Activity connector captures management-plane events, not OS-level sign-in attempts. Option A is wrong because the Office 365 connector is for Microsoft 365 logs.

Option C is wrong because the Common Event Format connector is for on-premises appliances, not Azure VMs.

138
MCQ · hard

Your company uses Microsoft Defender for Cloud to protect Azure resources. You notice that some Azure VMs are not showing any security recommendations. You verify that the VMs are running and have network connectivity. What is the most likely cause?

A. The Log Analytics agent is not installed on the VMs
B. The VMs are in a resource group that lacks the required Azure RBAC role
C. The VMs have a resource lock preventing policy evaluation
D. The VMs are in the Free tier of Defender for Cloud
Answer: A

Defender for Cloud relies on the agent to collect security data for recommendations.

Why this answer

Option A is correct because if the Log Analytics agent (or Azure Monitor Agent) is not installed, Defender for Cloud cannot collect data from the VM and therefore cannot generate recommendations. Option D is wrong because the pricing tier affects which features are available but does not remove recommendations entirely; even the Free tier provides some recommendations. Option B is wrong because Defender for Cloud uses Azure Policy, not Azure RBAC, to evaluate resources.

Option C is wrong because resource locks do not prevent security assessments.

139
Multi-Select · medium

Which TWO actions can you perform using Microsoft Defender for Cloud's 'Security Alerts' page?

Select 2 answers
A. View the kill chain of an alert.
B. Suppress a specific alert for a defined time period.
C. Run a remediation script against the affected resource.
D. Create an automation rule to trigger a playbook.
E. Modify the security policy of the subscription.
Answers: A, B

Correct: the kill chain view is available.

Why this answer

Option A is correct because you can view the kill chain of an alert. Option B is correct because you can suppress alerts. Option C (remediation script) is not a direct feature; Option E (modify policy) is done via Azure Policy; Option D (create automation) is done in Sentinel.

140
MCQ · medium

Your company uses Microsoft Defender for Cloud with the default auto-provisioning configuration. A security engineer reports that critical vulnerabilities in Azure Virtual Machines are being detected but not automatically remediated. The engineer wants to enable automatic remediation for all supported findings. What should the engineer configure?

A. Configure an Azure Policy initiative with the 'Deploy if not exist' effect to automatically deploy the Log Analytics agent.
B. Enable Just-in-Time VM access for the affected virtual machines.
C. Create a Microsoft Sentinel playbook triggered by 'SecurityAlert' to run remediation commands.
D. Enable the 'Auto-provision vulnerability assessment' setting and configure an automation rule with a 'Remediate' action.
Answer: D

Correct: auto-remediation via vulnerability assessment.

Why this answer

Option D is correct because Defender for Cloud can automatically remediate vulnerabilities using a vulnerability assessment solution (such as Qualys or Microsoft Defender Vulnerability Management) together with an automation rule that has a 'Remediate' action. Option A (an Azure Policy 'Deploy if not exist' initiative) is used to deploy agents, not to auto-remediate findings. Option B (Just-in-Time VM access) controls network access, not vulnerability remediation.

Option C (Microsoft Sentinel playbook) can remediate, but it requires custom automation and is not automatic out of the box.

141
Multi-Select · medium

Which THREE are valid ways to ingest data into Microsoft Sentinel? (Choose three.)

Select 3 answers
A. Uploading a CSV file manually via the Azure portal.
B. Using the Azure Activity Log connector to stream subscription-level events.
C. Using Azure Policy to assign initiatives that send compliance data to Sentinel.
D. Using the Common Event Format (CEF) connector to ingest logs from security appliances.
E. Using a Syslog connector to forward logs from on-premises firewalls.
Answers: B, D, E

The Azure Activity Log connector is built-in.

Why this answer

Options B, D, and E are valid ingestion methods. Option C is wrong because Azure Policy is used for governance, not direct data ingestion. Option A is wrong because manual CSV upload is not a standard ingestion method; Sentinel uses connectors for structured data.

142
Multi-Select · easy

Which TWO types of data can Microsoft Sentinel ingest from Microsoft Defender XDR?

Select 2 answers
A. Raw Windows event logs from endpoints.
B. Incidents from Microsoft Defender XDR.
C. Alerts from Microsoft Defender for Endpoint.
D. Azure AD sign-in logs.
E. Microsoft 365 audit logs.
Answers: B, C

Incidents are part of Defender XDR data.

Why this answer

Options B and C are correct: Defender XDR provides alerts and incidents. Option A is wrong because raw logs are not ingested directly; alerts are.

Option E is wrong because Microsoft 365 audit logs come from Microsoft Purview, not Defender XDR. Option D is wrong because Azure AD sign-in logs come from Microsoft Entra ID.

143
MCQ · medium

You have a Microsoft Sentinel workspace that ingests data from multiple sources, including Azure Activity, Microsoft Entra ID, and Azure Firewall. You need to create a custom analytics rule that detects when a user signs in from an IP address that has been flagged as malicious in a threat intelligence feed. You have already imported threat intelligence indicators into Sentinel using the 'Threat Intelligence - TAXII' data connector. The threat intelligence indicators are stored in the 'ThreatIntelligenceIndicator' table. Which KQL function should you use in the analytics rule to match sign-in logs against the threat indicators?

A. threat_intelligence_check_url
B. threat_intelligence_check_hash
C. ipv4_lookup
D. threat_intelligence_check_ip
Answer: D

This function matches IP addresses against threat intelligence indicators.

Why this answer

The function that matches IP addresses against threat intelligence indicators is 'threat_intelligence_check_ip', so option D is correct. Option A is for matching URLs.

Option B is not a valid function. Option C checks for IP matches but is not specific to threat intelligence.

144
Multi-Select · hard

Which THREE are valid methods to ingest data into Microsoft Sentinel? (Select three.)

Select 3 answers
A. Microsoft Sentinel Data Collector API
B. Azure CLI
C. Common Event Format (CEF) over Syslog
D. Azure Data Factory
E. Azure Monitor Agent
Answers: A, C, E

The API allows custom log sources to send data to Sentinel.

Why this answer

Options A, C, and E are correct. Common Event Format (CEF) is a standard for log ingestion via syslog. The Azure Monitor Agent can collect logs from Windows and Linux machines.

The Microsoft Sentinel Data Collector API allows custom logs to be ingested. Option B is wrong because Azure CLI is a command-line tool, not a data ingestion method. Option D is wrong because Azure Data Factory is an ETL service, not a direct ingestion method for Sentinel (though it can be used indirectly).

145
MCQ · medium

Refer to the exhibit. You are evaluating an Azure Policy definition that enables Defender for Cloud on a subscription. The policy uses the 'DeployIfNotExists' effect. Which role must be assigned to the managed identity used by this policy to successfully deploy the pricing resource?

A. Owner
B. Reader
C. Contributor
D. Security Admin
Answer: D

Correct: the Security Admin role includes permission to write Microsoft.Security/pricings.

Why this answer

Option D is correct because to create or update Microsoft.Security/pricings resources, the managed identity needs the 'Security Admin' role (which includes Microsoft.Security/pricings/write). Option C is wrong because Contributor has broader permissions but not specifically the required security write permission. Option B is wrong because Reader cannot write.

Option A is wrong because Owner is too broad and not best practice.

146
MCQ · easy

Refer to the exhibit. This is an excerpt from an Azure Policy assignment. What is the effect of the 'notScopes' property?

A. The policy will apply only to the VM-Sensitive virtual machine.
B. The policy will apply to all resources in RG-Prod except the entire resource group.
C. The policy will apply to all resources in RG-Prod except the VM-Sensitive virtual machine.
D. The policy will apply to the subscription but not to RG-Prod.
Answer: C

notScopes specifies resources to exclude.

Why this answer

Option C is correct because 'notScopes' excludes specific sub-scopes from the policy assignment. In this case, the policy applies to all resources in 'RG-Prod' except the VM named 'VM-Sensitive'. Option A is wrong because 'notScopes' does not add resources.

Option B is wrong because 'notScopes' does not remove the entire resource group. Option D is wrong because it does not affect subscription-level exclusions.

147
MCQ · medium

A company uses Microsoft Defender for Cloud to protect Azure resources. The security team wants to automatically remediate certain recommendations without manual intervention. They decide to use Azure Policy to enforce secure configurations. Which feature in Defender for Cloud allows them to create policy assignments directly from the recommendation?

A. Remediate
B. View policy definition
C. Enforce
D. Quick fix
Answer: C

The Enforce button creates a policy assignment that enforces the recommendation.

Why this answer

Option C is correct because the 'Enforce' button on a recommendation creates a policy assignment that enforces the recommendation via Azure Policy. Option D is wrong because 'Quick fix' remediates a single resource; it does not enforce a policy. Option B is wrong because 'View policy definition' only shows the definition; it is the 'Assign policy' ('Enforce') button that creates the assignment.

Option A is wrong because 'Remediate' triggers a remediation task on existing resources; it does not enforce policy on new resources.

148
Multi-Select · easy

Which TWO of the following data connectors are available by default in Microsoft Sentinel?

Select 2 answers
A. Palo Alto Networks
B. ServiceNow
C. Microsoft Entra ID
D. Azure Activity
E. Amazon Web Services (AWS)
Answers: C, D

The Microsoft Entra ID connector is included by default.

Why this answer

Options C and D are correct. Option C: the Microsoft Entra ID (formerly Azure AD) connector is built-in. Option D: the Azure Activity connector is also built-in.

Option B is wrong because the ServiceNow connector is a premium connector. Option E is wrong because the Amazon Web Services (AWS) connector is a premium connector. Option A is wrong because the Palo Alto Networks connector is also premium.

149
MCQ · hard

A security analyst receives a Defender for Cloud alert indicating 'Malicious SQL injection attempt' on an Azure SQL Database. The analyst wants to immediately block the attacker's IP address at the network level using a just-in-time (JIT) VM access policy, but the SQL Database is not behind a VM. What should the analyst do to block the IP?

A. Create a firewall rule in Azure SQL Database's server-level firewall to deny the IP
B. Add a network rule in Azure Firewall to deny the IP
C. Create a JIT VM access policy for the SQL Database server
D. Change the SQL Database's connection policy to 'Redirect'
Answer: A

Server-level firewall rules can block specific IP addresses from accessing Azure SQL Database.

Why this answer

Option A is correct because creating a firewall rule in the Azure SQL Database server-level firewall effectively blocks the IP. Option C is wrong because JIT VM access applies only to VMs. Option B is wrong because Azure Firewall protects virtual networks, not direct access to Azure SQL Database.

Option D is wrong because changing the SQL Database's connection policy does not block specific IPs.

150
MCQ · hard

Your organization uses Microsoft Sentinel to monitor for ransomware attacks. You need to create a custom analytics rule that detects when a large number of files are encrypted within a short time window. Which KQL query should you use as the rule logic?

A. AzureActivity | where OperationName contains 'encrypt' | summarize count() by Resource
B. SecurityEvent | where EventID == 4688 | summarize count() by Computer, bin(TimeGenerated, 5m)
C. CommonSecurityLog | where DeviceEventClassID == 'ransomware' | summarize count() by DeviceName
D. FileCreationEvents | where FileName endswith '.encrypted' | summarize count() by Computer, UserName, bin(TimeGenerated, 5m)
Answer: D

FileCreationEvents logs file creations; encrypted files often have a .encrypted extension.

Why this answer

Option D is correct because FileCreationEvents can capture file encryption events, and the query groups by host and user in 5-minute bins to detect a spike. Option B is wrong because SecurityEvent doesn't include file creation details. Option C is wrong because CommonSecurityLog is for firewall logs.

Option A is wrong because AzureActivity doesn't capture file-level operations.
