SC-200 domain

Mitigate threats using Microsoft Defender for Cloud

Use this page to practise SC-200 Mitigate threats using Microsoft Defender for Cloud practice questions. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.

98 questions

What the exam tests

What to know about Mitigate threats using Microsoft Defender for Cloud

Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.

  • IaaS, PaaS and SaaS responsibilities and examples.
  • Public, private, hybrid and community cloud deployment models.
  • On-premises vs cloud trade-offs: cost, control, scalability.
  • How cloud connectivity options (VPN, Direct Connect, ExpressRoute) work.

Question index

All Mitigate threats using Microsoft Defender for Cloud questions (98)

1. A security operations analyst is reviewing recommendations in Microsoft Defender for Cloud. For a virtual machine that is missing critical security updates, which recommendation category will highlight this issue?
2. A security analyst is triaging security alerts in Microsoft Defender for Cloud. Which of the following are valid ways to suppress a specific alert type to reduce noise? (Choose all that apply.)
3. A security analyst reviews Microsoft Defender for Cloud recommendations for an Azure virtual machine. The VM has a recommendation titled 'Install endpoint protection solution on virtual machines'. The analyst clicks on the recommendation and sees affected resources. Which of the following best describes the purpose of this recommendation in the context of Defender for Cloud?
4. A company uses Microsoft Defender for Cloud's Just-In-Time (JIT) VM access to secure its Azure virtual machines. A security analyst needs to grant a developer temporary RDP access to a specific VM for debugging purposes. Instead of using the default request approval flow, the analyst wants to configure an exemption so that the developer's access request never triggers a recommendation for that VM. Which action must the analyst perform?
5. A company runs its critical workloads on Azure Kubernetes Service (AKS). The security team wants to use Microsoft Defender for Cloud to protect the AKS clusters. After enabling Defender for Cloud on the subscription, they also need to enable the Defender for Containers plan. Which of the following capabilities becomes available specifically after enabling the Defender for Containers plan (with the plan turned on)?
6. A security analyst is using Microsoft Defender for Cloud's adaptive application controls (AAC) to allowlist trusted applications on Azure VMs. After enabling AAC and running in 'Audit' mode for a week, the analyst wants to switch to 'Enforce' mode. Which prerequisite must be met before enforcement can be applied?
7. A company uses Microsoft Defender for Cloud to protect Azure resources. They have an Azure SQL Database containing sensitive customer data. The security team wants to be alerted if a user attempts to perform SQL injection attacks against the database. Which Defender for Cloud plan must be enabled to receive SQL injection alerts?
8. A security team uses Microsoft Defender for Cloud to protect Azure virtual machines. They notice that a VM is generating alerts for unusual outbound connections. The team wants to use a Defender for Cloud feature that learns the VM's typical network behavior and provides recommendations to tighten network security group rules, while also alerting on suspicious deviations. Which feature should they enable?
9. A company has enabled Microsoft Defender for Cloud on its Azure subscription. The security team wants to ensure that all existing virtual machines have a vulnerability assessment solution installed. Which Defender for Cloud feature can automatically deploy a vulnerability assessment agent to supported VMs?
10. A company uses Microsoft Defender for Cloud to protect Azure virtual machines. The security team receives an alert indicating that a VM is communicating with a known malicious IP address. Which Defender for Cloud feature can be used to automatically block outbound traffic to that IP address by adjusting the network security group (NSG)?
11. A company has Azure virtual machines running Windows Server. The security team wants to use Microsoft Defender for Cloud's vulnerability assessment solution to identify missing security updates. Which of the following is required to enable built-in vulnerability assessment for VMs?
12. A company uses Microsoft Defender for Cloud to protect Azure virtual machines. The security team wants to identify which VMs have missing system updates such as critical security patches. Which Defender for Cloud feature should they use?
13. An organization has enabled Microsoft Defender for Cloud's enhanced security features. They want to ensure that newly provisioned Azure virtual machines automatically have the built-in vulnerability assessment solution installed. Which configuration should they enable in Defender for Cloud?
14. A company wants to protect Azure virtual machines from brute force attacks by allowing remote desktop protocol (RDP) access only when explicitly requested and approved. Which Microsoft Defender for Cloud feature should they enable?
15. A company enables Microsoft Defender for Cloud on its Azure subscription. The security team wants to ensure that all existing and future Azure VMs have Just-In-Time (JIT) VM access configured. Which of the following actions must the team take first to enable JIT for VMs?
16. Match each Microsoft Defender for Cloud feature on the left with its primary purpose on the right.
17. An analyst wants to enable the Defender for Containers plan in Microsoft Defender for Cloud to protect an Azure Kubernetes Service (AKS) cluster. Arrange the steps in the correct order.
18. A company uses Microsoft Defender for Cloud and wants to automatically ensure that all Azure virtual machines have a specific security configuration baseline applied (e.g., default password policies). Which Defender for Cloud feature should they leverage to audit and enforce these configurations inside the VMs?
19. A company uses Microsoft Defender for Cloud and wants to automatically remediate non-compliant Azure resources by deploying missing configurations (e.g., enabling diagnostics when not enabled). Which feature should they enable?
20. A company uses Microsoft Defender for Cloud with enhanced security features enabled. The security team wants to automatically disable the local administrative account on all existing and future Azure virtual machines by applying a guest configuration policy. Which Defender for Cloud feature should they use?
21. A security analyst receives an alert in Microsoft Defender for Cloud that an Azure virtual machine is running a process with a known indicator of compromise (IOC). The analyst wants to investigate the process details, including the command line and parent process. Which feature should the analyst use to gather this information from the VM?
22. A company uses Microsoft Defender for Cloud to protect an Azure Kubernetes Service (AKS) cluster. The security team wants to receive security alerts about suspicious activities within the cluster, such as a container running with root privileges or attempts to read sensitive host paths. Which Defender for Cloud plan must be enabled to generate these alerts?
23. A company uses Microsoft Defender for Cloud. They need to continuously assess the compliance of their Azure resources against the CIS benchmark. Which feature should they enable?
24. A security analyst in Microsoft Defender for Cloud receives an alert that an Azure VM has a vulnerability with a high severity. The analyst wants to see the detailed finding, including the steps to remediate. Which blade or page should the analyst open?
25. A security analyst receives an alert in Microsoft Defender for Cloud about a suspicious process on an Azure VM. The alert indicates a potential credential dumping tool. The analyst needs to see the full command line and parent process of the suspicious process. Which Defender for Cloud feature should the analyst use?
26. A company uses Microsoft Defender for Cloud to manage security across multiple Azure subscriptions. They want to automatically remediate non-compliant resources when a policy violation is detected, for example, enabling encryption on a storage account that has it disabled. Which feature should they configure?
27. A security administrator wants to ensure that all Azure virtual machines have Microsoft Defender for Cloud's vulnerability assessment (VA) solution enabled automatically. They need to deploy the VA solution to new and existing VMs without manual intervention. Which method should they use?
28. Your organization has multiple Azure subscriptions and wants to ensure that all of them have Microsoft Defender for Cloud's enhanced security features enabled. What is the minimal step required to achieve this for all subscriptions?
29. A company wants to continuously assess the compliance of their Azure resources against the CIS (Center for Internet Security) benchmark. Which Microsoft Defender for Cloud feature should they use?
30. A security administrator wants to ensure that all existing and future Azure virtual machines have Microsoft Defender for Cloud's built-in vulnerability assessment solution (Qualys or Microsoft) installed without manual intervention. Which feature should the administrator configure?
31. A company uses Microsoft Defender for Cloud to manage security posture. The compliance team needs to continuously monitor resources against the CIS Microsoft Azure Foundations Benchmark and receive a consolidated score across all subscriptions. Which Defender for Cloud feature should they use?
32. A security analyst in Microsoft Defender for Cloud is reviewing the Security Alerts for an Azure subscription. The analyst sees an alert titled "Suspicious PowerShell activity detected" on an Azure VM. The analyst needs to view the full command line of the suspicious script and the parent process that launched it. Where in the alert details can the analyst find this information?
33. A global organization has Azure subscriptions organized under a single management group. The security team wants to ensure that the Azure Security Benchmark initiative is assigned once to cover all current and future subscriptions within that management group, without needing to assign it individually. They also want to see compliance results aggregated at the management group level. In Microsoft Defender for Cloud, what is the correct approach to achieve this?
34. A company uses Microsoft Defender for Cloud to protect their Azure resources. They have enabled the enhanced security features on a subscription that contains several Azure SQL databases. They want to be alerted if a user attempts to perform SQL injection attacks against these databases. Which Defender for Cloud plan specifically enables SQL injection detection alerts?
35. An organization uses Microsoft Defender for Cloud and needs to track compliance with internal security policies that are not covered by any built-in regulatory standard. They want to see the compliance status for these internal controls in the Regulatory Compliance dashboard alongside other standards. What should they configure?
36. A security team needs to enforce that all Azure virtual machines have a specific custom script execution baseline (e.g., block PowerShell from executing scripts from the internet). They want to use Microsoft Defender for Cloud to continuously monitor and alert when a VM deviates from this baseline. Which feature should they use?
37. An organization uses Microsoft Defender for Cloud and has enabled enhanced security features. They want to receive alerts when a user attempts to connect to an Azure VM via RDP from a public IP address that is not in a predefined list of trusted IP ranges. Which Defender for Cloud plan or feature provides this capability?
38. A company has multiple Azure subscriptions under a management group. They want to ensure that all VMs across all subscriptions have Microsoft Defender for Cloud's vulnerability assessment solution (using the Microsoft Defender Vulnerability Management engine) enabled. They also want to automatically remediate any non-compliant VMs by enabling the VA solution when a VM is missing it. Which combination of policy initiatives and automation should they use?
39. A security engineer is configuring Microsoft Defender for Cloud in a hybrid environment that includes on-premises servers connected via Azure Arc. The engineer wants to enable the Defender for Cloud plans for servers (including vulnerability assessment) on all Azure Arc-enabled machines. What is the correct method to deploy the Log Analytics agent (or Azure Monitor Agent) and the Microsoft Defender for Endpoint (MDE) integration?
40. A security engineer is configuring Microsoft Defender for Cloud in a hybrid environment with on-premises servers connected via Azure Arc. The engineer wants to enable the Defender for Cloud plans for servers (including vulnerability assessment) on all Azure Arc-enabled machines. What is the correct method to deploy the Log Analytics agent (or Azure Monitor Agent) and the Microsoft Defender for Endpoint (MDE) integration?
41. A security administrator wants to assess their Azure environment against the Azure Security Benchmark and also include custom security controls defined by their organization. They need a single, reusable policy initiative that can be assigned across multiple subscriptions and management groups. What should the administrator create in Microsoft Defender for Cloud?
42. A security administrator needs to ensure that only approved applications can run on a set of Windows Server virtual machines. The administrator has already enabled Microsoft Defender for Cloud's enhanced security features. Which Defender for Cloud feature should the administrator configure to define a list of allowed applications and get alerts when unapproved applications are executed?
43. A security engineer needs to ensure that all Azure subscriptions under a management group are continuously assessed against the Azure Security Benchmark. They want to see the aggregated compliance score at the management group level. What should the engineer do in Microsoft Defender for Cloud?
44. A security administrator wants to enforce Just-in-Time (JIT) VM access for all Azure virtual machines in a management group to reduce the attack surface. The administrator wants to automatically enable JIT on any new VM and remediate existing non-compliant VMs. What should the administrator configure in Microsoft Defender for Cloud?
45. A security team wants to enable advanced threat detection for all Azure SQL databases across multiple subscriptions. They want to receive alerts for SQL injection attempts and anomalous activities. Which action should they take in Microsoft Defender for Cloud?
46. A security engineer is responsible for protecting containerized workloads in Azure Kubernetes Service (AKS) clusters. They want to enable Microsoft Defender for Cloud to detect threats against the Kubernetes control plane and container runtime. Additionally, they want to ensure vulnerability assessments are performed on images stored in Azure Container Registry. Which Defender for Cloud plan should the engineer enable?
47. A security administrator wants to see the overall security posture of all their Azure subscriptions in a single numerical score. Which dashboard in Microsoft Defender for Cloud provides this score based on implemented security controls?
48. A company has enabled Microsoft Defender for Cloud on their subscription containing Azure SQL databases. They receive an alert about a potential SQL injection attack. The analyst wants to see the actual query that was executed. Where can the analyst find the query details associated with the alert?
49. A company wants to enable Microsoft Defender for Cloud's enhanced security features for all Azure virtual machines in a subscription. What is the first action they should take in the Defender for Cloud pricing & settings page?
50. An organization wants to enable vulnerability assessment for all Azure virtual machines, including future ones, using the integrated Qualys or Microsoft Defender Vulnerability Management solution. What is the recommended approach in Microsoft Defender for Cloud?
51. Which of the following resource types are supported by Microsoft Defender for Cloud's workload protection plans? (Select all that apply.) (Choose 3.)
52. In Microsoft Defender for Cloud, what does the Secure Score represent?
53. A security administrator wants to view the overall security posture of all Azure subscriptions in a single numerical score. Which dashboard in Microsoft Defender for Cloud provides this score based on implemented security controls?
54. An organization needs to meet PCI DSS compliance requirements and also enforce a custom policy requiring that encryption keys be stored in a specific Azure Key Vault. The security administrator wants to view a unified compliance score that includes both the built-in PCI DSS standard and the custom policy. What should the administrator do in Microsoft Defender for Cloud?
55. A security administrator wants to enable vulnerability assessment for all existing and future Azure virtual machines in a subscription using the integrated Microsoft Defender Vulnerability Management solution. What is the recommended action in Microsoft Defender for Cloud?
56. A security administrator in Microsoft Defender for Cloud notices that the Secure Score is lower than expected. Which action would most effectively improve the Secure Score by reducing the attack surface?
57. A security operations team has Microsoft Defender for Cloud enabled on all subscriptions and wants to forward security alerts and recommendations to Microsoft Sentinel for analysis and automation. Which configuration should the team implement to enable this integration?
58. A company wants to be alerted when a virtual machine is exposed to the internet through a permissive network security group rule. Which Microsoft Defender for Cloud feature provides recommendations and alerts for such misconfigurations?
59. A security administrator wants to enable vulnerability assessment for all existing and future Azure virtual machines using the integrated Microsoft Defender Vulnerability Management solution. Which action should they take in Microsoft Defender for Cloud?
60. A security operations team uses Microsoft Defender for Cloud and Microsoft Sentinel. They want to automatically suppress low-severity security recommendations that are older than 90 days for a specific resource group. Which combination of tools should they use?
61. A company uses Microsoft Defender for Cloud to secure its Azure environment. The security team wants to receive notifications via email whenever a high-severity security alert is generated. What should they configure in Defender for Cloud?
62. A company uses Microsoft Defender for Cloud with enhanced security features enabled. They recently deployed a new Azure Kubernetes Service (AKS) cluster and want to ensure it is protected by Defender for Containers. What must they do to enable protection?
63. A security administrator needs to view a list of all virtual machines that have a missing critical security update. Which Microsoft Defender for Cloud dashboard should they use?
64. A company wants to enable vulnerability scanning for Azure virtual machines using the integrated Microsoft Defender Vulnerability Management solution. What is the first step?
65. A security administrator is configuring Microsoft Defender for Cloud's regulatory compliance dashboard. The organization needs to be compliant with the NIST SP 800-53 standard. Which built-in initiative should the administrator assign to the subscription to populate the dashboard with NIST controls?
66. A company has enabled Microsoft Defender for Cloud on multiple Azure subscriptions. The security team wants to view a unified security score that aggregates the scores from all subscriptions. Which feature should they use?
67. A cloud security administrator receives an alert from Microsoft Defender for Cloud indicating that a virtual machine has been compromised. The administrator wants to quickly isolate the VM from the network to prevent further spread while preserving the disk for forensic analysis. Which action should the administrator take?
68. A cloud security team uses Microsoft Defender for Cloud with Defender for Servers enabled. They want to integrate a third-party vulnerability assessment solution for their Azure VMs and ensure findings appear in the Defender for Cloud recommendations. What must be done?
69. A security administrator wants to ensure that all Azure virtual machines have automatic provisioning of the Log Analytics agent enabled by default in Microsoft Defender for Cloud. Where should this configuration be set?
70. A company uses Microsoft Defender for Cloud with enhanced security features enabled. They have an Azure subscription with many VMs that are all protected by Defender for Servers. The security team wants to identify VMs that have not had a vulnerability assessment scan in the last 7 days. The integrated vulnerability assessment (Microsoft Defender Vulnerability Management) is enabled. Which KQL query in Azure Resource Graph or Log Analytics can achieve this?
71. A company uses Microsoft Defender for Cloud with enhanced security features enabled. They have several Azure virtual machines running SQL Server. The security team wants to enable advanced threat protection for their Azure SQL databases. What should they do?
72. A large enterprise uses Microsoft Defender for Cloud with all enhanced security plans enabled. They want to automatically enable the Defender for Cloud plans on new Azure subscriptions that are created under their management group. Which approach should they use?
73. A large enterprise uses Microsoft Defender for Cloud with the integrated Microsoft Defender Vulnerability Management solution enabled for all servers. The security team wants to identify all virtual machines that have not been scanned for vulnerabilities in the last 7 days. They plan to use Azure Resource Graph (ARG) to generate a report. Which KQL query would correctly identify these machines?
74. A company uses Microsoft Defender for Cloud with enhanced security features enabled. The security team wants to view a consolidated list of all security recommendations across multiple Azure subscriptions in a single view. Which blade should they navigate to in the Microsoft Defender for Cloud portal?
75. A cloud security administrator needs to ensure that all Azure virtual machines have the Microsoft Defender for Cloud agent (Log Analytics agent) installed automatically when they are provisioned. Which configuration should be set in Microsoft Defender for Cloud?
76. A company uses Microsoft Defender for Cloud with Defender for Containers enabled. The security team wants to view security alerts generated for their Azure Kubernetes Service (AKS) clusters. Where should they navigate to see these alerts?
77. A company uses Microsoft Defender for Cloud with Defender for Servers enabled. The security team wants to integrate a third-party vulnerability assessment solution (e.g., Qualys) and have findings appear in the Defender for Cloud recommendations. What must be done?
78. A company uses Microsoft Defender for Cloud with Defender for Servers enabled. The security team wants to receive an alert when a new user is added to the local Administrators group on a Windows virtual machine. Which data source must be enabled in Defender for Cloud to capture this event?
79. A company has several Azure virtual machines running SQL Server (IaaS). The security team wants to enable Advanced Threat Protection for these SQL Server instances to detect threats like SQL injection. What should they do?
80. A large organization manages multiple Azure subscriptions under a single management group. The security team wants to ensure that when new subscriptions are added to the management group, the Microsoft Defender for Cloud plans (e.g., Defender for Servers) are automatically enabled. What is the most efficient way to achieve this?
81. A cloud security team uses Microsoft Defender for Cloud with Defender for Servers enabled. They want to ensure that all Azure virtual machines have automatic provisioning of the Log Analytics agent (Azure Monitor Agent) turned on. Where should this configuration be set to cover existing and future VMs?
82. A company runs SQL Server on Azure Virtual Machines (IaaS). The security team wants to enable Advanced Threat Protection (ATP) to detect threats like SQL injection against these SQL Server instances. Which single action is required to achieve this?
83. A large enterprise uses Microsoft Defender for Cloud with all enhanced security plans (e.g., Defender for Servers, Defender for SQL) enabled on a management group. The security team wants to automatically enable these plans on new Azure subscriptions that are created under this management group. Which approach is the most efficient and scalable?
84. A security administrator needs to ensure that all newly provisioned Azure virtual machines automatically install the Microsoft Defender for Cloud agent (Log Analytics agent) to enable security monitoring. Which configuration should be enabled in Defender for Cloud?
85. A company manages multiple Azure subscriptions under a single management group. The security team wants to enable Microsoft Defender for Cloud's enhanced security features (e.g., Defender for Servers) for all subscriptions under that management group with minimal administrative effort. Which method should they use?
86. A security team uses Microsoft Defender for Cloud with Defender for Servers enabled. They want to receive an alert whenever a new local user is added to the Administrators group on any Azure Windows virtual machine. Which data source must be configured in Defender for Cloud to capture this event?
87. A security administrator wants to quickly view the overall security posture of all Azure subscriptions under a single management group that are monitored by Microsoft Defender for Cloud. Where in the Azure portal should they navigate?
88. A company uses Microsoft Defender for Cloud with Defender for Servers enabled. They also run SQL Server on Azure Virtual Machines (IaaS). The security team wants to enable Advanced Threat Protection (ATP) for these SQL Server IaaS instances to detect threats like SQL injection. What is the single most effective action to achieve this?
89. An organization manages multiple Azure subscriptions under a single management group. They want to automatically enable Microsoft Defender for Cloud's enhanced security plans (e.g., Defender for Servers) on any new subscription added to the management group. Which configuration method should they use?
90. A company runs SQL Server on Azure Virtual Machines (IaaS). They want to enable Advanced Threat Protection (ATP) for these instances to detect SQL injection attempts. What must they do first?
91. A security analyst uses Microsoft Defender for Cloud to monitor Azure SQL Databases. The analyst wants to generate alerts for SQL injection attempts but only for databases that contain sensitive data (e.g., credit card numbers). What is the most efficient way to configure alerting to focus on these databases?
92. A Defender for Cloud alert repeatedly fires for a known test VM used by the security team. The alert type is valid, but it should not create noise for that VM. What should the analyst configure?
93. A hybrid environment contains Azure VMs and on-premises servers connected through Azure Arc. Which two outcomes can Defender for Cloud provide for these servers? (Choose 2.)
94. A security administrator wants to enable Microsoft Defender for Cloud on all Azure subscriptions to generate security alerts for resources. What is the minimum configuration required on a subscription?
95. A company has multiple Azure subscriptions managed by Microsoft Defender for Cloud with enhanced security features enabled. The security team wants to ensure that all Azure SQL Servers have Advanced Data Security (ADS) enabled, including Vulnerability Assessment. They decide to use Azure Policy to enforce this at scale. Which built-in policy initiative should they assign to achieve this?
96. A security administrator is configuring Microsoft Defender for Cloud's regulatory compliance dashboard for Azure resources. They need to track compliance against the SOC 2 standard using a built-in initiative. Which steps are required to add SOC 2 to the dashboard?
97. A security team enables Microsoft Defender for Cloud on an Azure subscription and wants to ensure that all Azure SQL databases have threat detection enabled. Which plan must be enabled to receive alerts for SQL injection attempts?
98. An organization has enabled enhanced security features for a hybrid infrastructure including SQL servers on-premises and in Azure. Which Microsoft Defender for Cloud plan provides threat detection for both SQL Server on-premises and Azure SQL Database?

Watch out for

Common Mitigate threats using Microsoft Defender for Cloud exam traps

  • IaaS gives you infrastructure control; SaaS gives you only the application.
  • Hybrid cloud combines on-premises and public cloud — not two public clouds.
  • Cloud does not automatically mean cheaper or more secure.
  • Management responsibility shifts with each service model (IaaS → PaaS → SaaS).

Frequently asked questions

What does the Mitigate threats using Microsoft Defender for Cloud domain cover on the SC-200 exam?
Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.
How many questions are in this domain?
This page lists all 98 Mitigate threats using Microsoft Defender for Cloud questions in the SC-200 question bank. The actual exam draws from this domain proportionally to its weighting in the official exam blueprint.
What is the best way to practise this domain?
Start with a short focused session (10 questions) to identify gaps, then use the interactive practice page to work through explanations. Repeat with a longer session once the weak areas feel solid.
Can I practise only Mitigate threats using Microsoft Defender for Cloud questions?
Yes — the session launcher on this page filters questions to this domain only. Choose any session length or try the interactive practice page for inline explanations.