CCNA Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel Questions

63 of 213 questions · Page 3/3 · Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel · Answers revealed

151 · MCQ · easy

You need to enable Microsoft Defender for Cloud's workload protection for Azure Kubernetes Service (AKS) clusters. Which Defender plan should you enable?

A. Enable the foundational Cloud Security Posture Management (CSPM) plan.
B. Enable Defender for SQL.
C. Enable Defender for Containers.
D. Enable Defender for Servers.
Answer: C

Defender for Containers provides threat protection for AKS clusters.

Why this answer

Option C is correct because the 'Defender for Containers' plan provides threat protection for AKS, including runtime threat detection. Option A is wrong because Defender for Cloud's foundational CSPM is free and does not provide advanced workload protection. Option D is wrong because Defender for Servers applies to VMs, not AKS.

Option B is wrong because Defender for SQL applies to databases.

152 · Multi-Select · easy

Which TWO security controls are automatically provided by enabling Microsoft Defender for Cloud's foundational CSPM (Cloud Security Posture Management) capabilities? (Choose two.)

Select 2 answers
A. Azure Firewall Manager integration.
B. Just-in-time (JIT) VM access.
C. Continuous assessment of Azure resources against the Microsoft cloud security benchmark.
D. Security recommendations for Azure resources.
E. Vulnerability assessment for VMs.
Answers: C, D

Foundational CSPM includes continuous assessment.

Why this answer

Foundational CSPM provides continuous assessment and compliance against benchmarks like the Azure Security Benchmark, plus security recommendations for resources. Option B is wrong because JIT is part of the enhanced security plans, not foundational CSPM. Option A is wrong because Firewall Manager is a separate service.

Option E is wrong because vulnerability assessment requires enabling Defender plans.

153 · MCQ · easy

Your company has a hybrid environment with on-premises servers and Azure VMs. You want to use Microsoft Defender for Cloud to assess the security posture of both environments. What do you need to install on the on-premises servers to enable Defender for Cloud monitoring?

A. Azure Arc agent
B. Microsoft Monitoring Agent (MMA)
C. Azure Security Center agent
D. Log Analytics agent
Answer: A

Correct: Azure Arc connects on-premises servers to Azure for management and security monitoring.

Why this answer

Option A is correct because Azure Arc enables non-Azure machines to be managed by Azure and monitored by Defender for Cloud. Option B is wrong because the MMA is legacy and is being replaced by the Azure Monitor Agent. Option D is wrong because the Log Analytics agent is the same legacy agent as the MMA.

Option C is wrong because there is no standalone 'Azure Security Center agent'.

154 · MCQ · medium

Refer to the exhibit. You are creating a Microsoft Sentinel scheduled analytics rule using the KQL query shown. The rule is set to run every hour. What will this rule detect?

A. Successful logins from a single IP address
B. Accounts that have more than 10 failed logins from a specific IP address in the last hour
C. Total failed logins in the last 24 hours
D. Accounts with more than 10 failed logins from any IP address
Answer: B

Correct: The query groups by both Account and IpAddress and filters for >10.

Why this answer

Option B is correct because the query counts failed logins (EventID 4625) per account and IP address in the last hour, then filters for more than 10. Option A is wrong because the query is about failed logins, not successful ones. Option D is wrong because the count is per account and IP address, not just per account.

Option C is wrong because the window is one hour, not cumulative across days.

155 · Multi-Select · hard

You are designing a Microsoft Sentinel deployment for a multinational company. The company requires that all security logs be retained for at least seven years for compliance. The solution must be cost-effective. Which THREE actions should you take?

Select 3 answers
A. Use continuous export to Azure Event Hubs for long-term storage.
B. Store logs in Azure SQL Database for seven years.
C. Configure the Log Analytics workspace retention to two years for interactive queries.
D. Use Azure Archive Storage for logs older than two years.
E. Export logs to Azure Blob Storage for long-term retention beyond two years.
Answers: C, D, E

Correct. Sentinel uses Log Analytics with up to two years of interactive retention.

Why this answer

Options C, D, and E are correct. Enabling Sentinel in the Log Analytics workspace allows interactive retention of up to two years. After that, you can set up Azure Blob Storage or Azure Data Lake Storage for long-term retention at lower cost.

You can also use Azure Archive Storage for even cheaper storage. Option A is wrong because continuous export to Event Hubs is for real-time streaming, not long-term retention. Option B is wrong because Azure SQL Database is expensive for log storage and not designed for this purpose.

156 · Multi-Select · medium

Which TWO are features of Microsoft Defender for Cloud's workload protection for Azure SQL databases? (Select two.)

Select 2 answers
A. File integrity monitoring (FIM)
B. Adaptive network hardening
C. Just-in-time VM access
D. Advanced threat protection (ATP)
E. Vulnerability assessment
Answers: D, E

ATP detects anomalous activities on SQL databases.

Why this answer

Options D and E are correct. Defender for SQL includes vulnerability assessment and advanced threat protection (ATP) for detecting anomalies. Option B is wrong because adaptive network hardening is for VMs, not SQL.

Option C is wrong because just-in-time VM access is for VMs. Option A is wrong because file integrity monitoring is for VMs and servers.

157 · MCQ · easy

Refer to the exhibit. You are assigning a built-in Azure Policy definition to a subscription using Azure CLI. The policy is 'Audit VMs that do not use managed disks'. After assignment, you check in Microsoft Defender for Cloud and see that the policy is not generating any recommendations. What is the most likely reason?

A. The policy effect is set to 'Audit', but it should be 'Deny' to generate recommendations.
B. The policy requires a managed identity to run.
C. The policy is not part of a Defender for Cloud security initiative.
D. The policy is assigned to the wrong subscription.
Answer: C

Defender for Cloud only displays recommendations for policies within its assigned initiatives.

Why this answer

Option C is correct because Defender for Cloud only shows recommendations for policies that are part of its regulatory compliance standards or security benchmarks. A custom or built-in policy assigned directly via Azure Policy may not appear in Defender for Cloud unless it is included in a security initiative. Option D is wrong because the policy scope is correct.

Option A is wrong because the policy effect is 'Audit', which already generates compliance results. Option B is wrong because the assignment works regardless of resource existence: an Audit policy simply evaluates existing resources.

158 · MCQ · easy

Your organization uses Microsoft Defender for Cloud to protect Azure SQL databases. You need to enable Advanced Threat Protection (ATP) for Azure SQL. Where should you configure this?

A. In the Azure SQL server blade under Security
B. In the Microsoft Defender for Cloud subscription settings
C. In the Azure resource group where the SQL server resides
D. In the Azure SQL database blade under Security
Answer: A

Correct: ATP for Azure SQL is configured at the server level.

Why this answer

Option A is correct because ATP for Azure SQL is enabled at the server level, not the database level. Option D is wrong because the setting is at the server level, not the database level. Option B is wrong because it is not a subscription-level setting.

Option C is wrong because it is not a resource group setting.

159 · MCQ · medium

Your company uses Microsoft Defender for Cloud to assess the security posture of Azure subscriptions. You notice that a critical recommendation 'Vulnerabilities in virtual machines should be remediated' is showing a healthy status of 0% compliance. Which action should you take first to enable vulnerability assessment for all VMs?

A. Install the Azure Monitor Agent on each VM and configure log collection.
B. Enable the 'Defender for Servers' plan P2 on the subscription.
C. Create a policy assignment to deploy the 'Configure machines to receive a vulnerability assessment provider' initiative.
D. Enable the 'Vulnerability assessment for VMs' setting in Defender for Cloud's environment settings.
Answer: D

This directly enables the integrated Qualys or Microsoft Defender vulnerability assessment solution for all VMs in the subscription.

Why this answer

Option D is correct because enabling the integrated Qualys or Microsoft Defender vulnerability assessment solution at the subscription level automatically onboards all current and future VMs. Option A is wrong because manual installation is not scalable. Option B is wrong because enabling Defender for Servers plan P2 includes vulnerability assessment but may be more costly than needed.

Option C is wrong because it only addresses a subset of VMs.

160 · Multi-Select · hard

Which THREE are valid Microsoft Defender for Cloud plans? (Choose three.)

Select 3 answers
A. Defender for Identity
B. Defender for Office 365
C. Defender for SQL
D. Defender for Storage
E. Defender for Servers
Answers: C, D, E

Correct: Defender for SQL is a plan in Defender for Cloud.

Why this answer

Options C, D, and E are correct. Defender for Cloud plans include Defender for SQL (C), Defender for Storage (D), and Defender for Servers (E). Option B is wrong because Defender for Office 365 is part of Microsoft 365 Defender, not Defender for Cloud.

Option A is wrong because Defender for Identity is a separate Microsoft 365 Defender product.

161 · MCQ · medium

Refer to the exhibit. You are reviewing the encryption configuration of an Azure Log Analytics workspace used by Microsoft Sentinel. The configuration shows infrastructure encryption enabled and a customer-managed key (CMK) from Azure Key Vault. What additional step must be taken to ensure that the CMK is used for all data?

A. Enable double encryption on Sentinel
B. Enable purge protection on the Key Vault
C. Grant the Log Analytics workspace access to the Key Vault key
D. Ensure the Key Vault is in a different region than the workspace
Answer: C

Correct: The workspace needs permissions to use the key.

Why this answer

Option C is correct because when using CMK with Log Analytics, you must grant the Log Analytics service principal (or managed identity) access to the Key Vault key. Option A is wrong because Sentinel itself does not directly use the key. Option D is wrong because the key must be in the same region as the workspace.

Option B is wrong because soft-delete must be enabled, not purge protection specifically.

162 · MCQ · hard

You deploy the Bicep template shown in the exhibit. After deployment, you check Microsoft Sentinel and find it is not enabled. The Log Analytics workspace and Defender for Cloud pricing plan are created successfully. What is the most likely reason Sentinel is not enabled?

A. The Defender for Cloud pricing tier is set to 'Standard' but should be 'Free' for Sentinel.
B. The workspace retention is set to 90 days, but Sentinel requires at least 180 days.
C. The Log Analytics workspace SKU is set to 'PerGB2018' but Sentinel requires 'PerNode'.
D. The sentinel resource does not reference the workspace, so it is not linked.
Answer: D

Correct. The Sentinel onboarding resource must be associated with the workspace.

Why this answer

Option D is correct because the Sentinel resource (onboardingStates) is defined but is not linked to the workspace resource. In Bicep, you need to create a dependency or reference the workspace ID to link Sentinel to that workspace. Without that dependency, the resources are deployed but Sentinel is not onboarded to the workspace.

Option A is wrong because the pricing tier is Standard, which is correct. Option C is wrong because the SKU is PerGB2018, which is correct. Option B is wrong because retention of 90 days is allowed.

163 · Multi-Select · easy

Which TWO of the following are valid data connectors in Microsoft Sentinel?

Select 2 answers
A. Microsoft SQL Server
B. Google Cloud Platform
C. VMware vCenter
D. Azure Active Directory (Microsoft Entra ID)
E. Amazon Web Services S3
Answers: D, E

The Entra ID connector is built-in.

Why this answer

Options D and E are correct. Option E is correct because the Amazon Web Services S3 connector is available. Option D is correct because the Azure Active Directory (now Microsoft Entra ID) connector is available.

Option B is wrong because there is no direct connector for Google Cloud Platform; it requires a custom solution. Option A is wrong because a Microsoft SQL Server connector does not exist directly; it relies on Windows Event Forwarding. Option C is wrong because VMware vCenter is not a built-in connector.

164 · Multi-Select · medium

Which TWO actions can be performed using Microsoft Defender for Cloud's security alerts? (Choose two.)

Select 2 answers
A. Directly modify the affected Azure resource's configuration from the alert.
B. Export alerts to a third-party SIEM using continuous export.
C. Change the severity of an alert after it is generated.
D. Create suppression rules to automatically dismiss alerts that meet specific criteria.
E. Trigger a logic app playbook automatically when an alert is generated.
Answers: D, E

Suppression rules allow you to suppress alerts based on conditions.

Why this answer

Options D and E are correct. Defender for Cloud alerts support suppression rules and automated response via playbooks. Option A is wrong because Defender for Cloud does not directly modify resources; it triggers actions via playbooks.

Alerts can be dismissed. Option C is wrong because alert severity is set by Defender for Cloud, not by users.

165 · Multi-Select · medium

Which TWO actions can you perform using Microsoft Defender for Cloud's regulatory compliance dashboard? (Select two.)

Select 2 answers
A. Create custom regulatory compliance recommendations.
B. Automatically remediate non-compliant resources.
C. View the compliance status for built-in standards like SOC 2 or PCI DSS.
D. Assign a compliance standard (e.g., SOC 2) to a subscription.
E. Enable or disable Microsoft Defender plans for a subscription.
Answers: C, D

The dashboard shows compliance status for assigned standards.

Why this answer

Options C and D are correct. The regulatory compliance dashboard allows you to assign compliance standards to subscriptions and view compliance status for built-in standards like SOC 2. Option B is wrong because automated remediation is done via Azure Policy, not the dashboard.

Option E is wrong because enabling Defender plans is done in the Environment settings. Option A is wrong because custom recommendations are created via Azure Policy or custom initiatives.

166 · Multi-Select · hard

Which THREE components are required to enable Microsoft Defender for Cloud's just-in-time (JIT) VM access?

Select 3 answers
A. Azure Bastion configured for the virtual network.
B. A network security group (NSG) associated with the VM's subnet or NIC.
C. Azure Firewall deployed in the same region.
D. A Log Analytics workspace connected to the VM.
E. A virtual machine with a public IP address.
Answers: B, D, E

JIT modifies NSG rules.

Why this answer

Options B, D, and E are correct. JIT requires a Log Analytics workspace for policy, a VM with a public IP, and an associated network security group (NSG). Option A is wrong because Azure Bastion is an alternative to JIT but is not required.

Option C is wrong because Azure Firewall is not needed.

167 · MCQ · medium

An organization uses Microsoft Defender for Cloud to protect Azure virtual machines. They notice that several VMs are not receiving vulnerability assessment findings, even though they are in a scope where the integrated Qualys VA solution is enabled. What should they verify first?

A. The VM does not have the Log Analytics agent installed.
B. The VM is in a resource group that is excluded from the vulnerability assessment solution.
C. The VM is behind a network security group that blocks outbound traffic.
D. The VM does not have a valid Qualys license.
Answer: A

The agent is required for the Qualys extension to report findings.

Why this answer

Option A is correct because if the VM does not have the Log Analytics agent (or Azure Monitor Agent) installed, the Qualys extension cannot report findings. Option B is wrong because the vulnerability assessment solution is deployed at the subscription level, not per resource group or VM. Option D is wrong because the Qualys solution is included with Defender for Servers P2; no separate license is needed.

Option C is wrong because network security groups are not the primary reason for missing findings; the agent is required.

168 · MCQ · medium

You are configuring Microsoft Defender for Cloud's regulatory compliance dashboard. Your organization must comply with SOC 2. You have enabled the SOC 2 regulatory compliance standard. After a week, some controls show as 'Unhealthy'. What is the most likely reason for the 'Unhealthy' status?

A. The standard is not fully enabled for all subscriptions.
B. The SOC 2 standard is not supported by Defender for Cloud.
C. You need to manually attest to the controls to mark them as healthy.
D. The underlying Azure Policy initiatives have resources that are non-compliant.
Answer: D

Correct: Regulatory compliance uses Azure Policy to assess resources; non-compliance results in 'Unhealthy'.

Why this answer

Option D is correct because 'Unhealthy' in regulatory compliance means that the corresponding Azure Policy assessments have failed. Option A is wrong because the standard is enabled; if no resources had been assessed, the status would be 'Not registered' rather than 'Unhealthy'.

Option C is wrong because the dashboard does not require manual attestation for SOC 2.

169 · MCQ · easy

Your company uses Microsoft Defender for Cloud's 'Vulnerability Assessment' solution for Azure VMs. You have enabled the 'Microsoft Defender for Servers' plan and deployed the integrated Qualys agent. You need to view the vulnerability assessment findings for all VMs in a single dashboard in Microsoft Defender for Cloud. Which blade in the Defender for Cloud portal should you navigate to?

A. Inventory
B. Security alerts
C. Regulatory compliance
D. Recommendations
Answer: D

Vulnerability assessment findings appear as recommendations under 'Remediate vulnerabilities'.

Why this answer

Option D is correct because the 'Recommendations' blade includes vulnerability assessment findings. The 'Security alerts' blade shows security alerts, not vulnerability findings.

Option B is for alerts. Option A is for inventory. Option C is for regulatory compliance.

170 · Multi-Select · medium

Which TWO actions should you take to integrate on-premises servers with Microsoft Defender for Cloud for unified security management? (Choose two.)

Select 2 answers
A. Install the Log Analytics agent on each server.
B. Migrate the servers to Azure Stack HCI.
C. Enroll the servers in Microsoft Intune.
D. Deploy the Azure Connected Machine agent (Azure Arc) on each server.
E. Establish a site-to-site VPN connection to Azure.
Answers: A, D

The agent sends security data to Defender for Cloud.

Why this answer

Deploying Azure Arc on on-premises servers allows them to be managed by Defender for Cloud. Installing the Log Analytics agent enables data collection. Option E is wrong because a VPN is not required.

Option B is wrong because Azure Stack HCI is for hyperconverged infrastructure, not general servers. Option C is wrong because Microsoft Intune (Endpoint Manager) is for device management.

171 · MCQ · easy

Your organization uses Microsoft Defender for Cloud. You need to ensure that all Azure subscriptions have the 'Auto-provisioning' extension enabled for the Log Analytics agent on new VMs. What should you configure?

A. Configure Azure Automation State Configuration to push the agent.
B. Set up data connectors in Microsoft Sentinel.
C. Enable 'Auto-provisioning' in Defender for Cloud's environment settings.
D. Create an Azure Policy assignment to deploy the Log Analytics agent.
Answer: C

Correct. Auto-provisioning automatically installs the Log Analytics agent on new VMs.

Why this answer

Option C is correct because the Auto-provisioning settings in Defender for Cloud allow you to automatically deploy the Log Analytics agent to new VMs. Option D is wrong because Azure Policy can be used but is not the direct setting for auto-provisioning in Defender for Cloud. Option A is wrong because Azure Automation State Configuration is not used for this purpose.

Option B is wrong because Microsoft Sentinel is a SIEM, not a configuration tool for agent deployment.

172 · MCQ · easy

A security analyst needs to view all incidents generated by Microsoft Defender for Cloud across multiple subscriptions in a single pane of glass. What should they use?

A. Azure Monitor
B. Azure Security Center
C. Microsoft Sentinel
D. Microsoft Defender for Cloud
Answer: D

It provides a unified view of alerts and incidents across subscriptions.

Why this answer

Option D is correct because Microsoft Defender for Cloud provides a unified dashboard that aggregates security alerts and incidents from all subscriptions in the tenant. Option B is wrong because Azure Security Center has been replaced by Defender for Cloud. Option A is wrong because Azure Monitor alerts are separate from Defender for Cloud incidents.

Option C is wrong because Microsoft Sentinel can ingest Defender for Cloud alerts but is not required for a unified view.

173 · MCQ · medium

Your organization uses Microsoft Defender for Cloud to protect Azure workloads. You notice that a critical Azure VM is not covered by any of the Defender for Cloud plans. You need to ensure that the VM is protected by the Defender for Servers plan. What should you do?

A. Create a custom Azure Policy to assign the Defender for Servers plan to the VM.
B. Enable the Defender for Servers plan in the Defender for Cloud environment settings for the subscription containing the VM.
C. Enable the Defender for Servers plan directly on the VM's security configuration blade.
D. Ensure the VM is running a supported operating system; the plan is automatically enabled for all VMs.
Answer: B

Correct: Enabling the plan at the subscription level protects all VMs in that subscription.

Why this answer

Option B is correct because to enable Defender for Servers on a specific subscription, you configure the Defender for Cloud environment settings at the subscription level. Option C is wrong because enabling the plan on the VM itself is not directly supported; the plan must be enabled at the subscription or resource group level. Option D is wrong because, although the plan covers supported OS types on Azure VMs (not just on-premises machines), it is not enabled automatically.

174 · MCQ · hard

You are a security engineer for Contoso Ltd. The company has a hybrid environment with Azure VMs and on-premises servers running Windows Server 2022. You have enabled Microsoft Defender for Cloud's multi-cloud posture management for AWS and GCP. Recently, you deployed Microsoft Sentinel in a Log Analytics workspace named 'ContosoWorkspace'. The security team needs to centralize security alerts from all sources: Azure, on-premises, AWS, and GCP. They also require automated investigation and response for common threats. Specifically, they want to automatically disable a compromised user account when a high-severity alert is generated. You have configured data connectors for Azure Activity, Microsoft Entra ID, and AWS CloudTrail. For on-premises servers, you installed the Azure Monitor Agent (AMA) and enabled Defender for Cloud's plan for servers. For GCP, you are using the GCP Security Command Center connector. The team needs to create a playbook that runs when a high-severity alert from any source is triggered. The playbook should disable the user account in Microsoft Entra ID. You have created a playbook using Azure Logic Apps and granted it the necessary permissions. Which step should you take to ensure the playbook runs automatically when alerts are generated?

A. Create an automation rule in Microsoft Sentinel that triggers the playbook when a high-severity alert is created.
B. Create an automation rule in Microsoft Defender for Cloud that triggers the playbook when a high-severity alert is generated.
C. Create an analytics rule in Microsoft Sentinel that triggers the playbook when a high-severity alert is created.
D. Configure the Logic App to run on a schedule and query Sentinel for high-severity alerts.
Answer: A

Automation rules in Sentinel can trigger playbooks based on alert creation.

Why this answer

Option A is correct because to run a playbook automatically in response to alerts, you create an automation rule in Microsoft Sentinel that triggers the playbook when an alert is generated. Option C is incorrect because analytics rules are for generating alerts, not for response.

Option B is incorrect because playbooks are not created in Defender for Cloud. Option D is incorrect because the Logic App itself does not trigger on alerts without an automation rule.

175 · MCQ · medium

Refer to the exhibit. You are analyzing a KQL query in Microsoft Sentinel. The query returns a list of IP addresses that have attempted to sign in more than 10 times in the last day. You notice that the query does not filter out successful sign-ins. You need to modify the query to count only failed sign-in attempts. What should you add?

A. Add '| where Status == "Failure"' before the summarize
B. Add '| where Result == "Failure"' before the summarize
C. Add '| where ResultType == "0"' before the summarize
D. Add '| where ResultType != "0"' before the summarize
Answer: D

This excludes successful sign-ins (ResultType == "0").

Why this answer

Option D is correct because filtering by ResultType != "0" excludes successful sign-ins (ResultType == "0"). Option C is wrong because ResultType == "0" only includes successful sign-ins. Option A is wrong because Status is not a column; the correct column is ResultType.

Option B is wrong because the column is ResultType, not Result.

176 · MCQ · medium

Your company uses Microsoft Defender for Cloud to assess the security posture of Azure subscriptions. The security team receives an alert about a critical vulnerability in an Azure VM that was remediated two weeks ago. What is the most likely reason the alert is still active?

A. The VM has not been rescanned after the remediation was applied.
B. The alert is a false positive due to a known issue in the vulnerability assessment engine.
C. The alert has a 30-day retention period and cannot be dismissed before that.
D. Silent Remediation was enabled, preventing the alert from being dismissed.
Answer: A

Defender for Cloud alerts are based on the last vulnerability scan; a new scan is needed to clear the alert.

Why this answer

Option A is correct because Defender for Cloud alerts are based on the latest vulnerability assessment scans; if the VM hasn't been rescanned since remediation, the alert remains. Default policies do not suppress alerts. Option D is wrong because Silent Remediation suppresses alerts after remediation rather than preventing dismissal.

Option C is wrong because alerts are not automatically dismissed after a time period.

177 · MCQ · hard

Your organization uses Microsoft Sentinel to manage security incidents. You need to configure an automated response to block a user account when a high-severity incident is triggered. The response should be executed automatically when the incident is created. What should you create?

A. An analytics rule
B. A playbook
C. An automation rule that triggers a playbook
D. A workbook
Answer: C

Automation rules can automatically run playbooks when incidents are created.

Why this answer

Option C is correct because an automation rule in Microsoft Sentinel can trigger a playbook when an incident is created. Option B is wrong because a playbook alone does not automatically trigger on incident creation; it needs an automation rule. Option A is wrong because analytics rules generate alerts, not automated responses.

Option D is wrong because a workbook is a visualization tool.

178 · MCQ · medium

You are configuring Microsoft Sentinel to detect a new type of ransomware that encrypts files and changes file extensions. You need to create a detection rule that generates an incident when the same pattern of file changes occurs on multiple hosts within a short time. Which rule type should you use?

A. Microsoft Security incident creation rule (ML behavior analytics).
B. Scheduled query rule.
C. Fusion rule (advanced multistage attack detection).
D. NRT (Near-Real-Time) query rule.
Answer: D

NRT rules run every minute and can correlate events across multiple hosts in near real time.

Why this answer

Option D is correct because NRT rules run queries every minute with near-real-time latency and can correlate events across multiple hosts. Option B is wrong because scheduled rules run on a schedule and may miss the correlation window. Option A is wrong because ML behavior analytics is for UEBA.

Option C is wrong because Fusion is for multi-stage attacks.

179 · Multi-Select · hard

Which THREE of the following are capabilities of Microsoft Defender for Cloud's Cloud Security Posture Management (CSPM) plan? (Select three.)

Select 3 answers
A. Continuous assessment of security configurations.
B. Secure score tracking and improvement.
C. Just-in-time (JIT) VM access.
D. Security recommendations based on the Microsoft Cloud Security Benchmark.
E. File Integrity Monitoring (FIM).
Answers: A, B, D

CSPM continuously scans for misconfigurations.

Why this answer

Options A, B, and D are correct. CSPM provides continuous assessment, a secure score, and security recommendations. Option E is wrong because file integrity monitoring is part of Defender for Servers, not CSPM.

Option C is wrong because JIT VM access is part of Defender for Servers Plan 2.

180 · MCQ · medium

You are configuring Microsoft Sentinel to ingest logs from Azure Active Directory (now Microsoft Entra ID). You need to collect sign-in logs and audit logs. Which data connector should you enable?

A. Azure AD Identity Protection
B. Office 365
C. Azure AD Authentication
D. Azure Active Directory (now Microsoft Entra ID)
Answer: D

This connector ingests sign-in logs and audit logs from Azure AD.

Why this answer

Option D is correct because the 'Azure Active Directory' data connector is specifically designed to ingest both sign-in logs and audit logs. Option A is wrong because the Azure AD Identity Protection connector only brings in risky user and sign-in events, not full audit logs. Option B is wrong because the Office 365 connector brings in Exchange, SharePoint, and Teams logs, not Azure AD logs.

Option C is wrong because 'Azure AD Authentication' is not a standard Microsoft Sentinel data connector.

181 · MCQ · hard

Your organization has Microsoft Sentinel deployed in the East US region. You need to ensure that security logs are retained for 2 years to meet compliance requirements. The workspace retention policy is set to 90 days. What should you do?

A. Configure data retention for the specific tables that need long-term retention
B. Change the workspace retention setting to 730 days
C. Use Azure Policy to enforce retention on the Log Analytics workspace
D. Export logs to an Azure Storage account and set a lifecycle management policy
Answer: A

Table-level retention allows setting different retention periods per table, up to 2 years.

Why this answer

Option A is correct because you can configure data retention for specific tables up to 2 years using the Azure portal or API. Option D is wrong because archiving to a storage account requires additional configuration and is not a direct retention setting. Option B is technically valid, since changing the workspace retention to 2 years is possible, but it may incur high costs.

The question implies a cost-effective solution, which table-level retention provides, so Option A is the more precise choice. Option C is wrong because Azure Policy does not change retention settings.

182
MCQhard

You are responsible for securing Azure resources using Microsoft Defender for Cloud. You receive a recommendation that your Azure Kubernetes Service (AKS) cluster has a vulnerability in a container image. The recommendation is labeled 'Container images should be scanned for vulnerabilities'. What action should you take to remediate this recommendation?

A.Enable the 'Vulnerability assessment solutions should be enabled on your VMs' recommendation.
B.Rebuild the container image using an updated base image and redeploy.
C.Enable Microsoft Defender for Cloud Apps for the AKS cluster.
D.Disable the vulnerability scanner for that repository.
AnswerB

This fixes the vulnerability by using a patched image.

Why this answer

Option B is correct because the recommendation comes from the Defender for Containers image scan; the only real remediation is to rebuild the image on a patched base image (and updated dependencies), push it, and redeploy, after which the next scan reports the finding resolved. Option D is wrong because turning off the scanner hides the finding without fixing the vulnerability.

Option C is wrong because Defender for Cloud Apps is a CASB for SaaS applications and is unrelated to this recommendation. Option A is wrong because the 'Vulnerability assessment solutions should be enabled on your VMs' recommendation covers virtual machines, not container images.

183
MCQmedium

You are a security engineer for a company that uses Microsoft Defender for Cloud. You need to ensure that all Azure subscriptions are continuously assessed against the Microsoft cloud security benchmark (MCSB). The solution must automatically assign compliance standards to new subscriptions. What should you do?

A.Assign the MCSB standard to the management group that contains all subscriptions.
B.Enable the 'Foundational CSPM' plan in Defender for Cloud at the management group scope.
C.Assign the MCSB standard to each subscription individually using the Defender for Cloud regulatory compliance dashboard.
D.Create an Azure Policy initiative that enforces MCSB and assign it to the root management group.
AnswerA

Assigning at the management group scope automatically applies to all current and future subscriptions under that group.

Why this answer

Option A is correct because Microsoft Defender for Cloud lets you assign regulatory compliance standards, including MCSB, at the management group level, and the assignment flows to every current and future subscription under that group. Option D is wrong because an Azure Policy initiative can enforce controls, but the question specifically asks for the MCSB standard in Defender for Cloud's compliance dashboard. Option C is wrong because assigning per subscription does not cover new subscriptions automatically.

Option B is wrong because Defender plans enable features; they do not assign compliance standards.

184
MCQeasy

Your company has multiple Azure subscriptions. You need to centralize security alerts and incidents in a single dashboard for the security operations center (SOC) team. The solution should provide advanced analytics and threat detection. Which service should you use?

A.Azure Monitor
B.Microsoft Sentinel
C.Microsoft 365 Defender
D.Microsoft Defender for Cloud
AnswerB

Correct. Sentinel is a SIEM that centralizes alerts and provides advanced analytics.

Why this answer

Option B is correct because Microsoft Sentinel is a cloud-native SIEM and SOAR solution that centralizes security data from many subscriptions and sources and provides advanced analytics. Option A is wrong because Azure Monitor is for monitoring, not SIEM. Option D is wrong because Microsoft Defender for Cloud provides security posture management and threat detection for Azure resources but does not act as a SIEM that centralizes alerts from arbitrary sources.

Option C is wrong because Microsoft 365 Defender covers Microsoft 365 workloads, not multi-subscription Azure alerts.

185
MCQmedium

Your security team detects a series of failed sign-ins from multiple IP addresses for a privileged user account in Microsoft Entra ID. You need to automatically create an incident in Microsoft Sentinel and block the user account. What should you configure?

A.Create a playbook in Microsoft Sentinel that triggers on the sign-in logs
B.Use Microsoft Entra ID Protection to automatically remediate risk
C.Configure automated investigation and remediation in Microsoft Defender XDR
D.Set up a detection rule in Microsoft Sentinel that sends an email to security admins
AnswerC

Defender XDR can automatically block accounts based on alerts.

Why this answer

Option C is correct because Microsoft Defender XDR's automated investigation and remediation can act on the account in response to the alert, and the resulting incident is surfaced in Sentinel through the Defender XDR connector. Option A is wrong because a playbook does not trigger directly on the sign-in logs; it runs from an analytics rule or automation rule and does not by itself create the incident. Option B is wrong because Entra ID Protection acts on its own risk detections and does not create Sentinel incidents.

Option D is wrong because a detection rule that only emails security admins raises the alert but provides no automated response.

186
Multi-Selectmedium

Which TWO of the following are valid data sources for Microsoft Sentinel's UEBA (User and Entity Behavior Analytics)? (Select two.)

Select 2 answers
A.Microsoft Entra ID sign-in logs.
B.Microsoft Entra ID audit logs.
C.Azure SQL Database audit logs.
D.Azure Activity Logs.
E.Azure Firewall logs.
AnswersA, B

UEBA uses sign-in logs for user behavior.

Why this answer

Options A and B are correct. Microsoft Entra ID sign-in logs and audit logs are the identity sources UEBA uses to build user behavior baselines. Option D is not one of the two intended answers here: Azure Activity logs record resource-management operations rather than identity events, although Sentinel's UEBA can also draw on them.

Option C is wrong because Azure SQL Database audit logs are not a UEBA source. Option E is wrong because Azure Firewall logs are network logs, not user behavior.

187
Multi-Selecthard

You are configuring Microsoft Defender for Cloud to protect an Azure Kubernetes Service (AKS) cluster. The cluster runs sensitive workloads. You need to enable threat detection and vulnerability assessment for the AKS environment. Which THREE of the following should you enable?

Select 3 answers
A.Microsoft Defender for Containers plan
B.Microsoft Defender for Servers plan
C.Vulnerability assessment for container images in Defender for Cloud
D.Continuous export of security alerts to Log Analytics
E.Azure Policy add-on for AKS
AnswersA, C, D

This plan provides threat detection for AKS clusters.

Why this answer

Option A (the Defender for Containers plan) is the plan that delivers runtime threat detection for AKS. Option C (vulnerability assessment for container images) is part of Defender for Containers and covers the assessment requirement. Option D (continuous export of alerts to Log Analytics) is the third listed answer: it adds no detection of its own, but it keeps the alerts queryable in the workspace for the sensitive workloads.

Option B (Defender for Servers) is for VMs, not containers. Option E (the Azure Policy add-on for AKS) enforces configuration policy and is not threat detection, although Defender for Containers deploys it for Kubernetes data-plane hardening.

188
Multi-Selecteasy

Your organization wants to use Microsoft Sentinel to detect and respond to threats. You need to ensure that Sentinel can ingest data from Azure Firewall logs. Which three components are required? (Choose three.)

Select 3 answers
A.Enable diagnostic logs on Azure Firewall.
B.A Log Analytics workspace.
C.Assign an Azure Policy to enforce diagnostic logs on all firewalls.
D.Install the Log Analytics agent on the Azure Firewall.
E.The Azure Firewall data connector in Sentinel.
AnswersA, B, E

Diagnostic settings stream logs to a workspace.

Why this answer

Options A, B, and E are correct. Option A is correct because Azure Firewall must have diagnostic settings enabled to emit its logs. Option B is correct because a Log Analytics workspace is needed to store the logs.

Option E is correct because the Azure Firewall data connector in Sentinel surfaces those logs for analytics. Option D is wrong because the Log Analytics agent is not used for Azure Firewall; a managed service streams its logs through diagnostic settings. Option C is wrong because Azure Policy can enforce diagnostic settings at scale, but it is not required for ingestion.

189
MCQmedium

Your security team receives an alert from Microsoft Defender for Cloud indicating 'Suspicious PowerShell script detected' on a virtual machine. The VM is running a critical application, and you need to investigate without disrupting the service. Which action should you take first?

A.Disconnect the VM from the virtual network.
B.Take a VM snapshot and analyze it offline.
C.Restart the VM to clear any malicious processes.
D.Initiate a live response session from Microsoft Defender for Cloud.
AnswerD

Live response allows investigation without VM disruption.

Why this answer

Option D is correct because live response (provided through the Defender for Endpoint integration of Defender for Servers) lets you collect forensic data and run investigation commands on the VM without shutting it down. Option A is wrong because disconnecting the VM from the network would disrupt the application. Option B is wrong because a snapshot preserves disk state for offline forensics but does not allow live investigation of running processes.

Option C is wrong because restarting the VM destroys volatile data and disrupts service.

190
MCQeasy

A company uses Microsoft Sentinel to centralize security logs. They need to ensure that incidents from Microsoft Defender XDR are synchronized into Sentinel. Which data connector should they enable?

A.Office 365 connector
B.Windows Security Events connector
C.Microsoft Defender XDR connector
D.Azure Activity connector
AnswerC

This connector synchronizes incidents and alerts from Defender XDR.

Why this answer

Option C is correct because the Microsoft Defender XDR connector ingests incidents and alerts from Defender XDR into Sentinel and keeps them synchronized in both directions. Option A is wrong because the Office 365 connector is for Office 365 activity logs. Option D is wrong because the Azure Activity connector is for Azure resource-management logs.

Option B is wrong because the Windows Security Events connector is for Windows event logs.

191
MCQmedium

You are configuring Microsoft Defender for Cloud's continuous export feature. You need to export security alerts and recommendations to a Log Analytics workspace for long-term retention and custom analysis. The export should include only high-severity alerts and recommendations. What should you do?

A.Set up Microsoft Sentinel to ingest Defender for Cloud alerts and then export to the workspace.
B.Enable continuous export in Defender for Cloud and select high-severity alerts and recommendations.
C.Configure diagnostic settings on each Azure resource to send logs to the workspace.
D.Use Azure Event Hubs to stream security alerts to the workspace.
AnswerB

Correct. Continuous export allows filtering by severity and exports to Log Analytics.

Why this answer

Option B is correct because continuous export lets you export alerts and recommendations to a Log Analytics workspace, and the export configuration lets you filter by severity. Option C is wrong because diagnostic settings on individual resources would be inefficient and cannot filter Defender for Cloud alerts by severity globally. Option D is wrong because Azure Event Hubs is a streaming target, not a Log Analytics workspace.

Option A is wrong because Microsoft Sentinel is not needed for this export.

192
MCQmedium

A security administrator needs to enable just-in-time (JIT) VM access for all Azure VMs in a subscription using Microsoft Defender for Cloud. What are the minimum permissions required to enable JIT on the VMs?

A.Security Admin on the subscription
B.Contributor on the subscription
C.Reader on the subscription
D.Owner on the subscription
AnswerA

Security Admin can enable JIT and manage security policies.

Why this answer

Option A is correct because the Security Admin role can manage security policies and enable JIT. Option B is wrong because Contributor can manage VMs but not security policies. Option C is wrong because Reader cannot make changes.

Option D is wrong because Owner has more permissions than needed, and the question asks for the minimum.

193
MCQeasy

You need to ensure that all Azure subscriptions in your tenant are automatically assessed for security misconfigurations and compliance against Microsoft cloud security benchmark. What should you configure?

A.Deploy Microsoft Sentinel with automatic data connectors
B.Assign an initiative via Azure Policy to all subscriptions
C.Enable continuous export in Microsoft Defender for Cloud
D.Create a blueprint definition and assign it to management group
AnswerC

Continuous export in Defender for Cloud automatically assesses all subscriptions.

Why this answer

The correct answer is C. The key treats Microsoft Defender for Cloud's continuous export feature as the Defender for Cloud setting that keeps assessment results flowing for all subscriptions. Option B is wrong because an Azure Policy initiative assignment is used for compliance but is not the Defender for Cloud assessment itself.

Option D is wrong because Azure Blueprints are deprecated. Option A is wrong because Microsoft Sentinel is a SIEM, not a posture-assessment tool.

194
MCQeasy

Your organization wants to use Microsoft Sentinel to automatically respond to high-severity incidents. Which feature should you configure?

A.Create an analytics rule with a high severity.
B.Create an automation rule that triggers a playbook on incident creation.
C.Create a workbook to visualize incidents.
D.Enable entity behavior analytics.
AnswerB

Automation rules can automatically respond to incidents.

Why this answer

Option B is correct because automation rules in Sentinel can trigger playbooks or other responses automatically based on incident conditions. Option A is wrong because analytic rules generate alerts, not automated responses. Option C is wrong because workbooks are for visualization.

Option D is wrong because entity behavior analytics is for detection, not response.

195
MCQhard

Refer to the exhibit. You assign this built-in policy to a resource group containing Linux VMs. The policy is intended to deploy the Log Analytics agent if it is missing. After the assignment, you notice that the policy does not evaluate any VMs and the compliance state is 'Not started'. What is the most likely reason?

A.The policy parameter 'workspaceId' is not provided during assignment.
B.Built-in policies cannot be assigned directly to a resource group; they must be assigned to a management group.
C.The policy mode 'Indexed' requires a remediation task to be created; the policy only evaluates resources when a remediation task is triggered.
D.The Log Analytics agent is already installed on all VMs.
AnswerC

A 'DeployIfNotExists' policy only acts on resources created or updated after the assignment; existing VMs are remediated only through a remediation task, and the compliance state reads 'Not started' until the first evaluation completes.

Why this answer

Option C is correct because the assignment has not yet evaluated the existing VMs: 'Indexed' mode evaluates resource types that support tags and location (VMs qualify), but a DeployIfNotExists effect deploys to resources that already exist only when you create a remediation task, and until an evaluation cycle runs the compliance state stays 'Not started'. Option A is wrong because a missing required parameter would make the assignment itself fail rather than leave it 'Not started'. Option D is wrong because if the agent were already installed the VMs would evaluate as compliant, not 'Not started'.

Option B is wrong because built-in policies can be assigned at resource group scope.

196
MCQeasy

Your company wants to use Microsoft Defender for Cloud's just-in-time (JIT) VM access to reduce the attack surface. You have enabled JIT for a set of VMs. A security administrator reports that they cannot connect via RDP even after requesting access. What is the most likely cause?

A.The JIT policy is set at the subscription level and does not apply to individual VMs.
B.The administrator's source IP address is not in the allowed list for the JIT policy.
C.The VM is not located in a region that supports JIT.
D.The VM does not have the Azure VM agent installed.
AnswerB

JIT restricts access to specific IP ranges.

Why this answer

Option B is correct because JIT only opens the port for the source IPs approved in the access request; if the administrator's IP is not among them, the NSG (or Azure Firewall) rule never allows the connection. Option C is wrong because JIT does not depend on the VM's region. Option A is wrong because the JIT policy is configured per VM.

Option D is wrong because the VM agent is used for extensions and other purposes, not JIT approval.

197
MCQeasy

Your organization uses Microsoft Sentinel for security information and event management (SIEM). You need to create a custom analytic rule that triggers an incident when a user signs in from an unfamiliar location. Which data source should you use?

A.Azure Activity Logs
B.Microsoft Entra ID Sign-in Logs
C.Azure AD Audit Logs
D.Microsoft 365 Defender Alerts
AnswerB

Sign-in logs include location data for detecting unfamiliar sign-ins.

Why this answer

Option B is correct because Microsoft Entra ID (formerly Azure AD) sign-in logs contain location information and are commonly used for unfamiliar sign-in detection. Option A is wrong because Azure Activity logs record resource operations, not sign-ins. Option C is wrong because Azure AD audit logs track changes, not sign-ins.

Option D is wrong because Microsoft 365 Defender alerts are not sign-in logs.
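The following is an added example, not part of the original question set: a scheduled analytics rule query that turns the "unfamiliar location" idea into concrete KQL over the SigninLogs table populated by the Microsoft Entra ID connector. It builds a 30-day baseline of countries each user has signed in from successfully and flags successful sign-ins in the last day from a country outside that baseline. The window lengths and the choice of countryOrRegion as the location key are assumptions for the example.

```kql
// Added example (not from the page): successful sign-in from a country the user
// has not signed in from during the preceding 30 days.
let baselineWindow = 30d;
let detectionWindow = 1d;
let knownCountries =
    SigninLogs
    | where TimeGenerated between (ago(baselineWindow + detectionWindow) .. ago(detectionWindow))
    | where ResultType == "0"                                   // successful sign-ins only
    | extend Country = tostring(LocationDetails.countryOrRegion)
    | where isnotempty(Country)
    | summarize KnownCountries = make_set(Country) by UserPrincipalName;
SigninLogs
| where TimeGenerated > ago(detectionWindow)
| where ResultType == "0"
| extend Country = tostring(LocationDetails.countryOrRegion)
| where isnotempty(Country)
| join kind=leftouter knownCountries on UserPrincipalName
// Either no baseline at all (a user with no prior successful sign-ins)
// or a country that is not in the baseline set.
| where isnull(KnownCountries) or not(set_has_element(KnownCountries, Country))
| project TimeGenerated, UserPrincipalName, Country, IPAddress, AppDisplayName,
          ClientAppUsed, KnownCountries
```

When this is saved as a scheduled rule, set the rule's lookback to at least 1 day so the detection window is covered, and map the Account entity to UserPrincipalName and the IP entity to IPAddress so the incident carries the entities the SOC needs to pivot on.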

198
Multi-Selectmedium

Which TWO of the following are valid methods to ingest data into Microsoft Sentinel? (Select two.)

Select 2 answers
A.Using the Log Analytics agent to send custom logs.
B.Using the Azure PowerShell cmdlets to send events directly.
C.Using Power BI to stream data.
D.Using Azure Policy to forward logs.
E.Using a data connector from the content hub.
AnswersA, E

Custom logs can be ingested via the Log Analytics agent.

Why this answer

Options A and E are correct. A data connector from the content hub is the standard way to ingest data from the supported sources. Custom logs collected by the Log Analytics agent are also a valid method, although that agent has since been retired in favour of the Azure Monitor Agent with data collection rules.

Option B is wrong because Azure PowerShell cmdlets do not send events into Sentinel. Option D is wrong because Azure Policy can enforce compliance but does not ingest data. Option C is wrong because Power BI is a visualization tool, not a data ingestion path.

199
MCQhard

Your organization uses Microsoft Sentinel to detect threats across multiple Azure subscriptions. Security analysts need to query threat intelligence data from Microsoft Defender Threat Intelligence (MDTI) directly within Sentinel. However, analysts report that MDTI indicators are not appearing in ThreatIntelligenceIndicator table. What is the most likely cause?

A.The MDTI data connector is not enabled in Microsoft Sentinel.
B.The Sentinel workspace is located in a region where MDTI is not supported.
C.The subscriptions are not onboarded to Microsoft Defender for Cloud.
D.The Sentinel workspace is not using Azure Lighthouse for cross-subscription management.
AnswerA

Correct: missing connector prevents indicator ingestion.

Why this answer

Option A is correct because the MDTI data connector must be enabled in Microsoft Sentinel for its indicators to be written to the ThreatIntelligenceIndicator table; with the connector disabled nothing populates it. Option B is wrong because MDTI indicator ingestion depends on the connector, not on the workspace region. Option C is wrong because onboarding subscriptions to Microsoft Defender for Cloud is unrelated to Sentinel's threat intelligence tables.

Option D is wrong because Azure Lighthouse handles cross-tenant delegation and has nothing to do with indicator ingestion.

200
MCQhard

You receive a Microsoft Defender for Cloud recommendation: 'Azure Policy Add-on for Kubernetes should be installed and enabled on your clusters'. The recommendation is marked as 'Unhealthy' for your AKS cluster. However, you have already installed the Azure Policy add-on. What is the most likely cause?

A.A custom Azure Policy initiative overrides the built-in one.
B.The cluster's network policy is blocking the add-on's webhook.
C.The AKS cluster does not have the 'azurepolicy' namespace.
D.The Microsoft Defender for Cloud agent is not installed on the cluster.
AnswerC

Missing namespace indicates the add-on is not correctly installed.

Why this answer

Option C is correct because the add-on's pods run in a dedicated namespace; if the AKS cluster does not have that namespace, the add-on is not actually installed on the cluster (for example, it was enabled on a different cluster or the installation did not complete), so the recommendation stays 'Unhealthy'. Option D is wrong because the recommendation concerns the Azure Policy add-on, not the Defender agent. Option A is wrong because a custom initiative might override policy evaluation but would not cause this particular installation recommendation.

Option B is wrong because the recommendation is about installation, not about the add-on's webhook connectivity.

201
MCQhard

Your organization uses Microsoft Defender for Cloud to protect Azure SQL databases. You receive a recommendation that 'SQL databases should have vulnerability findings resolved'. You run a vulnerability assessment scan and find a high-severity finding about a missing firewall rule. How should you resolve this finding?

A.Change the SQL database auditing settings to capture all events.
B.Add a firewall rule to the SQL server allowing traffic from the required IP addresses.
C.Enable Advanced Threat Protection for Azure SQL Database.
D.Enable the 'Defender for SQL' plan on the server.
AnswerB

The finding indicates a missing firewall rule; adding it resolves the vulnerability.

Why this answer

The vulnerability assessment identifies configuration issues such as firewall rules, alongside permission and data-protection findings. The correct action (Option B) is to add a firewall rule that allows only the required IP ranges, then rerun the scan so the finding is recorded as resolved. Option D is wrong because enabling the Defender for SQL plan does not fix an existing finding (the scan that produced it already requires the plan).

Option A is wrong because changing audit settings does not affect the firewall. Option C is wrong because Advanced Threat Protection detects attacks and does not resolve vulnerability findings.

202
Multi-Selecthard

Which TWO of the following are valid methods to connect on-premises syslog data to Microsoft Sentinel?

Select 2 answers
A.Use Azure Event Hubs to stream syslog data
B.Configure Azure Policy to collect syslog from on-premises servers
C.Deploy Azure Arc and enable the Log Analytics extension
D.Use the Azure Monitor Agent (AMA) with a data collection rule for syslog
E.Install the Log Analytics agent on a Linux syslog server
AnswersD, E

AMA is the current recommended agent for syslog collection.

Why this answer

Options D and E are correct. Option E: the Log Analytics agent (legacy, now retired) installed on a Linux syslog server can forward syslog to Sentinel. Option D: the Azure Monitor Agent (AMA) with a syslog data collection rule is the current recommended method.

Option A is wrong because Event Hubs is used for streaming Azure diagnostic or custom data, not raw syslog from on-premises hosts. Option B is wrong because Azure Policy does not collect logs. Option C is wrong because Azure Arc onboards the machine so that an agent can be deployed to it, but by itself it does not collect syslog.

203
MCQeasy

Your company uses Microsoft Defender for Cloud's regulatory compliance dashboard to track compliance with the PCI DSS standard. You have enabled the PCI DSS initiative on the management group. The dashboard shows that some controls are 'Not started' even though you have implemented the required security configurations. You suspect that the assessment might not be running correctly. You need to ensure that the compliance assessments are triggered for all resources. The environment consists of: - 3 subscriptions under a management group. - All subscriptions have Defender for Cloud enabled with the CSPM plan. - The PCI DSS initiative was assigned at the management group level. - Some resources are in regions that do not support certain policy effects. What is the most likely reason for the 'Not started' status?

A.The compliance dashboard only displays results if you manually run an assessment.
B.The PCI DSS initiative must be assigned to each subscription individually.
C.The Defender Cloud Security Posture Management (CSPM) plan is not enabled on all subscriptions.
D.Some policies in the PCI DSS initiative use effects that are not supported in certain regions, causing the assessment to not run.
AnswerD

Policy effects like 'DeployIfNotExists' may not be supported in all regions, leading to 'Not started'.

Why this answer

Option D is correct because the built-in PCI DSS initiative includes policies whose effects are not supported in every region, so for resources in those regions the assessment never runs and the control shows 'Not started'. Option C is wrong because the CSPM plan is already enabled on all three subscriptions. Option B is wrong because an initiative assigned at the management group is evaluated for every subscription beneath it.

Option A is wrong because the compliance dashboard is driven by policy assessments, not by manually run checks.

204
MCQeasy

Your organization uses Microsoft Defender for Cloud to protect Azure resources. You need to ensure that storage accounts are only accessible via HTTPS. What should you configure?

A.Configure a storage account firewall to block HTTP
B.Use a private endpoint for the storage account
C.Enable 'Secure transfer required' in the storage account's configuration
D.Create an Azure Policy to audit storage accounts that do not require secure transfer
AnswerC

This setting rejects HTTP requests and enforces HTTPS.

Why this answer

Option C is correct because the storage account's 'Secure transfer required' setting makes the service reject any request made over HTTP, enforcing HTTPS for every client. Option D is wrong because an Azure Policy with an audit effect reports non-compliant accounts but does not change the setting. Option A is wrong because the storage firewall controls which networks and IPs may connect, not which protocol they use.

Option B is wrong because private endpoints provide network isolation, not protocol enforcement.
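As an added check (not part of the original question set), the Azure Resource Graph query below lists every storage account that still accepts HTTP, which is the same population the Defender for Cloud recommendation 'Secure transfer to storage accounts should be enabled' reports. Resource Graph uses KQL; the query can be run from Resource Graph Explorer in the portal or with `az graph query -q "<query>"` (resource-graph extension). The inclusion of the TLS floor and public-network setting in the output is an addition for context, not something the recommendation itself evaluates.

```kql
// Added example (not from the page): storage accounts where 'Secure transfer
// required' (supportsHttpsTrafficOnly) is off, with related hardening settings.
resources
| where type =~ "microsoft.storage/storageaccounts"
| extend httpsOnly    = tobool(properties.supportsHttpsTrafficOnly),
         minimumTls   = tostring(properties.minimumTlsVersion),   // e.g. TLS1_2
         publicAccess = tostring(properties.publicNetworkAccess)
// isnull() guards against the property being absent on very old accounts;
// a plain 'httpsOnly != true' would silently drop those rows.
| where isnull(httpsOnly) or httpsOnly == false
| project name, resourceGroup, subscriptionId, location, httpsOnly, minimumTls, publicAccess
| order by subscriptionId asc, name asc
```

Each row is a storage account to fix by turning on 'Secure transfer required'; while there, confirm minimumTls is TLS1_2, since an HTTPS-only account that still negotiates TLS 1.0 closes only half of the exposure.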

205
MCQhard

Refer to the exhibit. You are reviewing a policy assignment in Microsoft Defender for Cloud that deploys the Log Analytics agent to Azure VMs. The policy uses 'DeployIfNotExists' effect and specifies a workspace. However, newly created VMs are not showing the agent installed. What is the most likely cause?

A.The workspace ID is incorrect.
B.The policy assignment does not have a managed identity assigned.
C.The policy effect is set to 'Disabled'.
D.The Log Analytics workspace is in a different region than the VMs.
AnswerB

DeployIfNotExists policies require a system-assigned managed identity to perform remediation tasks.

Why this answer

Option B is correct because DeployIfNotExists policies perform their deployment through the managed identity on the policy assignment; without one (and without the role assignment it needs on the target scope), the policy can evaluate but cannot deploy the agent. Option C is wrong because a 'Disabled' effect would not evaluate at all, whereas the question says the policy is in effect.

Option D is wrong because the workspace does not need to be in the same region as the VMs. Option A is wrong because the question states the assignment specifies the workspace; an incorrect ID would surface as a failed deployment, not as no deployment attempt.

206
MCQhard

Your organization runs a critical application on an Azure VM that generates sensitive data. You need to ensure that only approved applications can execute on the VM to prevent malware. You have Microsoft Defender for Cloud enabled with the Defender for Servers plan P2. Which feature provides application control without requiring custom rules?

A.Configure AppLocker via Group Policy.
B.Enable Just-in-time VM access on the VM.
C.Enable Windows Defender Application Control (WDAC) on the VM.
D.Enable Adaptive application controls in Defender for Cloud.
AnswerD

Adaptive application controls use ML to automatically create allowlists for known good processes.

Why this answer

Option D is correct because Microsoft Defender for Cloud's adaptive application controls use machine learning to analyze the processes running on groups of machines and recommend allowlists of known-good applications automatically. Option A is wrong because AppLocker requires manual rule authoring. Option C is wrong because Windows Defender Application Control (WDAC) requires you to create and deploy a policy.

Option B is wrong because just-in-time VM access controls inbound network access, not application execution.

207
MCQmedium

Your organization uses Microsoft Defender for Cloud to assess the security posture of Azure subscriptions. The security team wants to implement a continuous compliance monitoring solution using Microsoft Defender for Cloud's regulatory compliance dashboard. They need to monitor compliance against the 'CIS Microsoft Azure Foundations Benchmark' and 'PCI DSS v3.2.1'. Currently, the subscription has the 'Azure Security Benchmark' initiative assigned. You need to configure the compliance dashboard to show both CIS and PCI DSS standards. The subscription already has Microsoft Defender for Cloud's CSPM plan enabled. You have also enabled the 'Defender for Cloud' plan for servers. What should you do to meet the requirements?

A.Add the CIS Microsoft Azure Foundations Benchmark and PCI DSS v3.2.1 policy initiatives to the regulatory compliance dashboard.
B.Enable the CIS benchmark in the Microsoft Defender for Cloud settings.
C.Enable Microsoft Defender for Cloud's regulatory compliance add-on.
D.Remove the Azure Security Benchmark initiative and assign the CIS and PCI DSS initiatives.
AnswerA

You can add multiple compliance standards by assigning their policy initiatives.

Why this answer

To add compliance standards to the regulatory compliance dashboard, you add the corresponding policy initiatives to the subscription's security policy; multiple standards can be assigned side by side. Option A is correct. Option D is incorrect because you do not need to remove the existing Azure Security Benchmark initiative.

Option B is incorrect because the CIS benchmark is not a toggle in the settings; you must add its initiative. Option C is incorrect because there is no separate 'regulatory compliance add-on' to enable; the standards are added as initiatives.

208
MCQeasy

You need to ensure that Microsoft Defender for Cloud automatically provisions the Log Analytics agent (or its successor, the Azure Monitor Agent) on all new Azure VMs in a subscription. What should you configure?

A.Use Azure Automation State Configuration to enforce agent installation.
B.Install the Log Analytics agent as a VM extension on each VM manually.
C.Create an Azure Policy initiative that deploys the Log Analytics agent.
D.Enable auto-provisioning in the Defender for Cloud environment settings.
AnswerD

Auto-provisioning in the environment settings installs the agent on new VMs automatically (Defender for Cloud has since retired Log Analytics agent provisioning in favour of the Azure Monitor Agent and Defender for Endpoint, but the setting works the same way).

Why this answer

Option D is correct because Defender for Cloud's environment settings include an auto-provisioning (now 'Settings & monitoring') toggle that deploys the agent to every new VM in the subscription. Option C is wrong because an Azure Policy initiative can deploy the agent, but it is not Defender for Cloud's own mechanism. Option B is wrong because installing the extension manually does not cover VMs created later.

Option A is wrong because Azure Automation State Configuration is not designed for this purpose.

209
MCQhard

A multinational corporation uses Microsoft Defender for Cloud to assess security posture across multiple subscriptions. The security team wants to ensure that all resources in a specific management group are compliant with a custom set of security standards. What should they do?

A.Assign a built-in or custom regulatory compliance standard to the management group in Defender for Cloud
B.Configure Defender for Cloud's security policy for each subscription individually
C.Use the Secure Score API to monitor compliance
D.Create an Azure Policy initiative and assign it to the management group
AnswerA

Regulatory compliance standards can be assigned at management group scope.

Why this answer

Option A is correct because regulatory compliance standards, built-in or custom, can be assigned at the management group level in Defender for Cloud, and the assignment covers every subscription in the group. Option D is wrong because an Azure Policy initiative assignment applies individual policies but does not appear as a standard in the Defender for Cloud compliance dashboard. Option B is wrong because configuring the security policy per subscription does not cover the management group as a whole.

Option C is wrong because Secure Score is a metric, not a compliance standard.

210
MCQmedium

A company uses Microsoft Sentinel to monitor Azure resources. They have a custom analytic rule that generates an incident when a user creates a new Azure SQL Database. The incident is assigned to the security team. However, they want to automatically notify the database administration team via email when such an incident is created. What should they configure?

A.Create a playbook in Azure Logic Apps that sends an email and attach it to the analytic rule
B.Configure a Microsoft Teams connector in the analytic rule
C.Create an automation rule in Sentinel that runs a playbook to send an email
D.Create an Azure Monitor alert rule that triggers on the same query
AnswerC

Automation rules can trigger playbooks when incidents are created.

Why this answer

Option C is correct because an automation rule in Sentinel runs on incident creation and can trigger a playbook that sends the email. Option D is wrong because Azure Monitor alert rules act on metrics and log queries, not on Sentinel incidents. Option A is wrong because a playbook attached directly to the analytics rule runs on the alert trigger, whereas the requirement is to act when the incident is created, which is the automation rule's job.

Option B is wrong because Microsoft Teams integration would itself require a playbook; there is no direct Teams connector in an analytics rule.

211
MCQmedium

Your organization uses Microsoft Sentinel for security information and event management (SIEM). You need to create a custom analytics rule that detects when a user account is created in Microsoft Entra ID and then, within 24 hours, that account is granted a privileged role (e.g., Global Administrator). You have set up the necessary data connectors to ingest Microsoft Entra ID audit logs and sign-in logs into Sentinel. The rule should trigger an incident with high severity when this sequence occurs. Which KQL query should you use in the analytics rule?

A. AuditLogs | where OperationName == "Add user" | join kind=inner (AuditLogs | where OperationName contains "Add member to role") on $left.TargetResources[0].id == $right.TargetResources[0].id | where TimeGenerated <= 24h
B. AuditLogs | where OperationName == "Add user" | join kind=inner (AuditLogs | where OperationName contains "Add member to role") on $left.TargetResources[0].id == $right.TargetResources[0].id | where TimeGenerated > 24h
C. AuditLogs | where OperationName == "Add user" | join kind=leftouter (AuditLogs | where OperationName contains "Add member to role") on $left.TargetResources[0].id == $right.TargetResources[0].id | where TimeGenerated > 24h
D. AuditLogs | where OperationName == "Add user" | join kind=inner (AuditLogs | where OperationName contains "Add member to role") on $left.TargetResources[0].displayName == $right.TargetResources[0].displayName | where TimeGenerated <= 24h
Answer: A

This query joins user creation events with role assignment events on the same user ID within 24 hours, correctly detecting the sequence.

212
Multi-Select · medium

Your organization uses Microsoft Defender for Cloud to monitor Azure resources. You need to ensure that security recommendations are automatically remediated for non-compliant resources. Which TWO options can you use to achieve this?

Select 2 answers
A. Create a Logic Apps playbook that runs on a schedule.
B. Assign an Azure Policy with a DeployIfNotExists effect that deploys the required configuration.
C. Configure Microsoft Sentinel to automatically remediate based on alerts.
D. Enable 'Quick Fix!' for supported recommendations in Defender for Cloud.
E. Use Azure Automation runbooks to manually run remediation.
Answers: B, D

Correct. DeployIfNotExists automatically remediates non-compliant resources.

Why this answer

Options B and D are correct. Quick Fix! remediation can be enabled for recommendations that support it, allowing automatic remediation when the recommendation is triggered. An Azure Policy assignment with the DeployIfNotExists effect can also automatically remediate non-compliant resources by deploying the required configuration.

Option A is wrong because a scheduled Logic Apps playbook is manual or scheduled remediation, not automatic remediation driven by the recommendation. Option E is wrong because Azure Automation runbooks can be used but require custom setup and are not automatic by default. Option C is wrong because Microsoft Sentinel is a SIEM, not a remediation engine for Defender for Cloud recommendations.

213
MCQ · easy

Your security team uses Microsoft Sentinel's UEBA (User and Entity Behavior Analytics) to detect insider threats. To enable UEBA, which data source must be connected to Sentinel?

A. Microsoft Entra ID data connector
B. Azure Key Vault data connector
C. Office 365 data connector
D. Azure Activity log data connector
Answer: A

Correct: provides identity data for UEBA.

Why this answer

Option A is correct because UEBA in Sentinel requires the Microsoft Entra ID (formerly Azure AD) data connector to ingest user identity, audit and sign-in logs. Option D (Azure Activity) provides subscription-level activity logs, not identity data. Option B (Azure Key Vault) provides Key Vault logs, not identity data.

Option C (Office 365) is not required for UEBA.
