CCNA Mitigate threats using Microsoft Defender for Cloud Questions

75 of 104 questions · Page 1/2 · Mitigate threats using Microsoft Defender for Cloud · Answers revealed

1
MCQ · easy

A company runs SQL Server on Azure Virtual Machines (IaaS). The security team wants to enable Advanced Threat Protection (ATP) to detect threats like SQL injection against these SQL Server instances. Which single action is required to achieve this?

A. Enable Microsoft Defender for SQL on the Azure subscription or at the SQL Server resource level.
B. Install the SQL Server IaaS Agent extension on each virtual machine.
C. Enable just Microsoft Defender for Servers on the subscription.
D. Configure an Azure SQL firewall rule to allow only trusted IP addresses.
Answer: A

Enabling Defender for SQL activates threat detection for Azure SQL databases and SQL Server on VMs. This is the direct method to get alerts for SQL injection and other threats.

Why this answer

To enable Advanced Threat Protection (ATP) for SQL Server on Azure VMs, you must enable Microsoft Defender for SQL at the Azure subscription or SQL Server resource level. This activates the SQL-specific threat detection capabilities, including alerts for SQL injection, anomalous access patterns, and suspicious activities. Without this, the SQL Server instances lack the dedicated security monitoring that ATP provides.

Exam trap

The trap here is that candidates confuse the prerequisite infrastructure (SQL IaaS Agent extension) with the actual security service (Defender for SQL), or assume that general server protection (Defender for Servers) covers SQL-specific threats, which it does not.

How to eliminate wrong answers

Option B is wrong because the SQL Server IaaS Agent extension is required for managing SQL Server on Azure VMs (e.g., licensing, patching), but it does not enable ATP; ATP is a feature of Microsoft Defender for SQL, not the extension. Option C is wrong because Microsoft Defender for Servers protects the VM's OS and network layer but does not include SQL-specific threat detection like SQL injection alerts; that requires Defender for SQL. Option D is wrong because configuring an Azure SQL firewall rule restricts network access but does not enable ATP; ATP is a security monitoring and alerting service, not a network control.

2
MCQ · medium

A company has Azure virtual machines running Windows Server. The security team wants to use Microsoft Defender for Cloud's vulnerability assessment solution to identify missing security updates. Which of the following is required to enable built-in vulnerability assessment for VMs?

A. Enable Defender for Servers plan
B. Install the Log Analytics agent manually
C. Configure a vulnerability assessment solution from Azure Marketplace
D. Enable the regulatory compliance dashboard
Answer: A

Enabling the Defender for Servers plan activates the built-in vulnerability assessment, which automatically deploys the Qualys agent to discover missing security updates.

Why this answer

The built-in vulnerability assessment solution in Microsoft Defender for Cloud for Azure VMs is powered by Qualys and is automatically provisioned when the Defender for Servers plan is enabled. This integration does not require manual agent installation or third-party solutions; enabling the plan activates the scanner on supported VMs to identify missing security updates and other vulnerabilities.

Exam trap

The trap here is that candidates often assume a separate agent or marketplace solution is required, but Microsoft’s built-in assessment is automatically included with the Defender for Servers plan, making the other options unnecessary.

How to eliminate wrong answers

Option B is wrong because the built-in vulnerability assessment uses a Qualys-based scanner that is automatically deployed by Defender for Cloud, not the Log Analytics agent. Option C is wrong because the built-in solution is native and does not require configuring a separate solution from Azure Marketplace; that would be for third-party integrations. Option D is wrong because the regulatory compliance dashboard is a separate feature for tracking compliance standards, not a prerequisite for enabling vulnerability scanning.

3
MCQ · hard

A security engineer is responsible for protecting containerized workloads in Azure Kubernetes Service (AKS) clusters. They want to enable Microsoft Defender for Cloud to detect threats against the Kubernetes control plane and container runtime. Additionally, they want to ensure vulnerability assessments are performed on images stored in Azure Container Registry. Which Defender for Cloud plan should the engineer enable?

A. Enable the Microsoft Defender for Servers plan on the subscription.
B. Enable the Microsoft Defender for Containers plan on the subscription.
C. Enable the Microsoft Defender for App Service plan on the subscription.
D. Enable the Microsoft Defender for Container Registries plan (legacy) on the registry.
Answer: B

Defender for Containers includes detection for Kubernetes threats, runtime security, and vulnerability assessment for images.

Why this answer

Option B is correct because the Microsoft Defender for Containers plan is the only plan that provides integrated threat detection for the AKS control plane and container runtime, as well as vulnerability assessment for images in Azure Container Registry. This plan replaces the legacy Defender for Container Registries and Defender for Kubernetes plans, offering a unified solution for container security.

Exam trap

The trap here is that candidates may confuse the legacy Defender for Container Registries plan (Option D) as sufficient, not realizing it lacks control plane threat detection and has been replaced by the unified Defender for Containers plan.

How to eliminate wrong answers

Option A is wrong because the Microsoft Defender for Servers plan is designed for protecting virtual machines and on-premises servers, not containerized workloads in AKS or container registries. Option C is wrong because the Microsoft Defender for App Service plan focuses on threats against web applications running on Azure App Service, not Kubernetes clusters or container registries. Option D is wrong because the Microsoft Defender for Container Registries plan (legacy) only provides vulnerability scanning for images in the registry and does not include threat detection for the AKS control plane or container runtime; it has been superseded by the Defender for Containers plan.

4
MCQ · medium

A security administrator wants to assess their Azure environment against the Azure Security Benchmark and also include custom security controls defined by their organization. They need a single, reusable policy initiative that can be assigned across multiple subscriptions and management groups. What should the administrator create in Microsoft Defender for Cloud?

A. A new regulatory compliance standard
B. A custom Azure Policy initiative
C. A custom Azure Policy definition
D. A Secure Score recommendation override
Answer: B

Correct. By creating a custom initiative that includes the Azure Security Benchmark policy definitions plus custom policy definitions, you can deploy a single initiative covering both required sets of controls.

Why this answer

The administrator needs a single, reusable policy initiative that includes both Azure Security Benchmark controls and custom organizational controls. A custom Azure Policy initiative (also known as a policy set) allows combining multiple policy definitions, including built-in benchmark controls and custom definitions, into one assignable package across subscriptions and management groups. This is the correct approach because initiatives are designed for grouping related policies and can be assigned at scale in Microsoft Defender for Cloud.

Exam trap

The trap here is that candidates confuse a single custom policy definition (Option C) with a policy initiative, not realizing that an initiative is the only way to group multiple controls into a single assignable package for compliance assessment.

How to eliminate wrong answers

Option A is wrong because a new regulatory compliance standard in Defender for Cloud is a built-in framework (like Azure Security Benchmark, ISO 27001) that cannot be customized to include arbitrary custom controls; it only maps to predefined compliance assessments. Option C is wrong because a custom Azure Policy definition is a single policy rule, not a collection of multiple controls; it cannot bundle the Azure Security Benchmark with custom controls into one reusable package. Option D is wrong because a Secure Score recommendation override only changes the scoring impact or status of an existing recommendation, not the underlying policy set or compliance standard.

5
MCQ · medium

An organization has enabled enhanced security features for a hybrid infrastructure including SQL servers on-premises and in Azure. Which Microsoft Defender for Cloud plan provides threat detection for both SQL Server on-premises and Azure SQL Database?

A. Defender for Servers
B. Defender for SQL
C. Defender for Databases
D. Defender for Storage
Answer: B

Defender for SQL provides threat detection for SQL Server workloads including on-premises and Azure SQL Database.

Why this answer

Defender for SQL is the correct plan because it is specifically designed to protect both on-premises SQL Server instances (via Azure Arc-enabled SQL Server) and Azure SQL Database. It provides threat detection, vulnerability assessment, and advanced threat protection across the hybrid SQL estate, unlike other Defender plans that focus on different resource types.

Exam trap

The trap here is that candidates confuse 'Defender for Databases' (a broader, non-existent plan in the current Microsoft Defender for Cloud portfolio) with 'Defender for SQL,' which is the actual plan that covers both on-premises and Azure SQL databases.

How to eliminate wrong answers

Option A is wrong because Defender for Servers protects virtual machines and servers (including SQL Server hosts) but does not provide SQL-specific threat detection for the database engine itself. Option C is wrong because Defender for Databases is not a standalone plan; it is a legacy term or a grouping that has been replaced by Defender for SQL, which is the actual plan covering SQL databases. Option D is wrong because Defender for Storage protects Azure Blob Storage, Azure Files, and Azure Data Lake Storage from storage-specific threats, not SQL databases.

6
MCQ · medium

A company uses Microsoft Defender for Cloud with Defender for Servers enabled. They also run SQL Server on Azure Virtual Machines (IaaS). The security team wants to enable Advanced Threat Protection (ATP) for these SQL Server IaaS instances to detect threats like SQL injection. What is the single most effective action to achieve this?

A. Enable the Defender for SQL plan on the management group or subscription
B. Install the SQL IaaS Agent extension on each VM
C. Configure a vulnerability assessment solution on each SQL Server
D. Enable Azure SQL Database Threat Detection policy
Answer: A

Defender for SQL (IaaS) is a plan under Defender for Cloud. Enabling it extends protection to SQL Server IaaS instances, including ATP capabilities.

Why this answer

The Defender for SQL plan in Microsoft Defender for Cloud provides Advanced Threat Protection (ATP) for Azure SQL Database, Azure SQL Managed Instance, and SQL Server on Azure VMs. Enabling this plan at the management group or subscription level automatically protects all current and future SQL Server IaaS instances within that scope, including threat detection for SQL injection attacks, without requiring per-VM agent installation.

Exam trap

The trap here is that candidates often confuse the SQL IaaS Agent extension (which is needed for VM registration and management) with the actual security configuration required for ATP, leading them to select Option B instead of the subscription-level plan enablement in Option A.

How to eliminate wrong answers

Option B is wrong because installing the SQL IaaS Agent extension is a prerequisite for registering the VM with the SQL IaaS resource provider, but it does not enable ATP by itself; ATP requires the Defender for SQL plan to be enabled. Option C is wrong because configuring a vulnerability assessment solution addresses security misconfigurations and vulnerabilities, not real-time threat detection like SQL injection. Option D is wrong because Azure SQL Database Threat Detection policy applies only to Azure SQL Database, not to SQL Server running on Azure VMs (IaaS).

7
MCQ · easy

Your organization has multiple Azure subscriptions and wants to ensure that all of them have Microsoft Defender for Cloud's enhanced security features enabled. What is the minimal step required to achieve this for all subscriptions?

A. Assign an Azure Policy initiative to enable Defender for Cloud on each subscription
B. Enable the required Defender for Cloud plans at the management group level
C. Install the Log Analytics agent on all virtual machines in each subscription
D. Create a security contact email for each subscription
Answer: B

This propagates the enabled plans to all subscriptions under the management group, making it the simplest and minimal step.

Why this answer

Enabling Microsoft Defender for Cloud plans at the management group level is the minimal step because it applies the configuration to all child subscriptions under that management group in a single action. This leverages Azure's hierarchical management structure, ensuring every subscription inherits the enhanced security features without needing individual subscription-level configuration.

Exam trap

The trap here is that candidates often confuse enabling Defender for Cloud plans with deploying agents or configuring policies, but the minimal step is simply toggling the plans at the management group scope, which applies to all child subscriptions automatically.

How to eliminate wrong answers

Option A is wrong because assigning an Azure Policy initiative to enable Defender for Cloud is not minimal; it requires creating and assigning a policy, which is more complex than directly enabling plans at the management group level. Option C is wrong because installing the Log Analytics agent on virtual machines is not required to enable Defender for Cloud's enhanced security features; the agent is needed for specific features like file integrity monitoring but not for enabling the plans themselves. Option D is wrong because creating a security contact email for each subscription is a separate compliance requirement for incident notification, not a step to enable enhanced security features.

8
MCQ · easy

A company wants to enable Microsoft Defender for Cloud's enhanced security features for all Azure virtual machines in a subscription. What is the first action they should take in the Defender for Cloud pricing & settings page?

A. Turn on the 'Servers' plan for the subscription
B. Install the Log Analytics agent on each VM
C. Enable vulnerability assessment
D. Assign a regulatory compliance policy
Answer: A

Enabling the Servers plan activates the enhanced security features for all VMs in the subscription.

Why this answer

To enable Microsoft Defender for Cloud's enhanced security features for Azure VMs, the first step is to turn on the 'Servers' plan at the subscription level in the Defender for Cloud pricing & settings page. This activates Defender for Servers, which provides threat detection, vulnerability assessment, and just-in-time access. Without enabling this plan, no enhanced security features are available, regardless of other configurations.

Exam trap

The trap here is that candidates often confuse the order of operations, thinking that installing the Log Analytics agent or enabling vulnerability assessment is the first step, when in fact the subscription-level plan toggle must be enabled to unlock all enhanced security features.

How to eliminate wrong answers

Option B is wrong because installing the Log Analytics agent (now the Azure Monitor Agent) is a prerequisite for data collection but is not the first action; the 'Servers' plan must be enabled first to authorize the use of enhanced features. Option C is wrong because enabling vulnerability assessment (e.g., via Qualys or Microsoft Defender Vulnerability Management) is a feature within the 'Servers' plan and cannot be activated until the plan itself is turned on. Option D is wrong because assigning a regulatory compliance policy (e.g., Azure Policy for compliance standards) is a separate governance action that does not enable the underlying threat detection capabilities; it only maps resources to compliance frameworks after the plan is active.

9
MCQ · easy

A security administrator wants to see the overall security posture of all their Azure subscriptions in a single numerical score. Which dashboard in Microsoft Defender for Cloud provides this score based on implemented security controls?

A. Regulatory Compliance
B. Secure Score
C. Inventory
D. Recommendations
Answer: B

Secure Score aggregates all recommendations into a score that reflects the overall security posture.

Why this answer

The Secure Score dashboard in Microsoft Defender for Cloud aggregates the security posture across all Azure subscriptions into a single numerical score. This score is calculated based on the implementation of security controls and recommendations, reflecting the percentage of completed security measures. The administrator needs this consolidated view, which is exactly what Secure Score provides.

Exam trap

The trap here is that candidates confuse the Secure Score with the Regulatory Compliance score, thinking both provide a general security posture, but Regulatory Compliance is specifically tied to compliance frameworks, not the overall security control implementation.

How to eliminate wrong answers

Option A is wrong because Regulatory Compliance provides a score based on compliance with specific standards (e.g., CIS, NIST), not a general security posture score. Option C is wrong because Inventory lists resources and their security configurations but does not calculate a numerical score. Option D is wrong because Recommendations shows individual security suggestions and their status, but does not aggregate them into a single overall score.

10
MCQ · easy

A security engineer is configuring Microsoft Defender for Cloud in a hybrid environment with on-premises servers connected via Azure Arc. The engineer wants to enable the Defender for Cloud plans for servers (including vulnerability assessment) on all Azure Arc-enabled machines. What is the correct method to deploy the Log Analytics agent (or Azure Monitor Agent) and the Microsoft Defender for Endpoint (MDE) integration?

A. Manually install the Log Analytics agent on each machine and then enable MDE integration
B. Use the Defender for Cloud auto-provisioning feature with the Azure Policy 'Deploy Log Analytics agent' and enable MDE integration
C. Use Azure Arc extensions to install the agents and then configure Defender for Cloud plans
D. Deploy the agents via Configuration Manager
Answer: B

Auto-provisioning automatically deploys the required agents and enables MDE integration on Azure Arc servers via Azure Policy.

Why this answer

Option B is correct because Defender for Cloud's auto-provisioning feature uses built-in Azure Policy initiatives to automatically deploy the Log Analytics agent (or Azure Monitor Agent) to Azure Arc-enabled machines, and it also enables the Microsoft Defender for Endpoint (MDE) integration via the 'Configure machines to receive a vulnerability assessment provider' policy. This ensures consistent, scalable deployment without manual intervention, aligning with the hybrid environment's requirements.

Exam trap

The trap here is that candidates often assume Azure Arc extensions (Option C) are the primary method for agent deployment, but they overlook that Defender for Cloud's auto-provisioning feature uses Azure Policy to automate both agent installation and MDE integration, which is the recommended and correct approach for hybrid environments.

How to eliminate wrong answers

Option A is wrong because manually installing the Log Analytics agent on each machine is not scalable and does not leverage Defender for Cloud's automated policy-driven deployment, which is required for consistent configuration across Azure Arc-enabled servers. Option C is wrong because while Azure Arc extensions can install agents, they do not automatically configure the Defender for Cloud plans or MDE integration; the auto-provisioning feature in Defender for Cloud handles both agent deployment and plan enablement via policy. Option D is wrong because deploying agents via Configuration Manager (SCCM) is a traditional on-premises method that does not integrate with Defender for Cloud's policy-based auto-provisioning and would require additional manual steps to enable MDE integration and vulnerability assessment.

11
MCQ · medium

An organization uses Microsoft Defender for Cloud and has enabled enhanced security features. They want to receive alerts when a user attempts to connect to an Azure VM via RDP from a public IP address that is not in a predefined list of trusted IP ranges. Which Defender for Cloud plan or feature provides this capability?

A. Adaptive network hardening
B. Network security groups (NSG) flow logs
C. Just-In-Time (JIT) VM access
D. File Integrity Monitoring (FIM)
Answer: C

JIT allows you to define a list of approved source IPs and ports; any connection attempt from an unapproved IP triggers an alert.

Why this answer

Just-In-Time (JIT) VM access in Microsoft Defender for Cloud allows you to lock down inbound traffic to Azure VMs, reducing exposure to attacks while providing easy access when needed. When enabled, JIT creates rules in the network security group (NSG) that permit RDP (TCP 3389) or SSH (TCP 22) traffic only from specific IP addresses or ranges that you define, and only during a requested time window. If a user attempts an RDP connection from a public IP not in the trusted list, Defender for Cloud generates an alert, as the traffic is blocked by the JIT policy.

Exam trap

The trap here is that candidates often confuse Adaptive network hardening (which also adjusts NSG rules) with JIT VM access, but Adaptive network hardening does not enforce a predefined trusted IP list or generate alerts for unauthorized RDP attempts—it only recommends rule changes based on traffic patterns.

How to eliminate wrong answers

Option A is wrong because Adaptive network hardening is a feature that dynamically adjusts NSG rules based on observed traffic patterns to reduce the attack surface, but it does not provide the ability to define a trusted IP list for RDP access or generate alerts for unauthorized connection attempts from specific IPs. Option B is wrong because NSG flow logs capture information about IP traffic flowing through an NSG for network monitoring and analysis, but they do not enforce access control or generate real-time alerts for RDP connection attempts from untrusted IPs. Option D is wrong because File Integrity Monitoring (FIM) monitors changes to critical files, registries, and software on VMs, not network-level access attempts like RDP connections from public IPs.

12
MCQ · easy

A security administrator wants to view the overall security posture of all Azure subscriptions in a single numerical score. Which dashboard in Microsoft Defender for Cloud provides this score based on implemented security controls?

A. Regulatory compliance dashboard
B. Secure Score dashboard
C. Inventory dashboard
D. Recommendations dashboard
Answer: B

The Secure Score dashboard displays the overall security posture score based on the implementation of security controls and recommendations across all subscriptions.

Why this answer

The Secure Score dashboard in Microsoft Defender for Cloud aggregates the security posture across all Azure subscriptions into a single numerical score. This score is calculated based on the implementation of security controls and recommendations, providing a quantifiable measure of your overall security hygiene.

Exam trap

The trap here is that candidates often confuse the Secure Score dashboard with the Recommendations dashboard, thinking that viewing individual recommendations provides the same aggregated score, but the Secure Score dashboard is the only place where the single numerical score is displayed.

How to eliminate wrong answers

Option A is wrong because the Regulatory compliance dashboard shows compliance with specific standards (e.g., ISO 27001, NIST) but does not produce a single numerical score for overall security posture. Option C is wrong because the Inventory dashboard lists all monitored resources and their security configurations, but it does not aggregate them into a single score. Option D is wrong because the Recommendations dashboard lists individual security recommendations and their status, but it does not calculate or display a unified numerical score.

13
MCQ · medium

A security administrator wants to enable vulnerability assessment for all existing and future Azure virtual machines in a subscription using the integrated Microsoft Defender Vulnerability Management solution. What is the recommended action in Microsoft Defender for Cloud?

A. Enable the 'Vulnerability assessment for machines' component in the Defender for Servers plan settings within the subscription's pricing & settings page.
B. Manually install the Microsoft Defender Vulnerability Management agent on each VM via an Azure Policy initiative.
C. Create an Azure Policy that assigns the 'Configure machines to receive a vulnerability assessment provider' built-in policy to the subscription.
D. Enable 'Vulnerability assessment for machines' in the Azure Security Benchmark compliance dashboard.
Answer: A

This action enables automatic deployment of the vulnerability assessment agent to all VMs in the subscription.

Why this answer

Option A is correct because enabling the 'Vulnerability assessment for machines' component in the Defender for Servers plan settings within the subscription's pricing & settings page automatically provisions the integrated Microsoft Defender Vulnerability Management (MDVM) solution to all existing and future Azure VMs without manual agent installation. This is the recommended and native method in Microsoft Defender for Cloud to enable vulnerability assessment at scale, leveraging the built-in Qualys or MDVM scanner that is managed by the platform.

Exam trap

The trap here is that candidates often confuse the 'Vulnerability assessment for machines' component with a separate policy assignment or manual agent installation, not realizing that the correct action is a simple toggle in the Defender for Servers plan settings that automatically handles provisioning and lifecycle management.

How to eliminate wrong answers

Option B is wrong because manually installing the Microsoft Defender Vulnerability Management agent on each VM is not the recommended action; Defender for Cloud can automatically provision the agent via the plan settings, and manual installation is inefficient and error-prone for scaling. Option C is wrong because the 'Configure machines to receive a vulnerability assessment provider' built-in policy assigns a specific provider (e.g., Qualys or a BYOL solution) but does not enable the integrated MDVM solution; it requires additional configuration and does not automatically cover future VMs without policy assignment scope management. Option D is wrong because the Azure Security Benchmark compliance dashboard is a compliance monitoring tool, not a configuration pane for enabling vulnerability assessment; it does not have a setting to enable vulnerability assessment for machines.

14
MCQ · medium

A security analyst receives an alert in Microsoft Defender for Cloud about a suspicious process on an Azure VM. The alert indicates a potential credential dumping tool. The analyst needs to see the full command line and parent process of the suspicious process. Which Defender for Cloud feature should the analyst use?

A. Live Response
B. Fileless attack detection
C. Just-In-Time VM access
D. Adaptive application controls
Answer: A

Live Response provides a remote shell to the VM, enabling the analyst to run commands to retrieve process information, including command line and parent process.

Why this answer

Live Response in Microsoft Defender for Cloud provides the analyst with the ability to remotely investigate a live Azure VM. It allows the analyst to run commands, collect forensic artifacts, and view detailed process information, including the full command line and parent process of the suspicious process, which is essential for analyzing a potential credential dumping tool.

Exam trap

The trap here is that candidates often confuse Live Response with other Defender for Cloud features like Fileless attack detection or Adaptive application controls, mistakenly thinking those features provide forensic process investigation capabilities when they are actually focused on detection or prevention, not post-breach analysis.

How to eliminate wrong answers

Option B is wrong because Fileless attack detection is a feature that identifies threats that execute code without writing to disk, such as PowerShell scripts or WMI activity; it does not provide the ability to view the full command line or parent process of a specific alert. Option C is wrong because Just-In-Time VM access is a network security feature that controls inbound traffic to VMs by opening ports only when needed; it is unrelated to investigating process details. Option D is wrong because Adaptive application controls are a whitelisting mechanism that defines which applications are allowed to run on VMs; they do not offer forensic investigation capabilities like viewing command-line arguments or parent processes.

15
MCQ · hard

A security analyst uses Microsoft Defender for Cloud to monitor Azure SQL Databases. The analyst wants to generate alerts for SQL injection attempts but only for databases that contain sensitive data (e.g., credit card numbers). What is the most efficient way to configure alerting to focus on these databases?

A. Enable a custom alert rule in Microsoft Sentinel that queries Azure SQL audit logs and filters based on database classification tags.
B. Use Data Discovery & Classification in Azure SQL to label sensitive columns, then configure Advanced Threat Protection to alert only when a SQL injection event is detected against a database with those labels.
C. Disable Advanced Threat Protection for all databases except those that contain sensitive data by manually enabling ATP per database.
D. Create a workflow automation in Defender for Cloud that filters SQL injection alerts based on database name.
Answer: B

Correct. SQL ATP can be linked with data classification to focus alerts on databases containing sensitive data, reducing noise.

Why this answer

Option B is correct because it uses Azure SQL's Data Discovery & Classification to label sensitive columns (e.g., credit card numbers) and then configures Advanced Threat Protection (ATP) to alert only when a SQL injection event is detected against databases with those labels. This approach directly ties the alert trigger to the presence of sensitive data, ensuring alerts are generated only for relevant databases without manual per-database management. It is the most efficient method as it leverages built-in classification and ATP integration, avoiding unnecessary overhead or external dependencies.

Exam trap

The trap here is that candidates often assume that manually enabling/disabling ATP per database (Option C) is the simplest approach, overlooking the built-in classification-based filtering that provides automated, scalable, and precise alert targeting without administrative overhead.

How to eliminate wrong answers

Option A is wrong because it relies on Microsoft Sentinel custom alert rules querying Azure SQL audit logs, which introduces latency, additional cost, and complexity compared to using Defender for Cloud's native ATP, and it does not directly integrate with Data Discovery & Classification labels for efficient filtering. Option C is wrong because manually enabling or disabling ATP per database is inefficient and error-prone, especially in large environments, and it does not leverage the automated classification-based filtering that ATP supports. Option D is wrong because creating a workflow automation in Defender for Cloud that filters alerts based on database name is a post-alert workaround that does not prevent alerts from being generated for non-sensitive databases, wasting resources and potentially causing alert fatigue.

16
MCQeasy

A company wants to enable vulnerability scanning for Azure virtual machines using the integrated Microsoft Defender Vulnerability Management solution. What is the first step?

A.Install the Defender Vulnerability Management extension on each VM.
B.Enable the 'Servers' plan in Defender for Cloud.
C.Configure a vulnerability assessment solution in the VM's security settings.
D.Create a vulnerability assessment rule in Azure Policy.
AnswerB

Enabling the Servers plan for the subscription activates the integrated vulnerability assessment, which auto-deploys the solution.

Why this answer

The first step to enable vulnerability scanning for Azure VMs with the integrated Microsoft Defender Vulnerability Management solution is to enable the 'Servers' plan in Defender for Cloud. The plan turns on the integration: machines the plan onboards to Microsoft Defender for Endpoint are assessed by the Defender Vulnerability Management capability of that sensor, and Defender for Servers Plan 2 adds agentless scanning of VM disks as well. There is no separately named 'Defender Vulnerability Management extension' to install by hand; the plan's own provisioning delivers the scanner, and findings then surface as Defender for Cloud recommendations.

Exam trap

The trap here is that candidates assume a separate scanner extension must be installed manually on each VM (Option A) because that is how traditional vulnerability scanners work, but the integrated solution is delivered by the 'Servers' plan's own provisioning (the Defender for Endpoint sensor, plus agentless scanning in Plan 2), so enabling the plan is the first and decisive step.

How to eliminate wrong answers

Option A is wrong because there is no standalone 'Defender Vulnerability Management extension' to install per VM; the scanner arrives through the provisioning the 'Servers' plan performs. Option C is wrong because configuring a vulnerability assessment solution in the VM's security settings is the legacy, per-machine route and is not the first step; the integrated solution is enabled for the whole subscription once the 'Servers' plan is turned on. Option D is wrong because an Azure Policy rule is not the initial step; Azure Policy can be used afterwards to enforce that every VM actually receives the scanner, but the prerequisite is enabling the 'Servers' plan in Defender for Cloud.

17
MCQmedium

A company runs SQL Server on Azure Virtual Machines (IaaS). They want to enable Advanced Threat Protection (ATP) for these instances to detect SQL injection attempts. What must they do first?

A.Deploy the Azure Security Center agent on the VM
B.Enable Azure Defender for SQL on the server
C.Enable Azure Defender for Servers
D.Configure SQL Server auditing manually
AnswerB

Azure Defender for SQL includes Advanced Threat Protection for SQL Server instances on VMs. It must be enabled either at the subscription level or per-server to start detecting threats like SQL injection.

Why this answer

Azure Defender for SQL is the specific plan within Microsoft Defender for Cloud that provides Advanced Threat Protection (ATP) for Azure SQL resources, including SQL Server on Azure VMs. Enabling this plan activates threat detection capabilities such as SQL injection alerts, anomalous access patterns, and vulnerability assessments. Without this plan, the VM's SQL Server instance is not monitored by Defender for Cloud's SQL-specific threat detection engine.

Exam trap

The trap here is that candidates confuse Azure Defender for Servers (which protects the OS) with Azure Defender for SQL (which protects the database engine), leading them to select the server-level plan when the question specifically asks for SQL injection detection.

How to eliminate wrong answers

Option A is wrong because the Azure Security Center agent (later the Log Analytics agent, now superseded by the Azure Monitor Agent) only collects OS-level events; Defender for SQL servers on machines collects its SQL telemetry through its own Defender for SQL extension on the monitoring agent, which the plan auto-provisions, so deploying the generic agent by itself does not turn on ATP. (The SQL IaaS Agent extension is a separate prerequisite that registers the SQL Server instance with Azure; it is not the ATP data source either.) Option C is wrong because Azure Defender for Servers provides threat detection for the VM's operating system and network layer, but does not include SQL-specific protections like SQL injection detection; that requires the dedicated Azure Defender for SQL plan. Option D is wrong because manual SQL Server auditing is a separate compliance and logging feature that does not enable ATP's real-time threat detection; ATP uses its own built-in detection logic and does not depend on auditing being configured, although audit records are useful when investigating an alert.

18
MCQmedium

A company uses Microsoft Defender for Cloud to protect Azure resources. They have an Azure SQL Database containing sensitive customer data. The security team wants to be alerted if a user attempts to perform SQL injection attacks against the database. Which Defender for Cloud plan must be enabled to receive SQL injection alerts?

A.Defender for SQL
B.Defender for Servers
C.Defender for Storage
D.Defender for App Service
AnswerA

This plan specifically includes SQL injection detection for Azure SQL Database.

Why this answer

Defender for SQL is the correct plan because it specifically provides threat detection for Azure SQL Database, including alerts for SQL injection attempts. It monitors database activity for SQL injection patterns (both application code that generates injectable queries and actual injection attempts), anomalous access and unusual query behaviour; SQL injection is a primary threat to sensitive data in SQL databases, and the plan does not depend on SQL auditing being switched on first.

Exam trap

The trap here is that candidates may confuse Defender for App Service with protecting the database, but App Service only protects the web application layer, not the SQL database itself, so SQL injection alerts require Defender for SQL.

How to eliminate wrong answers

Option B is wrong because Defender for Servers protects virtual machines and servers, not Azure SQL Database, and does not include SQL injection detection. Option C is wrong because Defender for Storage protects Azure Blob Storage, Azure Files, and Data Lake Storage, not SQL databases, and focuses on anomalies like unusual access patterns, malware uploads or data exfiltration. Option D is wrong because Defender for App Service protects web applications running on App Service, not the underlying database; its alerts cover attacks on the app host, such as web shells, suspicious process execution on the app's workers and dangling DNS entries, not SQL injection against a database.
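The three questions above (16, 17 and 18) all come down to switching a Defender for Cloud plan to the paid tier at subscription scope. As an added example, not part of the quiz, the following Az PowerShell script enables the Servers plan and both SQL plans and then verifies nothing was left on the Free tier. It assumes the Az.Accounts and Az.Security modules are installed and the caller holds Security Admin on the subscription; the subscription ID is a placeholder.

```powershell
# Added example (not from the quiz): enable the Defender for Cloud plans that
# questions 16-18 refer to, then verify the result.
# Assumes Az.Accounts and Az.Security are installed; the subscription ID is a placeholder.
Connect-AzAccount | Out-Null
Set-AzContext -Subscription '00000000-0000-0000-0000-000000000000' | Out-Null

# Plan names as Defender for Cloud's pricing API knows them:
#   VirtualMachines          -> Defender for Servers (Q16); also carries the
#                               Defender Vulnerability Management integration
#   SqlServerVirtualMachines -> Defender for SQL servers on machines (Q17)
#   SqlServers               -> Defender for Azure SQL Databases (Q18)
$plans = 'VirtualMachines', 'SqlServerVirtualMachines', 'SqlServers'

foreach ($plan in $plans) {
    # 'Standard' is the paid tier that turns the plan on; 'Free' turns it off.
    Set-AzSecurityPricing -Name $plan -PricingTier 'Standard' | Out-Null
}

# Verify: a plan still on the Free tier means that resource type is unprotected.
$status = Get-AzSecurityPricing |
    Where-Object { $_.Name -in $plans } |
    Select-Object Name, PricingTier
$status | Format-Table -AutoSize

$notEnabled = $status | Where-Object { $_.PricingTier -ne 'Standard' }
if ($notEnabled) {
    throw "Plans still on the Free tier: $($notEnabled.Name -join ', ')"
}
```

The same call works at resource level for SQL (for example, enabling Defender for SQL on one logical server) via the resource's own security settings, but subscription-level enablement is what the exam expects because it also covers servers created later.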

19
Matchingmedium

Match each Microsoft 365 Defender role to its permission level.


Concepts
Matches

Full access to all admin features

Manage security policies and view reports

Read-only access to security settings and logs

Respond to alerts and manage incidents

Manage compliance features and data loss prevention

Why these pairings

These roles are used to control access within Microsoft 365 Defender.

20
MCQeasy

A security administrator wants to quickly view the overall security posture of all Azure subscriptions under a single management group that are monitored by Microsoft Defender for Cloud. Where in the Azure portal should they navigate?

A.Microsoft Defender for Cloud overview page
B.Azure Monitor
C.Azure Policy Compliance dashboard
D.Azure Advisor
AnswerA

The overview page displays the secure score, number of recommendations, and alerts across all subscriptions in the selected scope.

Why this answer

The Microsoft Defender for Cloud overview page provides a unified dashboard that displays the secure score, regulatory compliance, and security alerts across all subscriptions under a management group. This is the default landing page for assessing the overall security posture, aggregating data from all monitored subscriptions in a single view.

Exam trap

The trap here is that candidates may confuse the Defender for Cloud overview page with Azure Monitor or Azure Advisor, thinking those tools also provide a security posture summary, but only Defender for Cloud's overview page is designed specifically for cross-subscription security posture visibility.

How to eliminate wrong answers

Option B is wrong because Azure Monitor focuses on collecting and analyzing telemetry data (metrics, logs) from resources, not on providing a consolidated security posture score or compliance status across subscriptions. Option C is wrong because the Azure Policy Compliance dashboard shows compliance against Azure Policy definitions, not the comprehensive security posture (including secure score, recommendations, and alerts) that Defender for Cloud offers. Option D is wrong because Azure Advisor provides best-practice recommendations for cost, performance, reliability, and security, but it does not aggregate security posture data across multiple subscriptions under a management group like Defender for Cloud's overview page does.

21
MCQmedium

A security team enables Microsoft Defender for Cloud on an Azure subscription and wants to ensure that all Azure SQL databases have threat detection enabled. Which plan must be enabled to receive alerts for SQL injection attempts?

A.Defender for Servers
B.Defender for SQL
C.Defender for Storage
D.Defender for Key Vault
AnswerB

Defender for SQL includes advanced threat protection for Azure SQL Database, SQL Managed Instance, and provides SQL injection alerts.

Why this answer

Defender for SQL is the specific Microsoft Defender for Cloud plan that provides threat detection for Azure SQL databases, including alerts for SQL injection attacks. It monitors database activity for anomalous patterns, such as SQL injection attempts, and generates security alerts. Without this plan enabled, threat detection for SQL databases remains disabled, even if other Defender plans are active.

Exam trap

The trap here is that candidates may confuse Defender for Servers with general database protection, not realizing that SQL-specific threat detection requires the dedicated Defender for SQL plan, not the server-level plan.

How to eliminate wrong answers

Option A is wrong because Defender for Servers protects virtual machines and their workloads, not Azure SQL databases; it does not include SQL-specific threat detection. Option C is wrong because Defender for Storage monitors storage accounts for threats like malware uploads or anonymous access, not SQL injection attempts. Option D is wrong because Defender for Key Vault focuses on detecting threats against key vaults, such as unauthorized access or secret exfiltration, and has no visibility into SQL database activity.

22
Multi-Selectmedium

A hybrid environment contains Azure VMs and on-premises servers connected through Azure Arc. Which two outcomes can Defender for Cloud provide for these servers? (Choose 2.)

Select 2 answers
A.Security recommendations for misconfigurations and missing updates.
B.Threat detection alerts for protected server workloads.
C.Automatic replacement of all unsupported operating systems.
D.Guaranteed compliance certification for every regulatory standard.
AnswersA, B

Defender for Cloud can assess server posture and recommend remediation.

Why this answer

Defender for Cloud continuously assesses the security posture of Azure VMs and Azure Arc-enabled on-premises servers. It generates security recommendations for misconfigurations (e.g., open management ports, missing disk encryption) and missing updates (e.g., OS patches, critical CVE fixes) by comparing each server's configuration against built-in security baselines and the findings of Microsoft Defender Vulnerability Management. That is the posture-management half of the answer (Option A). The other half, threat detection (Option B), comes from the Defender for Servers plan: Arc-enabled machines are onboarded to Microsoft Defender for Endpoint in the same way as Azure VMs, so suspicious processes, credential-theft attempts and similar activity on them raise alerts in Defender for Cloud.

Exam trap

The trap here is that candidates confuse 'providing compliance assessments and recommendations' with 'guaranteeing compliance certification,' and they mistakenly think Defender for Cloud can automatically remediate unsupported OS replacements when it only detects and advises on such issues.

23
Matchingmedium

Match each Kusto Query Language (KQL) operator to its function.


Concepts
Matches

Filters rows based on a condition

Groups rows and calculates aggregates

Selects specific columns

Creates computed columns

Combines rows from two tables

Why these pairings

These are fundamental KQL operators used in Microsoft Sentinel and Defender queries.

24
MCQmedium

A cloud security administrator needs to ensure that all Azure virtual machines have the Microsoft Defender for Cloud agent (Log Analytics agent) installed automatically when they are provisioned. Which configuration should be set in Microsoft Defender for Cloud?

A.Enable auto-provisioning in the Defender for Cloud environment settings.
B.Deploy a custom Azure Policy to install the agent on all VMs.
C.Use an Azure Automation runbook to install the agent on newly created VMs.
D.Enable Azure Update Management on the VMs.
AnswerA

Correct. Auto-provisioning automatically deploys the Log Analytics agent to all supported VMs in the subscription, ensuring continuous coverage.

Why this answer

Option A is correct because Microsoft Defender for Cloud includes an auto-provisioning setting that, when enabled, automatically installs the Log Analytics agent (Microsoft Monitoring Agent) on all existing and newly provisioned Azure virtual machines. This setting is configured in the Defender for Cloud environment settings under 'Auto provisioning' and ensures coverage without manual intervention or additional policy management. Note that the Log Analytics agent itself was retired in August 2024 in favour of the Azure Monitor Agent; the principle the question tests is unchanged, namely that the plan's own provisioning setting, not a custom policy or runbook, is what deploys the required agent or extension.

Exam trap

The trap here is that candidates may overthink the solution and choose a custom Azure Policy or automation method, not realizing that Defender for Cloud's built-in auto-provisioning is the simplest and most direct configuration to meet the requirement.

How to eliminate wrong answers

Option B is wrong because deploying a custom Azure Policy to install the agent is unnecessary and less efficient; Defender for Cloud's built-in auto-provisioning already handles this automatically without requiring custom policy definitions. Option C is wrong because using an Azure Automation runbook to install the agent on newly created VMs is a manual, reactive approach that does not scale and lacks the native integration and monitoring capabilities of Defender for Cloud's auto-provisioning. Option D is wrong because enabling Azure Update Management on VMs is focused on patching and update compliance, not on installing the Log Analytics agent for security monitoring, and it does not fulfill the requirement for automatic agent installation at provisioning time.
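As an added example (not part of the quiz), this is what turning on the default auto-provisioning setting looks like from Az PowerShell, together with pointing provisioned agents at a specific Log Analytics workspace rather than the per-region default workspace Defender for Cloud would otherwise create. It assumes the Az.Security module is installed and that the subscription still accepts the legacy default auto-provisioning setting; the subscription ID, resource group and workspace name are placeholders.

```powershell
# Added example (not from the quiz): enable Defender for Cloud's default
# auto-provisioning setting, bind it to a workspace, and verify both.
# Assumes Az.Security is installed; IDs and names below are placeholders.
$subscriptionId = '00000000-0000-0000-0000-000000000000'
$scope          = "/subscriptions/$subscriptionId"
$workspaceId    = "$scope/resourceGroups/rg-security/providers/Microsoft.OperationalInsights/workspaces/law-security"

Set-AzContext -Subscription $subscriptionId | Out-Null

# The only auto-provisioning setting name the API exposes is 'default'.
Set-AzSecurityAutoProvisioningSetting -Name 'default' -EnableAutoProvision | Out-Null

# Tell Defender for Cloud which workspace provisioned agents report to. Without
# this it creates a 'DefaultWorkspace-<subscription>-<region>' workspace on its own,
# which scatters security data and complicates Sentinel onboarding.
Set-AzSecurityWorkspaceSetting -Name 'default' -Scope $scope -WorkspaceId $workspaceId | Out-Null

# Verify. The API reports the auto-provisioning state as 'On' or 'Off'.
$auto = Get-AzSecurityAutoProvisioningSetting -Name 'default'
$ws   = Get-AzSecurityWorkspaceSetting -Name 'default'
if ($auto.AutoProvision -ne 'On')      { throw 'Auto-provisioning is still off' }
if ($ws.WorkspaceId -ne $workspaceId)  { throw 'Workspace setting did not apply' }
"Auto-provisioning: $($auto.AutoProvision); workspace: $($ws.WorkspaceId)"
```

Existing VMs pick the agent up on the next provisioning pass; for new VMs the extension is pushed shortly after creation, which is the "at provisioning time" behaviour the question asks for.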

25
MCQeasy

A security analyst in Microsoft Defender for Cloud is reviewing the Security Alerts for an Azure subscription. The analyst sees an alert titled "Suspicious PowerShell activity detected" on an Azure VM. The analyst needs to view the full command line of the suspicious script and the parent process that launched it. Where in the alert details can the analyst find this information?

A.The "Attack story" tab
B.The "Alert details" pane (general description)
C.The "Take action" tab (recommendations)
D.The "Investigate" tab (with timeline and entities)
AnswerD

The Investigate tab contains a graphical timeline and entity relationships, including a process tree that reveals the full command line and parent process of the suspicious script.

Why this answer

The 'Investigate' tab in Microsoft Defender for Cloud provides a detailed timeline and entity graph that includes the full command line of the suspicious script and the parent process that launched it. This tab is specifically designed for deep forensic analysis, allowing analysts to trace process ancestry and view raw command-line arguments, which are not available in the general alert description or the Attack story tab.

Exam trap

The trap here is that candidates confuse the 'Attack story' tab (which shows a narrative of related alerts) with the 'Investigate' tab (which provides the raw forensic data like command lines and process trees), leading them to select A instead of D.

How to eliminate wrong answers

Option A is wrong because the 'Attack story' tab provides a high-level narrative of the attack chain (e.g., related alerts and entities) but does not expose the raw command line or parent process details. Option B is wrong because the 'Alert details' pane contains only a general description and severity of the alert, not the granular process lineage or script content. Option C is wrong because the 'Take action' tab offers remediation recommendations (e.g., isolate VM, run antivirus) and does not include investigative data like command lines or parent processes.

26
MCQmedium

A security administrator wants to enforce Just-in-Time (JIT) VM access for all Azure virtual machines in a management group to reduce the attack surface. The administrator wants to automatically enable JIT on any new VM and remediate existing non-compliant VMs. What should the administrator configure in Microsoft Defender for Cloud?

A.Manually enable JIT in Defender for Cloud's 'Just-in-time VM access' blade for each subscription.
B.Assign the built-in policy initiative 'Configure just-in-time network access on virtual machines' at the management group level.
C.Configure Azure Policy Guest Configuration to require JIT on virtual machines.
D.Create a custom Azure Policy definition to enforce JIT and assign it to each subscription.
AnswerB

This initiative automatically deploys JIT configuration to VMs, covers new VMs, and remediates non-compliant ones.

Why this answer

The built-in policy initiative 'Configure just-in-time network access on virtual machines' can be assigned at the management group scope to automatically enable JIT on new VMs and remediate existing non-compliant VMs via a DeployIfNotExists effect. This ensures consistent enforcement across all subscriptions under that management group without manual per-subscription configuration.

Exam trap

The trap here is that candidates may think manual configuration (A) or custom policies (D) are needed, but the exam tests knowledge of built-in policy initiatives that can be assigned at a management group for automated, scalable enforcement.

How to eliminate wrong answers

Option A is wrong because manually enabling JIT per subscription does not provide automatic enforcement for new VMs or remediate existing non-compliant VMs at scale; it requires ongoing manual effort. Option C is wrong because Azure Policy Guest Configuration is used for in-guest settings (e.g., OS configuration, compliance) and does not control network-level JIT access on Azure VMs. Option D is wrong because creating a custom Azure Policy definition is unnecessary when a built-in policy initiative already exists for this exact purpose, and assigning it per subscription is less efficient than a single management group assignment.

27
MCQeasy

A security engineer needs to ensure that all Azure subscriptions under a management group are continuously assessed against the Azure Security Benchmark. They want to see the aggregated compliance score at the management group level. What should the engineer do in Microsoft Defender for Cloud?

A.Assign the Azure Security Benchmark initiative to each subscription individually and use the secure score dashboard.
B.Assign the Azure Security Benchmark initiative to the management group.
C.Enable the Regulatory Compliance dashboard and select the Azure Security Benchmark from the built-in standards list.
D.Configure Secure Score policies at the management group and enable Azure Security Benchmark.
AnswerB

When assigned to a management group, the initiative applies to all subscriptions under it, and the Regulatory Compliance dashboard shows aggregated compliance.

Why this answer

Assigning the Azure Security Benchmark initiative (since renamed the Microsoft cloud security benchmark, MCSB) to the management group ensures that all subscriptions under that management group are continuously assessed against the benchmark. The aggregated compliance score is then visible at the management group level in the Regulatory Compliance dashboard, providing a single view of compliance across the entire hierarchy.

Exam trap

The trap here is that candidates often think they need to enable the Regulatory Compliance dashboard (Option C) or configure Secure Score policies (Option D) to see aggregated scores, but the critical step is assigning the initiative at the correct scope—the management group—to enable both continuous assessment and aggregation.

How to eliminate wrong answers

Option A is wrong because assigning the initiative to each subscription individually does not provide an aggregated compliance score at the management group level; it only shows per-subscription scores. Option C is wrong because enabling the Regulatory Compliance dashboard and selecting the Azure Security Benchmark from the built-in standards list only enables the dashboard view, it does not assign the initiative to the management group or subscriptions, so no continuous assessment occurs. Option D is wrong because there is no 'Secure Score policies' configuration at the management group; secure score is derived from the assigned initiatives, and the Azure Security Benchmark must be assigned as an initiative, not just 'enabled' as a policy.

28
MCQmedium

A company uses Microsoft Defender for Cloud and wants to automatically remediate non-compliant Azure resources by deploying missing configurations (e.g., enabling diagnostics when not enabled). Which feature should they enable?

A.Azure Policy's DeployIfNotExists effect
B.Just-In-Time VM access
C.Adaptive network hardening
D.File integrity monitoring
AnswerA

Correct: DeployIfNotExists automatically deploys required configurations when a resource is non-compliant, enabling auto-remediation.

Why this answer

Azure Policy's DeployIfNotExists effect is the correct feature because it automatically remediates non-compliant Azure resources by deploying missing configurations, such as enabling diagnostic settings, when the resource is created or updated. The effect evaluates the resource against the policy's existence condition and, if the required related resource or setting is absent, runs an ARM template deployment under the assignment's managed identity to create it. Two practical caveats: the assignment needs a managed identity that holds the roles the policy declares, and DeployIfNotExists does not act retroactively on its own, so resources that existed before the assignment are brought into compliance through a remediation task. In Defender for Cloud, this is used to enforce security baselines by automatically correcting non-compliant resources without manual intervention.

Exam trap

The trap here is that candidates may confuse 'automatic remediation' with security controls like JIT or network hardening, but the question specifically asks about deploying missing configurations, which is a policy-based remediation feature, not a threat mitigation control.

How to eliminate wrong answers

Option B is wrong because Just-In-Time (JIT) VM access is a Defender for Cloud feature that reduces the attack surface by controlling network access to VMs, not for deploying missing configurations like diagnostics. Option C is wrong because Adaptive network hardening uses machine learning to recommend and enforce network security group rules based on traffic patterns, not for deploying missing resource configurations. Option D is wrong because File integrity monitoring (FIM) tracks changes to files and registries on VMs to detect unauthorized modifications, not for deploying missing configurations like enabling diagnostics.

29
MCQeasy

A security administrator in Microsoft Defender for Cloud notices that the Secure Score is lower than expected. Which action would most effectively improve the Secure Score by reducing the attack surface?

A.Enable Just-in-Time (JIT) VM access for all virtual machines.
B.Configure auditing on all SQL databases.
C.Disable all low-severity security alerts in the subscription.
D.Install EDR agents on all on-premises servers.
AnswerA

JIT is a built-in recommendation in Defender for Cloud's Secure Score controls; enabling it improves the score and reduces attack surface.

Why this answer

Enabling Just-in-Time (JIT) VM access reduces the attack surface by locking down inbound traffic to Azure VMs, allowing only authorized users to open specific ports (e.g., RDP 3389, SSH 22) for a limited time. This directly improves the Secure Score because Microsoft Defender for Cloud includes JIT recommendations as a high-impact security control, and implementing it reduces the number of exposed management ports that attackers can target.

Exam trap

The trap here is that candidates often confuse 'reducing the attack surface' with 'improving detection' (e.g., enabling auditing or installing EDR agents), but the Secure Score's attack surface reduction category specifically rewards proactive controls like JIT that limit exposure, not reactive monitoring or alert management.

How to eliminate wrong answers

Option B is wrong because configuring auditing on SQL databases improves compliance and threat detection but does not directly reduce the attack surface; it is a monitoring control, not a preventive one that limits exposure. Option C is wrong because disabling low-severity security alerts does not improve the Secure Score; it only suppresses notifications and may hide real threats, while the Secure Score is based on implementing security recommendations, not alert suppression. Option D is wrong because installing EDR agents on on-premises servers enhances detection and response but does not reduce the attack surface; unless those servers are Azure Arc-enabled they are not even in Defender for Cloud's scope, and the score rewards preventive cloud controls such as JIT, adaptive application controls and vulnerability remediation.

30
MCQhard

A security administrator wants to ensure that all Azure virtual machines have Microsoft Defender for Cloud's vulnerability assessment (VA) solution enabled automatically. They need to deploy the VA solution to new and existing VMs without manual intervention. Which method should they use?

A.Configure 'Vulnerability assessment for machines' in Defender for Cloud settings
B.Assign an Azure Policy with DeployIfNotExists effect for the VA solution
C.Enable the Defender for Servers plan on the subscription
D.Run a PowerShell script to install the VA solution on all VMs
AnswerB

This policy automatically deploys the VA solution (e.g., Qualys or integrated VA) to VMs that do not have it, ensuring all VMs are covered.

Why this answer

Option B is correct because Azure Policy with a DeployIfNotExists effect can automatically deploy the Microsoft Defender for Cloud integrated vulnerability assessment (VA) solution to both new and existing Azure VMs without manual intervention. The policy evaluates VMs that do not have the VA solution and triggers a remediation task to deploy it, ensuring continuous coverage across the subscription. (At the time this question was written the choice was between the Qualys-based scanner and Microsoft Defender Vulnerability Management; the Qualys integration has since been retired, leaving Defender Vulnerability Management as the integrated option.)

Exam trap

The trap here is that candidates often confuse enabling the Defender for Servers plan (which only activates the feature) with the automatic deployment mechanism provided by Azure Policy, leading them to select option C instead of the correct policy-based approach.

How to eliminate wrong answers

Option A is wrong because configuring 'Vulnerability assessment for machines' in Defender for Cloud settings only selects the VA solution at the plan level; it does not by itself guarantee that every existing and future VM receives it. Option C is wrong in the sense the question intends: enabling the Defender for Servers plan makes the VA feature available (and is the prerequisite for it), but the question asks for the mechanism that ensures every existing and new VM is covered without manual intervention, and that is the policy-driven deployment and remediation, not the plan toggle. Option D is wrong because running a PowerShell script to install the VA solution on all VMs is a one-time manual action that does not provide ongoing automatic deployment for new VMs and lacks the compliance enforcement and remediation capabilities of Azure Policy.

31
MCQeasy

A company uses Microsoft Defender for Cloud. They need to continuously assess the compliance of their Azure resources against the CIS benchmark. Which feature should they enable?

A.Regulatory compliance dashboard
B.Secure Score
C.Azure Policy
D.Just-In-Time VM access
AnswerA

Correct. The Regulatory compliance dashboard includes built-in initiatives for standards like CIS, allowing continuous compliance monitoring.

Why this answer

The Regulatory Compliance dashboard in Defender for Cloud provides built-in compliance standards such as the CIS benchmarks, SOC 2, NIST SP 800-53 and ISO 27001. By assigning the appropriate initiative, the dashboard continuously evaluates resources and reports compliance status per control.

How to eliminate wrong answers

Option B is wrong because Secure Score is an aggregated risk score, not a compliance standard. Option C is wrong because Azure Policy is the underlying service used to evaluate and enforce the initiative, but the feature that presents compliance against the benchmark is the dashboard. Option D is wrong because Just-in-Time VM access is a security control, not a compliance assessment tool.

32
MCQeasy

A company wants to continuously assess the compliance of their Azure resources against the CIS (Center for Internet Security) benchmark. Which Microsoft Defender for Cloud feature should they use?

A.Regulatory compliance dashboard
B.Secure score
C.Azure Policy
D.Workload protections
AnswerA

This dashboard allows you to track compliance against built-in standards like CIS, and you can assign the CIS initiative to your subscriptions.

Why this answer

The Regulatory compliance dashboard in Microsoft Defender for Cloud provides pre-built assessments and continuous monitoring against specific compliance standards, including the CIS benchmark. It automatically evaluates Azure resources against CIS controls and displays compliance status, making it the correct feature for this requirement.

Exam trap

The trap here is that candidates often confuse Secure score (which measures overall security hygiene) with the Regulatory compliance dashboard (which measures adherence to specific standards like CIS), leading them to select Secure score when the question explicitly asks for compliance against a benchmark.

How to eliminate wrong answers

Option B is wrong because Secure score measures overall security posture based on implemented security controls, not specific compliance with a regulatory standard like CIS. Option C is wrong because Azure Policy is a service for creating, assigning, and managing policies that enforce rules on resources, but it does not natively include pre-built CIS benchmark assessments; the Regulatory compliance dashboard leverages Azure Policy initiatives but provides the compliance-specific dashboard. Option D is wrong because Workload protections refer to advanced threat detection capabilities for workloads (e.g., servers, databases), not compliance assessment against benchmarks like CIS.

33
MCQmedium

A company uses Microsoft Defender for Cloud to manage security across multiple Azure subscriptions. They want to automatically remediate non-compliant resources when a policy violation is detected—for example, enabling encryption on a storage account that has it disabled. Which feature should they configure?

A.Regulatory compliance dashboard
B.Azure Policy's DeployIfNotExists effect
C.Adaptive network hardening
D.Just-In-Time VM access
AnswerB

DeployIfNotExists policies automatically deploy the required configuration (e.g., enable encryption) when a non-compliant resource is created or updated.

Why this answer

Azure Policy's DeployIfNotExists effect is the correct feature because it automatically deploys a resource configuration (such as enabling encryption on a storage account) when a policy evaluation detects non-compliance. This effect runs during policy evaluation and remediation tasks, ensuring that the resource is brought into compliance without manual intervention. It is specifically designed for automated remediation of non-compliant resources in Azure, aligning with the requirement to fix violations like missing encryption.

Exam trap

The trap here is that candidates may confuse the Regulatory compliance dashboard (a monitoring tool) with an automated remediation feature, overlooking that Azure Policy's DeployIfNotExists effect is the actual mechanism for enforcing and fixing compliance violations.

How to eliminate wrong answers

Option A is wrong because the Regulatory compliance dashboard is a reporting and monitoring tool that displays compliance status against standards (e.g., CIS, NIST), but it does not perform automated remediation of non-compliant resources. Option C is wrong because Adaptive network hardening provides recommendations to tighten network security group rules based on traffic patterns, not automated remediation of policy violations like encryption settings. Option D is wrong because Just-In-Time VM access reduces attack surface by controlling inbound traffic to VMs on demand, but it does not address policy compliance or resource configuration remediation.

34
Drag & Dropmedium

Order the steps to perform a threat hunting exercise using Microsoft 365 Defender advanced hunting.


Why this order

Threat hunting starts with a hypothesis, then querying, analyzing, and documenting results.

35
MCQmedium

A company uses Microsoft Defender for Cloud and wants to automatically ensure that all Azure virtual machines have a specific security configuration baseline applied (e.g., default password policies). Which Defender for Cloud feature should they leverage to audit and enforce these configurations inside the VMs?

A.Security policies
B.Azure Policy Guest Configuration
C.Just-In-Time VM access
D.Adaptive application controls
AnswerB

Correct: Guest Configuration can audit and deploy configurations inside VMs, automating baseline enforcement.

Why this answer

Azure Policy Guest Configuration is the correct feature because it extends Azure Policy to audit and enforce configurations inside the operating system of Azure VMs, including security baseline settings like default password policies. Unlike host-level policies, Guest Configuration can evaluate and remediate settings within the guest OS, making it the appropriate tool for this requirement.

Exam trap

The trap here is that candidates often confuse Azure Policy (which applies to Azure resource properties) with Guest Configuration (which applies to settings inside the VM guest OS), leading them to incorrectly select Security policies or Adaptive application controls.

How to eliminate wrong answers

Option A is wrong because Security policies in Defender for Cloud define security standards and compliance rules at the subscription or resource level, but they do not audit or enforce configurations inside the VM's operating system. Option C is wrong because Just-In-Time VM access controls network access to management ports (e.g., RDP, SSH) and has no capability to audit or enforce OS-level security baselines. Option D is wrong because Adaptive application controls create allowlists for applications running on VMs to prevent malware, but they do not audit or enforce configuration baselines like password policies.

36
MCQmedium

Match each Microsoft Defender for Cloud feature on the left with its primary purpose on the right.

A.Just-In-Time VM Access → Provides time-limited access to management ports via NSG rules; Adaptive Application Controls → Allowlists known safe applications to run on VMs; File Integrity Monitoring → Detects changes to sensitive registry keys and files; Regulatory Compliance Dashboard → Assesses Azure resources against industry standards
B.The first and second mappings are reversed; the remaining mappings are unchanged.
C.All features map to the same monitoring purpose.
D.The compliance and access-control mappings are swapped.
AnswerA

This mapping pairs each feature with its primary purpose.

Why this answer

Option A is correct because it accurately matches each Microsoft Defender for Cloud feature to its primary purpose. Just-In-Time (JIT) VM Access reduces the attack surface by locking down management ports (e.g., RDP 3389, SSH 22) and granting time-limited access via NSG rules only when requested. Adaptive Application Controls uses machine learning to create an allowlist of known safe applications, blocking unknown executables on VMs.

File Integrity Monitoring (FIM) tracks changes to sensitive registry keys, files, and certificates, alerting on unauthorized modifications. The Regulatory Compliance Dashboard continuously assesses Azure resources against built-in standards like CIS, NIST, and Azure Security Benchmark, providing a compliance score and recommendations.

Exam trap

The trap here is that candidates often confuse Just-In-Time VM Access with Adaptive Application Controls because both reduce the attack surface, but JIT governs network-level access to management ports while Adaptive Application Controls governs which applications can execute at the OS level.

How to eliminate wrong answers

Option B is wrong because it claims the first two mappings are reversed, but JIT VM Access and Adaptive Application Controls are correctly paired in Option A; reversing them would incorrectly assign time-limited port access to application allowlisting and vice versa, which misrepresents their distinct security functions. Option C is wrong because it states all features map to the same monitoring purpose, which is false: each feature serves a unique purpose. JIT controls network access, Adaptive Application Controls governs software execution, FIM monitors file integrity, and the dashboard assesses compliance; they are not interchangeable. Option D is wrong because it swaps the compliance and access-control mappings, but the Regulatory Compliance Dashboard is correctly matched with assessing industry standards, and JIT VM Access is correctly matched with time-limited management port access; swapping them would inaccurately assign compliance assessment to JIT and access control to the dashboard.

37
MCQhard

A company has multiple Azure subscriptions managed by Microsoft Defender for Cloud with enhanced security features enabled. The security team wants to ensure that all Azure SQL Servers have Advanced Data Security (ADS) enabled, including Vulnerability Assessment. They decide to use Azure Policy to enforce this at scale. Which built-in policy initiative should they assign to achieve this?

A.Enable Azure Monitor for VMs
B.Azure Security Benchmark
C.Deploy Diagnostics Settings for SQL Databases
D.Enable Advanced Threat Protection for SQL servers
AnswerB

The Azure Security Benchmark initiative includes policies to enable Advanced Data Security and Vulnerability Assessment on SQL servers.

Why this answer

The Azure Security Benchmark initiative includes built-in policies to enforce Advanced Data Security (ADS) and Vulnerability Assessment on Azure SQL Servers. Assigning this initiative at scale ensures compliance with security best practices across all subscriptions, as it contains the specific policy effect to enable ADS and VA automatically.

Exam trap

The trap here is that candidates often confuse a single policy (like 'Enable Advanced Threat Protection for SQL servers') with a policy initiative that bundles multiple related policies, leading them to select option D instead of the broader Azure Security Benchmark initiative that covers both ADS and Vulnerability Assessment enforcement.

How to eliminate wrong answers

Option A is wrong because 'Enable Azure Monitor for VMs' is an initiative focused on deploying the Log Analytics agent and VM insights, not on SQL Server security configurations. Option C is wrong because 'Deploy Diagnostics Settings for SQL Databases' only configures diagnostic logging to a Log Analytics workspace, but does not enable Advanced Data Security or Vulnerability Assessment. Option D is wrong because 'Enable Advanced Threat Protection for SQL servers' is a single policy, not a policy initiative; the question asks for a built-in policy initiative that enforces both ADS and Vulnerability Assessment at scale.

38
MCQeasy

A security analyst reviews Microsoft Defender for Cloud recommendations for an Azure virtual machine. The VM has a recommendation titled 'Install endpoint protection solution on virtual machines'. The analyst clicks on the recommendation and sees affected resources. Which of the following best describes the purpose of this recommendation in the context of Defender for Cloud?

A.It identifies VMs that have an open network security group inbound rule that should be closed.
B.It suggests enabling Azure Firewall on the virtual network to protect the VM from external threats.
C.It recommends enabling disk encryption for the VM's OS and data disks.
D.It advises deploying a supported endpoint protection solution, such as Microsoft Defender Antivirus, to protect the VM from malware and other threats.
AnswerD

Correct. The recommendation prompts installation of endpoint protection software. Defender for Cloud integrates with Microsoft Defender Antivirus and supports partner solutions.

Why this answer

Option D is correct because the recommendation 'Install endpoint protection solution on virtual machines' in Microsoft Defender for Cloud specifically identifies VMs that lack a supported endpoint protection solution (e.g., Microsoft Defender Antivirus, Trend Micro, Symantec). Its purpose is to ensure that VMs are protected against malware, viruses, and other threats by deploying an endpoint protection solution, which is a core security control in the cloud security posture management (CSPM) framework.

Exam trap

The trap here is that candidates confuse 'endpoint protection' with network-level controls (like NSG rules or Azure Firewall) or data-at-rest protections (like disk encryption), leading them to select options A, B, or C instead of recognizing the specific focus on malware protection at the OS level.

How to eliminate wrong answers

Option A is wrong because it describes a recommendation related to network security groups (NSGs) and open inbound rules, which is a separate recommendation (e.g., 'All network ports should be restricted') and not about endpoint protection. Option B is wrong because it suggests enabling Azure Firewall, which is a network-level security service, not an endpoint protection solution; Defender for Cloud has distinct recommendations for network security. Option C is wrong because it refers to disk encryption (e.g., Azure Disk Encryption), which protects data at rest, not endpoint protection against malware; these are different security controls in Defender for Cloud.

39
MCQmedium

A security team uses Microsoft Defender for Cloud to protect Azure virtual machines. They notice that a VM is generating alerts for unusual outbound connections. The team wants to use a Defender for Cloud feature that learns the VM's typical network behavior and provides recommendations to tighten network security group rules, while also alerting on suspicious deviations. Which feature should they enable?

A.Adaptive network hardening
B.Just-In-Time VM access
C.File integrity monitoring
D.Vulnerability scanning
AnswerA

Adaptive network hardening uses learning to lock down NSG rules and can alert on suspicious deviations from learned patterns.

Why this answer

Adaptive network hardening (ANH) is the correct feature because it uses machine learning to learn a VM's typical traffic patterns (including outbound connections), then analyzes the current Network Security Group (NSG) rules against those learned patterns. It provides recommendations to tighten NSG rules to allow only the traffic that is actually used, and it generates security alerts when it detects deviations from the learned baseline, such as unusual outbound connections.

Exam trap

The trap here is that candidates often confuse Just-In-Time VM access (which also deals with network security) with adaptive network hardening, but JIT only manages inbound port access, not outbound traffic analysis or rule tightening based on learned behavior.

How to eliminate wrong answers

Option B (Just-In-Time VM access) is wrong because it focuses on reducing the attack surface by locking down inbound RDP/SSH ports and granting temporary access, not on learning outbound network behavior or tightening NSG rules based on traffic patterns. Option C (File integrity monitoring) is wrong because it monitors changes to critical files, registries, and software, not network traffic or NSG rule recommendations. Option D (Vulnerability scanning) is wrong because it identifies missing patches and misconfigurations in the OS and applications, not network behavior or NSG rule hardening.

40
MCQeasy

A security administrator needs to view a list of all virtual machines that have a missing critical security update. Which Microsoft Defender for Cloud dashboard should they use?

A.Secure Score
B.Regulatory Compliance
C.Inventory
D.Recommendations
AnswerD

Recommendations includes 'System updates should be installed on your machines' which lists all VMs missing critical updates.

Why this answer

The Recommendations dashboard in Microsoft Defender for Cloud provides a prioritized list of security recommendations, including missing critical security updates for virtual machines. This dashboard aggregates findings from vulnerability assessments and update management, allowing administrators to identify and remediate specific missing patches across their VM fleet.

Exam trap

The trap here is that candidates confuse the Inventory dashboard (which lists all resources) with the Recommendations dashboard (which provides actionable security findings), leading them to select Inventory instead of the correct Recommendations option.

How to eliminate wrong answers

Option A is wrong because Secure Score measures overall security posture based on compliance with recommendations, but does not directly list VMs with missing updates. Option B is wrong because Regulatory Compliance focuses on adherence to compliance standards (e.g., ISO 27001, NIST) and does not surface specific missing security updates. Option C is wrong because Inventory provides a list of all resources (including VMs) but lacks the filtering and recommendation context needed to identify missing critical updates.

41
MCQmedium

A security operations team has Microsoft Defender for Cloud enabled on all subscriptions and wants to forward security alerts and recommendations to Microsoft Sentinel for analysis and automation. Which configuration should the team implement to enable this integration?

A.In Microsoft Sentinel, add the 'Microsoft Defender for Cloud' data connector and select the subscriptions to stream alerts and recommendations.
B.In Microsoft Defender for Cloud, create a continuous export to a Log Analytics workspace that is already connected to Sentinel.
C.Create an Azure Policy that deploys Azure Monitor Agent to all VMs and configures data collection rules to send data to Sentinel.
D.Enable the 'Enable integration with Microsoft Sentinel' option in the Defender for Cloud pricing & settings blade.
AnswerA

This is the correct integration path: enabling the connector in Sentinel to ingest security events from Defender for Cloud.

Why this answer

Option A is correct because the 'Microsoft Defender for Cloud' data connector in Microsoft Sentinel is the native integration point that allows you to stream security alerts and recommendations from Defender for Cloud into Sentinel. By adding this connector and selecting the subscriptions, you enable a direct, bi-directional connection that ingests Defender for Cloud data into Sentinel's Log Analytics workspace for analysis and automation.

Exam trap

The trap here is that candidates confuse the direction of integration, thinking they must configure it from Defender for Cloud (Option D) or use continuous export (Option B), when in fact the integration is initiated from Microsoft Sentinel by adding the data connector.

How to eliminate wrong answers

Option B is wrong because continuous export in Defender for Cloud exports data to a Log Analytics workspace, but it does not automatically connect to Sentinel; you must still use the Sentinel data connector to ingest that data. Option C is wrong because Azure Policy deploying Azure Monitor Agent to VMs and configuring data collection rules sends VM-level telemetry, not Defender for Cloud security alerts and recommendations. Option D is wrong because the 'Enable integration with Microsoft Sentinel' option in Defender for Cloud's pricing & settings blade does not exist; the integration is configured from within Sentinel, not Defender for Cloud.

42
MCQmedium

An organization wants to enable vulnerability assessment for all Azure virtual machines, including future ones, using the integrated Qualys or Microsoft Defender Vulnerability Management solution. What is the recommended approach in Microsoft Defender for Cloud?

A.Enable the Defender for Servers plan and configure auto-provisioning of the vulnerability assessment solution.
B.Manually install the Log Analytics agent and then configure vulnerability assessment on each VM.
C.Use Azure Policy to assign the built-in initiative that deploys the vulnerability assessment solution and associates it with VMs.
D.Enable Azure Security Center's free tier and manually download the vulnerability assessment tool.
AnswerA

This enables built-in VA and automatically deploys it to all supported VMs.

Why this answer

The recommended approach is to enable the Defender for Servers plan, which automatically provisions the integrated vulnerability assessment solution (Qualys or Microsoft Defender Vulnerability Management) on all existing and future Azure VMs. This ensures continuous scanning without manual intervention, leveraging auto-provisioning to deploy the necessary extension.

Exam trap

The trap here is that candidates often mistake Azure Policy for the primary deployment mechanism, but the correct approach requires enabling the Defender for Servers plan first, because the policy initiative depends on that plan being active.

How to eliminate wrong answers

Option B is wrong because manually installing the Log Analytics agent and configuring vulnerability assessment on each VM is not scalable and does not leverage the automated, integrated solution provided by Defender for Cloud. Option C is wrong because while Azure Policy can enforce compliance, the built-in initiative for vulnerability assessment requires the Defender for Servers plan to be enabled first; it is not a standalone deployment method. Option D is wrong because the free tier of Azure Security Center does not include vulnerability assessment capabilities; it only provides basic security recommendations without the integrated scanning solution.

43
MCQmedium

A security team uses Microsoft Defender for Cloud with Defender for Servers enabled. They want to receive an alert whenever a new local user is added to the Administrators group on any Azure Windows virtual machine. Which data source must be configured in Defender for Cloud to capture this event?

A.Windows Security Events (Event ID 4732)
B.Windows Defender Antivirus logs
C.Azure Activity Logs
D.VM Insights
AnswerA

Event 4732 logs when a member is added to a security-enabled local group. Defender for Cloud can collect security events and alert on this specific event.

Why this answer

Option A is correct because the addition of a user to the Administrators group on a Windows system generates Windows Security Event ID 4732. Defender for Cloud with Defender for Servers must have the 'Windows Security Events' data source configured to collect these audit events, which then triggers a security alert for the new local administrator.

Exam trap

The trap here is that candidates often confuse Azure Activity Logs (control-plane) with guest OS security events, assuming any Azure-level log will capture local user changes, but only the Windows Security Events data source collects the necessary Event ID 4732 from within the VM.

How to eliminate wrong answers

Option B is wrong because Windows Defender Antivirus logs contain malware detection and protection events, not user or group membership changes. Option C is wrong because Azure Activity Logs record control-plane operations on Azure resources (e.g., VM creation or deletion), not guest OS-level events like local group modifications. Option D is wrong because VM Insights collects performance metrics, process inventory, and network connections via the Log Analytics agent, but it does not natively capture Windows Security Event ID 4732 unless the Windows Security Events data source is explicitly configured.

44
MCQmedium

A company has enabled Microsoft Defender for Cloud on their subscription containing Azure SQL databases. They receive an alert about a potential SQL injection attack. The analyst wants to see the actual query that was executed. Where can the analyst find the query details associated with the alert?

A.In the alert's entity tab
B.By opening the SQL database's threat detection logs
C.In the Azure Activity Log
D.In the alert's diagnostic data
AnswerA

The entity tab within an alert details page shows the related entities, including the SQL query that was flagged.

Why this answer

Option A is correct because when Microsoft Defender for Cloud detects a SQL injection attack, the alert details include an 'Entities' tab that contains the actual SQL query that was executed. This tab provides the raw query text, which is essential for the analyst to understand the exact payload used in the attack and to assess the impact on the database.

Exam trap

The trap here is that candidates often confuse the Azure Activity Log (control-plane) with data-plane logs, or assume that threat detection logs are the primary source for query details, when in fact the alert's entity tab is the direct, curated source for the executed query.

How to eliminate wrong answers

Option B is wrong because the SQL database's threat detection logs (e.g., Azure SQL Auditing or Advanced Threat Protection logs) may show query patterns but do not directly expose the specific query associated with a Defender for Cloud alert; the alert itself surfaces the query in its entities. Option C is wrong because the Azure Activity Log records control-plane operations (e.g., resource creation, policy changes) and does not capture data-plane events like SQL queries executed against a database. Option D is wrong because the alert's diagnostic data typically includes metadata such as severity, timestamp, and affected resources, but not the actual SQL query text; that is shown in the entities tab.

45
MCQmedium

An organization has enabled Microsoft Defender for Cloud's enhanced security features. They want to ensure that newly provisioned Azure virtual machines automatically have the built-in vulnerability assessment solution installed. Which configuration should they enable in Defender for Cloud?

A.Auto-provisioning of the Log Analytics agent
B.Auto-provisioning of the vulnerability assessment solution
C.Automatic provisioning of all security agents
D.Azure Policy assignment for Update Management
AnswerB

This setting automatically deploys a vulnerability assessment agent (e.g., Qualys or Microsoft built-in) to new VMs, ensuring continuous scanning.

Why this answer

Option B is correct because Microsoft Defender for Cloud's enhanced security features include a dedicated auto-provisioning setting specifically for the built-in vulnerability assessment solution (powered by Qualys). When enabled, this setting automatically deploys the vulnerability assessment extension to all new and existing Azure VMs, ensuring continuous vulnerability scanning without manual intervention.

Exam trap

The trap here is that candidates often confuse the Log Analytics agent's auto-provisioning (which enables data collection for security alerts) with the separate vulnerability assessment auto-provisioning, assuming that log collection alone covers vulnerability scanning, when in fact a dedicated extension is required for that purpose.

How to eliminate wrong answers

Option A is wrong because auto-provisioning of the Log Analytics agent collects security events and telemetry for monitoring, but it does not install the vulnerability assessment solution; the vulnerability scanner is a separate extension. Option C is wrong because 'automatic provisioning of all security agents' is not a specific configuration in Defender for Cloud; the platform offers individual auto-provisioning toggles for specific agents (e.g., Log Analytics, vulnerability assessment, endpoint protection), not a single 'all agents' option. Option D is wrong because Azure Policy assignment for Update Management manages OS patch compliance via Azure Automation Update Management, not the installation of a vulnerability assessment solution.

46
MCQmedium

A company uses Microsoft Defender for Cloud to manage security posture. The compliance team needs to continuously monitor resources against the CIS Microsoft Azure Foundations Benchmark and receive a consolidated score across all subscriptions. Which Defender for Cloud feature should they use?

A.Secure Score
B.Regulatory compliance dashboard
C.Adaptive application controls
D.File Integrity Monitoring (FIM)
AnswerB

The regulatory compliance dashboard tracks compliance against selected standards (e.g., CIS, ISO) by evaluating resources against the corresponding Azure Policy initiatives.

Why this answer

The Regulatory compliance dashboard in Microsoft Defender for Cloud provides continuous monitoring of resources against specific compliance standards, such as the CIS Microsoft Azure Foundations Benchmark, and aggregates a consolidated score across all subscriptions. This feature maps Azure Policy initiatives to compliance controls, showing pass/fail status and a compliance score, which directly meets the compliance team's requirement for ongoing assessment and a unified score.

Exam trap

The trap here is that candidates often confuse Secure Score with regulatory compliance scoring, but Secure Score is a general posture metric based on Microsoft's security recommendations, not a dedicated compliance benchmark score like CIS.

How to eliminate wrong answers

Option A is wrong because Secure Score measures an organization's overall security posture based on security recommendations, not specific compliance with the CIS Microsoft Azure Foundations Benchmark; it does not provide a consolidated compliance score for a particular regulatory standard. Option C is wrong because Adaptive application controls are a workload protection feature that uses machine learning to define allowlists for running applications on Azure VMs, unrelated to compliance monitoring or scoring. Option D is wrong because File Integrity Monitoring (FIM) examines changes to files and registries on VMs for security incidents, not for assessing compliance against a benchmark like CIS.

47
Drag & Dropmedium

Order the steps to create a Microsoft Sentinel automation rule that automatically closes low-severity incidents.


Why this order

Automation rules are created in the Automation blade, conditions define when to trigger, and actions define what to do.

48
MCQmedium

A security team wants to enable advanced threat detection for all Azure SQL databases across multiple subscriptions. They want to receive alerts for SQL injection attempts and anomalous activities. Which action should they take in Microsoft Defender for Cloud?

A.Enable the Microsoft Defender for Servers plan on each subscription.
B.Enable the Microsoft Defender for SQL plan at the subscription level.
C.Configure SQL Auditing and Threat Detection on each SQL server individually.
D.Create an Azure Policy to deploy Azure SQL Firewall rules.
AnswerB

When enabled at the subscription level, all SQL databases in that subscription are protected, and alerts are generated for threats like SQL injection.

Why this answer

Microsoft Defender for SQL provides advanced threat detection for Azure SQL databases, including alerts for SQL injection attempts and anomalous activities. Enabling the plan at the subscription level automatically protects all existing and future SQL databases within that subscription, ensuring centralized management and compliance.

Exam trap

The trap here is that candidates often confuse the need for per-server configuration (Option C) with the centralized subscription-level enablement, or they mistakenly think that server-level security controls like firewalls (Option D) or server-specific plans (Option A) can provide the same threat detection capabilities.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Servers is designed to protect virtual machines and servers, not Azure SQL databases; it does not include SQL-specific threat detection capabilities. Option C is wrong because configuring SQL Auditing and Threat Detection on each SQL server individually is a legacy, manual approach that lacks the centralized policy enforcement and advanced analytics provided by Microsoft Defender for SQL at the subscription level. Option D is wrong because creating an Azure Policy to deploy Azure SQL Firewall rules only manages network access controls and does not enable threat detection or alerting for SQL injection or anomalous activities.

49
MCQmedium

A security administrator wants to ensure that all existing and future Azure virtual machines have Microsoft Defender for Cloud's built-in vulnerability assessment solution (Qualys or Microsoft) installed without manual intervention. Which feature should the administrator configure?

A.Continuous export of security findings to Log Analytics
B.Auto-provisioning of the vulnerability assessment solution
C.Just-in-time VM access
D.Regulatory compliance dashboard
AnswerB

Auto-provisioning automatically installs the VA agent (Microsoft or Qualys) to all existing and new VMs, ensuring continuous coverage.

Why this answer

Auto-provisioning of the vulnerability assessment solution ensures that Microsoft Defender for Cloud automatically installs either the Qualys or Microsoft built-in vulnerability assessment extension on all existing and future Azure VMs without manual intervention. This feature is specifically designed to enable continuous vulnerability scanning by deploying the agent at scale, covering both new and existing resources as they are provisioned or discovered.

Exam trap

The trap here is that candidates often confuse 'continuous export' (which sends data after the agent is installed) with 'auto-provisioning' (which actually installs the agent), leading them to select Option A thinking it automates the deployment process.

How to eliminate wrong answers

Option A is wrong because continuous export of security findings to Log Analytics is a data export feature that sends vulnerability scan results to a Log Analytics workspace for centralized analysis or integration, but it does not install or deploy the vulnerability assessment solution itself. Option C is wrong because Just-in-time VM access is a network security feature that controls inbound traffic to VMs by opening ports only when needed, and it has no role in deploying vulnerability assessment agents. Option D is wrong because the Regulatory compliance dashboard provides a view of compliance posture against standards like CIS or NIST, but it does not automate the installation of vulnerability assessment software.

50
MCQmedium

A large enterprise uses Microsoft Defender for Cloud with all enhanced security plans (e.g., Defender for Servers, Defender for SQL) enabled on a management group. The security team wants to automatically enable these plans on new Azure subscriptions that are created under this management group. Which approach is the most efficient and scalable?

A.Use an Azure Policy definition that enforces the Microsoft Defender for Cloud pricing tier (Standard) at the management group scope.
B.Manually enable the plans for each new subscription when it is created.
C.Create an Azure Automation runbook that runs on a schedule and enables plans for all subscriptions under the management group.
D.Use Azure Blueprints to define the Defender for Cloud settings in the blueprint definition.
AnswerA

Azure Policy can be assigned to a management group, automatically applying the desired Defender for Cloud configuration to all existing and new subscriptions within that group.

Why this answer

Azure Policy can be assigned at the management group scope to enforce the 'Standard' pricing tier for Microsoft Defender for Cloud on all current and future subscriptions. This ensures that when a new subscription is created under that management group, the policy automatically evaluates and remediates the subscription to enable the required Defender plans, providing a fully automated, scalable, and governance-driven approach without manual intervention or custom scripting.

Exam trap

The trap here is that candidates often confuse Azure Blueprints (which apply settings only at deployment time) with Azure Policy (which provides continuous enforcement and automatic remediation), leading them to choose the Blueprints option despite its lack of ongoing compliance and scalability for new subscriptions.

How to eliminate wrong answers

Option B is wrong because manually enabling plans for each new subscription is not scalable, introduces human error, and violates the principle of automated governance at scale. Option C is wrong because an Azure Automation runbook running on a schedule introduces latency, requires custom code and credential management, and does not provide real-time enforcement or compliance reporting like Azure Policy does. Option D is wrong because Azure Blueprints are deprecated in favor of deployment stacks and do not provide continuous enforcement of Defender for Cloud pricing tiers; they only apply settings at deployment time and do not automatically remediate drift or new subscriptions after the blueprint assignment.

51
MCQeasy

A security analyst receives an alert in Microsoft Defender for Cloud that an Azure virtual machine is running a process with a known indicator of compromise (IOC). The analyst wants to investigate the process details, including the command line and parent process. Which feature should the analyst use to gather this information from the VM?

A.Vulnerability assessment
B.Live response
C.Inventory of resources
D.Secure score
AnswerB

Live response enables remote investigation of a VM, including process listing and command-line analysis.

Why this answer

Live Response in Microsoft Defender for Cloud provides a remote shell connection to the VM, allowing the analyst to run commands to inspect running processes, command-line arguments, and parent process details in real time. This is the correct feature for deep forensic investigation of an active IOC on the VM.

Exam trap

The trap here is that candidates confuse Live Response with Vulnerability Assessment or Inventory, thinking those can provide process-level details, but only Live Response offers interactive, real-time forensic access to the VM's operating system.

How to eliminate wrong answers

Option A is wrong because Vulnerability Assessment identifies missing patches and misconfigurations, not real-time process details. Option C is wrong because Inventory of Resources lists VM metadata (name, location, tags) but does not provide live process-level data. Option D is wrong because Secure Score is a compliance and posture metric, not a tool for investigating active threats on a VM.

52
MCQmedium

A security administrator is configuring Microsoft Defender for Cloud's regulatory compliance dashboard. The organization needs to be compliant with the NIST SP 800-53 standard. Which built-in initiative should the administrator assign to the subscription to populate the dashboard with NIST controls?

A.Azure Security Benchmark
B.NIST SP 800-53 R5
C.CIS Microsoft Azure Foundations Benchmark
D.ISO 27001
AnswerB

This built-in initiative provides controls mapped to NIST SP 800-53.

Why this answer

The NIST SP 800-53 R5 built-in initiative is the correct choice because Microsoft Defender for Cloud includes a dedicated regulatory compliance policy initiative that maps directly to the NIST SP 800-53 standard's controls. Assigning this initiative to the subscription populates the regulatory compliance dashboard with the specific NIST controls and their compliance status, enabling the organization to track and report against that framework.

Exam trap

The trap here is that candidates often confuse the Azure Security Benchmark (a Microsoft best-practice framework) with a regulatory standard, assuming it covers NIST controls, when in fact it is a separate initiative that does not map to NIST SP 800-53.

How to eliminate wrong answers

Option A is wrong because the Azure Security Benchmark is a Microsoft-authored set of best practices for securing Azure workloads, not a regulatory standard like NIST SP 800-53, and it does not map to NIST controls. Option C is wrong because the CIS Microsoft Azure Foundations Benchmark is a community-driven benchmark for Azure configuration, not a NIST-specific standard, and its controls are unrelated to NIST SP 800-53. Option D is wrong because ISO 27001 is a separate international security standard with its own control set, and its built-in initiative would populate the dashboard with ISO controls, not NIST SP 800-53 controls.

53
MCQeasy

A company wants to protect Azure virtual machines from brute force attacks by allowing remote desktop protocol (RDP) access only when explicitly requested and approved. Which Microsoft Defender for Cloud feature should they enable?

A.Adaptive network hardening
B.Just-in-time VM access
C.File integrity monitoring
D.Security recommendations
AnswerB

JIT allows users to request temporary inbound access to VMs, reducing exposure to brute force and other attacks.

Why this answer

Just-in-time (JIT) VM access in Microsoft Defender for Cloud locks down inbound traffic to Azure VMs by default, opening RDP (port 3389) only when a user requests access and is approved via Azure AD and Azure Policy. This directly addresses the requirement to allow RDP only on explicit request and approval, mitigating brute force attacks by reducing the attack surface.

Exam trap

The trap here is that candidates confuse Adaptive network hardening (which also involves NSG rules) with JIT VM access, but Adaptive network hardening only recommends permanent rule changes based on traffic patterns, not temporary, approval-based port openings.

How to eliminate wrong answers

Option A is wrong because Adaptive network hardening uses machine learning to recommend NSG rules based on historical traffic patterns, but it does not provide on-demand, approved access control for specific ports like RDP. Option C is wrong because File integrity monitoring (FIM) tracks changes to critical files and registry keys, not network access control or RDP port management. Option D is wrong because Security recommendations are advisory outputs from Defender for Cloud (e.g., 'Enable JIT access'), not a feature that itself enforces time-bound RDP access.

54
MCQmedium

A security team needs to enforce that all Azure virtual machines have a specific custom script execution baseline (e.g., block PowerShell from executing scripts from the internet). They want to use Microsoft Defender for Cloud to continuously monitor and alert when a VM deviates from this baseline. Which feature should they use?

A.Just-In-Time VM Access (JIT)
B.Adaptive application controls
C.Regulatory compliance dashboard
D.File Integrity Monitoring (FIM)
AnswerB

This feature allows you to define allowlists and blocklists for applications and scripts, and alerts on any deviation, such as a PowerShell script from the internet being executed.

Why this answer

Adaptive application controls (AAC) in Microsoft Defender for Cloud allow you to define allowlists for applications and scripts that can run on your Azure VMs. The service uses machine learning to establish a baseline of allowed executables and scripts; once you configure that baseline to block PowerShell scripts from the internet, AAC continuously monitors for deviations, such as an unauthorized PowerShell script execution, and generates security alerts. This directly meets the requirement for continuous monitoring and alerting on custom script execution baselines.

Exam trap

The trap here is that candidates confuse File Integrity Monitoring (FIM) with script execution control, but FIM only monitors file and registry changes, not the execution behavior of scripts or applications.

How to eliminate wrong answers

Option A is wrong because Just-In-Time VM Access (JIT) controls network access to management ports (e.g., RDP, SSH) and does not monitor or enforce script execution policies. Option C is wrong because the Regulatory compliance dashboard tracks compliance against standards like ISO 27001 or PCI DSS, not custom script execution baselines. Option D is wrong because File Integrity Monitoring (FIM) monitors changes to registry keys and critical files (e.g., system binaries), not script execution behavior or PowerShell policies.

55
MCQmedium

A company uses Microsoft Defender for Cloud with enhanced security features enabled. The security team wants to view a consolidated list of all security recommendations across multiple Azure subscriptions in a single view. Which blade should they navigate to in the Microsoft Defender for Cloud portal?

A.Regulatory compliance
B.Security posture
C.Workload protections
D.Inventory
AnswerB

Correct. The Security posture blade consolidates all recommendations, secure score, and improvement actions across subscriptions.

Why this answer

The Security posture blade in Microsoft Defender for Cloud provides a consolidated view of all security recommendations across multiple Azure subscriptions, enabling the security team to assess and prioritize improvements. This blade aggregates recommendations from various security controls and displays them in a single, unified interface, directly addressing the requirement for a consolidated list.

Exam trap

The trap here is that candidates often confuse the Security posture blade with the Regulatory compliance blade, mistakenly thinking compliance views include all recommendations, whereas Regulatory compliance only shows recommendations mapped to specific compliance frameworks.

How to eliminate wrong answers

Option A is wrong because Regulatory compliance focuses on compliance standards (e.g., SOC 2, ISO 27001) and shows compliance posture against specific regulations, not a consolidated list of all security recommendations. Option C is wrong because Workload protections provides coverage and alerts for specific workload types (e.g., VMs, SQL servers) but does not aggregate all recommendations across subscriptions. Option D is wrong because Inventory lists all connected resources and their metadata, but it does not present security recommendations in a consolidated view.

56
MCQhard

A company has multiple Azure subscriptions under a management group. They want to ensure that all VMs across all subscriptions have Microsoft Defender for Cloud's vulnerability assessment solution (using the Microsoft Defender Vulnerability Management engine) enabled. They also want to automatically remediate any non-compliant VMs by enabling the VA solution when a VM is missing it. Which combination of policy initiatives and automation should they use?

A.Assign the 'Azure Security Benchmark' initiative at the management group, enable automatic remediation for the 'Vulnerability assessment should be enabled on your virtual machines' policy.
B.Assign the 'Defender for Cloud' initiative with the 'Configure machines to receive a vulnerability assessment provider' policy, and configure a remediation task with a deployment script.
C.Assign the 'Azure Security Benchmark' initiative and create an Azure Automation runbook triggered by a compliance alert to enable VA.
D.Assign the 'Configure machines to receive a vulnerability assessment provider' policy with 'DeployIfNotExists' effect and set it to auto-remediate at the management group-level scope.
AnswerD

This policy automatically deploys the vulnerability assessment solution to any VM that lacks it, and assigning at the management group covers all subscriptions.

Why this answer

Option D is correct because the 'Configure machines to receive a vulnerability assessment provider' policy with the 'DeployIfNotExists' effect directly deploys the Microsoft Defender Vulnerability Management (MDVM) extension to any VM that lacks it. By assigning this policy at the management group scope and enabling automatic remediation, the policy will automatically remediate non-compliant VMs without requiring additional runbooks or scripts, fulfilling both the detection and automatic remediation requirements.

Exam trap

The trap here is that candidates often confuse 'AuditIfNotExists' policies (which only report compliance) with 'DeployIfNotExists' policies (which can automatically remediate), leading them to choose options that rely on audit-only policies or external automation when a built-in deployment policy with auto-remediation is available.

How to eliminate wrong answers

Option A is wrong because the 'Azure Security Benchmark' initiative includes the 'Vulnerability assessment should be enabled on your virtual machines' policy with an 'AuditIfNotExists' effect, which only audits compliance and does not automatically enable the VA solution; automatic remediation for an audit policy is not supported. Option B is wrong because while the 'Defender for Cloud' initiative contains the correct policy, the suggestion to configure a remediation task with a deployment script is unnecessary and less reliable than using the built-in 'DeployIfNotExists' effect with auto-remediation, which directly deploys the required extension. Option C is wrong because creating an Azure Automation runbook triggered by a compliance alert introduces complexity and latency, and the 'Azure Security Benchmark' initiative's audit-only policy cannot trigger automatic remediation; the correct approach uses a 'DeployIfNotExists' policy with auto-remediation.

57
MCQmedium

A company uses Microsoft Defender for Cloud's Just-In-Time (JIT) VM access to secure its Azure virtual machines. A security analyst needs to grant a developer temporary RDP access to a specific VM for debugging purposes. Instead of using the default request approval flow, the analyst wants to configure an exemption so that the developer's access request never triggers a recommendation for that VM. Which action must the analyst perform?

A.Approve the access request once from the JIT blade and set a long expiration.
B.Add an exemption for the VM on the 'Management ports should be closed on just-in-time based virtual machines' recommendation.
C.Configure a custom Azure Policy to allow open management ports for that VM.
D.Disable the JIT solution for the entire subscription from the Defender for Cloud environment settings.
AnswerB

Correct. Exempting the VM from the recommendation disables JIT monitoring for that VM, allowing permanent open ports without alerts.

Why this answer

To prevent a specific VM from triggering a recommendation for open management ports, you must add an exemption directly on the 'Management ports should be closed on just-in-time based virtual machines' recommendation in Defender for Cloud. This exemption tells the recommendation engine to exclude that VM from compliance evaluation, so no alert or recommendation is generated for it. Approving a request with a long expiration does not suppress the underlying recommendation; it only grants temporary access.

Exam trap

The trap here is that candidates confuse 'approving a request with a long expiration' with 'exempting the VM from the recommendation,' not realizing that an exemption is a separate Azure Policy concept that permanently suppresses the recommendation for that resource.

How to eliminate wrong answers

Option A is wrong because approving a request with a long expiration still leaves the recommendation active and will continue to appear in the security recommendations list; it does not create an exemption. Option C is wrong because configuring a custom Azure Policy to allow open management ports would override the JIT policy but does not create an exemption on the specific recommendation; it would instead change the compliance state for all VMs under that policy scope, which is not the targeted exemption requested. Option D is wrong because disabling JIT for the entire subscription removes the protection from all VMs and is an overly broad action that does not meet the requirement to exempt only a single VM from the recommendation.

58
MCQeasy

A company manages multiple Azure subscriptions under a single management group. The security team wants to enable Microsoft Defender for Cloud's enhanced security features (e.g., Defender for Servers) for all subscriptions under that management group with minimal administrative effort. Which method should they use?

A.Enable the plans individually on each subscription
B.Enable the plans at the management group level
C.Use Azure Blueprints to assign the plans to each subscription
D.Create a custom Azure Policy that enforces the installation of the Log Analytics agent
AnswerB

Correct. Policy and plan assignments at the management group propagate to all child subscriptions.

Why this answer

Enabling Microsoft Defender for Cloud's enhanced security features at the management group level applies the plans to all current and future subscriptions under that management group with a single action, minimizing administrative effort. This is the most efficient method because Defender for Cloud supports inheritance of security policies and plans from the management group down to subscriptions, eliminating the need for per-subscription configuration.

Exam trap

The trap here is that candidates may think Azure Blueprints or custom policies are required for bulk enablement, but Defender for Cloud natively supports enabling plans at the management group level, which is the simplest and most direct method.

How to eliminate wrong answers

Option A is wrong because enabling plans individually on each subscription requires repeated manual effort and does not scale, failing the 'minimal administrative effort' requirement. Option C is wrong because Azure Blueprints are used for deploying consistent resource configurations (e.g., ARM templates, policies, role assignments) but cannot directly enable Defender for Cloud plans; they would require a custom policy or initiative to achieve this, which is more complex than enabling at the management group. Option D is wrong because creating a custom Azure Policy to enforce the Log Analytics agent installation does not enable Defender for Cloud's enhanced security features (e.g., Defender for Servers); it only ensures agent deployment, which is a prerequisite but not the same as enabling the security plan.

59
MCQeasy

A large organization manages multiple Azure subscriptions under a single management group. The security team wants to ensure that when new subscriptions are added to the management group, the Microsoft Defender for Cloud plans (e.g., Defender for Servers) are automatically enabled. What is the most efficient way to achieve this?

A.Assign the Azure Policy initiative 'Configure Azure Defender to be enabled on subscriptions' to the management group with appropriate policy parameters.
B.Enable all Microsoft Defender plans at the management group level in the Microsoft Defender for Cloud portal.
C.Manually enable the Defender plans on each new subscription as they are created.
D.Use an Azure Blueprint to assign the Defender plans to the subscription.
AnswerA

Correct. Azure Policy can be assigned at the management group scope to enforce Defender for Cloud plans across all subscriptions, including those created in the future. This ensures automatic compliance.

Why this answer

Option A is correct because assigning the built-in Azure Policy initiative 'Configure Azure Defender to be enabled on subscriptions' to the management group ensures that any new subscription added under that management group automatically inherits the policy. This initiative uses the DeployIfNotExists effect to enable the specified Defender plans (e.g., Defender for Servers) on subscriptions that do not already have them enabled, providing a fully automated, scalable solution without manual intervention.

Exam trap

The trap here is that candidates often confuse the 'Enable at management group level' portal setting (which only applies to existing subscriptions) with the automatic inheritance behavior of Azure Policy, leading them to choose Option B.

How to eliminate wrong answers

Option B is wrong because enabling Defender plans at the management group level in the Microsoft Defender for Cloud portal only applies to existing subscriptions under that management group; it does not automatically enable plans on newly added subscriptions. Option C is wrong because manually enabling Defender plans on each new subscription is inefficient, error-prone, and does not scale for a large organization with frequent subscription creation. Option D is wrong because Azure Blueprints are used to define and deploy a repeatable set of Azure resources and policies, but they require explicit assignment to each subscription and do not automatically propagate to new subscriptions added to the management group; Azure Policy is the native, more efficient mechanism for automatic inheritance.

60
MCQmedium

A security administrator needs to ensure that only approved applications can run on a set of Windows Server virtual machines. The administrator has already enabled Microsoft Defender for Cloud's enhanced security features. Which Defender for Cloud feature should the administrator configure to define a list of allowed applications and get alerts when unapproved applications are executed?

A.Adaptive Application Controls
B.File Integrity Monitoring (FIM)
C.Just-in-Time VM Access (JIT)
D.Vulnerability Assessment
AnswerA

Correct. Adaptive Application Controls learns typical application usage and creates an allowlist; alerts are generated when an application outside the allowlist runs.

Why this answer

Adaptive Application Controls (AAC) is the correct feature because it uses machine learning to establish a baseline of known-safe processes on your Windows Server VMs, then enforces an allowlist so that only those approved applications can run. When an unapproved application is executed, AAC generates a security alert in Microsoft Defender for Cloud, meeting the requirement to both define allowed applications and receive alerts on violations.

Exam trap

The trap here is that candidates confuse 'application control' with 'file integrity monitoring' because both deal with files, but FIM only alerts on changes to existing files, not on execution of new unapproved applications.

How to eliminate wrong answers

Option B (File Integrity Monitoring) is wrong because FIM monitors changes to critical files, registry keys, and software installations, but it does not enforce an application allowlist or alert on unapproved application execution; it focuses on integrity changes. Option C (Just-in-Time VM Access) is wrong because JIT controls network access to management ports (like RDP or SSH) by reducing exposure, not by controlling which applications can run on the VM. Option D (Vulnerability Assessment) is wrong because VA scans for known vulnerabilities and misconfigurations in the OS and applications, but it does not define or enforce an allowlist of approved applications.

61
MCQeasy

A security administrator needs to ensure that all newly provisioned Azure virtual machines automatically install the Microsoft Defender for Cloud agent (Log Analytics agent) to enable security monitoring. Which configuration should be enabled in Defender for Cloud?

A.Auto-provisioning of the Log Analytics agent
B.Enable the Defender for Servers plan
C.Configure a vulnerability assessment solution
D.Enable just-in-time (JIT) VM access
AnswerA

Correct. When enabled, Defender for Cloud automatically installs the agent on new and existing VMs.

Why this answer

Auto-provisioning of the Log Analytics agent in Microsoft Defender for Cloud automatically installs the Log Analytics agent (Microsoft Monitoring Agent) on all new Azure VMs. This ensures that security monitoring data, such as security events and syslog, is collected and sent to the Log Analytics workspace without manual intervention. The setting is found under 'Environment settings' > 'Auto provisioning' and must be toggled to 'On' for the agent to be deployed on newly provisioned VMs.

Exam trap

The trap here is that candidates confuse 'enabling the Defender for Servers plan' with automatic agent deployment, but the plan only enables threat detection capabilities and does not handle the agent installation process.

How to eliminate wrong answers

Option B is wrong because enabling the Defender for Servers plan activates advanced threat protection features (e.g., fileless attack detection, network-based detection) but does not automatically install the Log Analytics agent; the agent must be deployed separately or via auto-provisioning. Option C is wrong because configuring a vulnerability assessment solution (e.g., Qualys or Microsoft Defender Vulnerability Management) scans for software vulnerabilities but does not handle agent deployment for general security event collection. Option D is wrong because enabling just-in-time (JIT) VM access controls network access to management ports (e.g., RDP/SSH) and has no role in installing the Log Analytics agent for monitoring.

62
MCQmedium

A company uses Microsoft Defender for Cloud to protect an Azure Kubernetes Service (AKS) cluster. The security team wants to receive security alerts about suspicious activities within the cluster, such as a container running with root privileges or attempts to read sensitive host paths. Which Defender for Cloud plan must be enabled to generate these alerts?

A.Defender for Servers
B.Defender for Containers
C.Defender for Cloud Apps
D.Defender for SQL
AnswerB

Defender for Containers provides threat detection and alerts for AKS clusters, including runtime behaviors.

Why this answer

Defender for Containers is the specific plan that provides threat detection for Azure Kubernetes Service (AKS) clusters, including alerts for suspicious activities such as containers running with root privileges or attempts to read sensitive host paths. This plan monitors the Kubernetes control plane and container runtime to generate security alerts based on Kubernetes audit logs and container-specific signals.

Exam trap

The trap here is that candidates often confuse Defender for Servers with container protection because they think containers run on servers, but Defender for Servers does not monitor Kubernetes audit logs or container runtime activities, which are essential for detecting the described alerts.

How to eliminate wrong answers

Option A is wrong because Defender for Servers is designed to protect virtual machines and on-premises servers, not container orchestration platforms like AKS; it does not ingest Kubernetes audit logs or container runtime events. Option C is wrong because Defender for Cloud Apps is a cloud access security broker (CASB) that focuses on SaaS application usage and shadow IT, not on container or Kubernetes-level threats. Option D is wrong because Defender for SQL is dedicated to protecting Azure SQL databases and SQL servers, providing alerts for SQL injection and database anomalies, not for container or Kubernetes security events.

63
Matchingmedium

Match each incident severity level to its description in Microsoft 365 Defender.


No impact, but may indicate an issue

Minimal impact, likely false positive

Potential impact, requires investigation

Significant impact, immediate action needed

Widespread impact, urgent response required

Why these pairings

Severity levels help prioritize incident response.

64
MCQhard

A large enterprise uses Microsoft Defender for Cloud with the integrated Microsoft Defender Vulnerability Management solution enabled for all servers. The security team wants to identify all virtual machines that have not been scanned for vulnerabilities in the last 7 days. They plan to use Azure Resource Graph (ARG) to generate a report. Which KQL query would correctly identify these machines?

A.securityresources | where type =~ 'microsoft.security/assessments' and name == '4da3e7e8-0e4b-4c5e-8e0a-7e8f4e8e4e8e' | where properties.status.code == 'Unhealthy' and properties.status.firstEvaluationDate < ago(7d)
B.resources | where type =~ 'microsoft.compute/virtualmachines' | where properties.storageProfile.osDisk.managedDisk.id != ''
C.securityresources | where type =~ 'microsoft.security/regulatorycompliancestandards'
D.resources | where type =~ 'microsoft.security/securitystatuses'
AnswerA

This query filters for the specific vulnerability assessment and checks if the last scan (firstEvaluationDate) is older than 7 days or not present.

Why this answer

Option A is correct because it queries the `securityresources` table for the specific vulnerability assessment type (`microsoft.security/assessments`) and filters for the vulnerability assessment result named with the GUID `4da3e7e8-0e4b-4c5e-8e0a-7e8f4e8e4e8e`, which corresponds to the 'Vulnerabilities in your virtual machines should be remediated' assessment. It then checks that the status code is 'Unhealthy' (indicating vulnerabilities were found) and that the `firstEvaluationDate` is older than 7 days, which identifies machines that have not been scanned recently.

Exam trap

The trap here is that candidates often confuse the `firstEvaluationDate` with the last scan time, but in this context, an outdated `firstEvaluationDate` on an 'Unhealthy' assessment correctly identifies machines that have not been rescanned recently, whereas a healthy assessment would have been updated more frequently.

How to eliminate wrong answers

Option B is wrong because it queries the `resources` table for virtual machines with a managed disk, which does not relate to vulnerability scanning recency at all. Option C is wrong because it queries `microsoft.security/regulatorycompliancestandards`, which tracks compliance with regulatory standards (e.g., ISO, NIST) and not vulnerability scan status. Option D is wrong because `microsoft.security/securitystatuses` is a deprecated table that does not contain vulnerability assessment scan timestamps or the specific assessment results needed for this query.

65
MCQmedium

A cloud security administrator receives an alert from Microsoft Defender for Cloud indicating that a virtual machine has been compromised. The administrator wants to quickly isolate the VM from the network to prevent further spread while preserving the disk for forensic analysis. Which action should the administrator take?

A.Apply a just-in-time (JIT) access policy to the VM.
B.Use the "Isolate VM" action in the security alert.
C.Enable the Azure Security Benchmark initiative for the VM.
D.Configure a custom Azure Policy to deny network access.
AnswerB

This action isolates the VM from the network while preserving the disk.

Why this answer

The 'Isolate VM' action in Microsoft Defender for Cloud is designed for compromised VMs. It applies a network security group (NSG) rule that denies all inbound and outbound traffic to the VM, quarantining it from the network while leaving the disk untouched for forensic analysis. It is the fastest and most direct way to contain the threat without altering the VM's configuration or disk state; in practice, pair it with a snapshot of the OS and data disks taken before any remediation, so the evidence is captured in its state at containment.

Exam trap

The trap here is that candidates confuse Just-In-Time (JIT) access with network isolation, mistakenly thinking restricting management ports is sufficient to contain a compromise, when in fact JIT does not block lateral movement or outbound malicious traffic.

How to eliminate wrong answers

Option A is wrong because Just-In-Time (JIT) access policy controls inbound RDP/SSH access via NSG rules but does not isolate the VM from all network traffic; it only restricts management ports, leaving other traffic and outbound connections active. Option C is wrong because enabling the Azure Security Benchmark initiative applies compliance policies and recommendations, not an immediate network isolation action; it is a long-term governance framework, not a response to an active compromise. Option D is wrong because configuring a custom Azure Policy to deny network access is a declarative, non-immediate control that requires policy assignment and evaluation cycles, and it does not provide the real-time, one-click isolation needed during an active incident.

66
MCQeasy

A security administrator wants to ensure that all Azure virtual machines have automatic provisioning of the Log Analytics agent enabled by default in Microsoft Defender for Cloud. Where should this configuration be set?

A.In the Azure portal under each virtual machine's 'Extensions + applications' blade
B.In Microsoft Defender for Cloud, under 'Environment settings' > 'Data collection'
C.In Microsoft Sentinel, under 'Data connectors' for Defender for Cloud
D.In Azure Policy, by assigning the 'Deploy Log Analytics agent' initiative
AnswerB

This is where you enable auto-provisioning for the Log Analytics agent across all subscriptions.

Why this answer

Option B is correct because the automatic provisioning of the Log Analytics agent for all Azure virtual machines in Defender for Cloud is configured under 'Environment settings' > 'Data collection'. This setting enables Defender for Cloud to automatically deploy the Log Analytics agent to new and existing VMs, ensuring security monitoring without manual intervention.

Exam trap

The trap here is that candidates often confuse the centralized 'Data collection' setting in Defender for Cloud with per-VM manual extension installation (Option A) or with Azure Policy assignments (Option D), not realizing that Defender for Cloud provides a built-in toggle to enable automatic provisioning across all VMs in a subscription.

How to eliminate wrong answers

Option A is wrong because the 'Extensions + applications' blade on each VM only allows manual installation of the Log Analytics agent on that one VM, not a default, automated provisioning for all VMs. Option C is wrong because Microsoft Sentinel's 'Data connectors' entry for Defender for Cloud ingests security alerts and events from Defender for Cloud into Sentinel; it does not configure agent provisioning. Option D is wrong because an Azure Policy initiative can deploy the agent, but it is a separate governance mechanism; the question asks where the default is configured inside Defender for Cloud itself, which is the 'Data collection' setting under 'Environment settings'.

67
MCQhard

A company uses Microsoft Defender for Cloud with enhanced security features enabled. They have an Azure subscription with many VMs that are all protected by Defender for Servers. The security team wants to identify VMs that have not had a vulnerability assessment scan in the last 7 days. The integrated vulnerability assessment (Microsoft Defender Vulnerability Management) is enabled. Which KQL query in Azure Resource Graph or Log Analytics can achieve this?

A.securityresources | where type == 'microsoft.security/assessments' | summarize arg_max(properties.status.severity, properties.timeGenerated) by id
B.securityresources | where type == 'microsoft.security/assessments' and properties.displayName == 'Vulnerability assessment solution should be enabled on your virtual machines' and properties.status.code == 'Healthy' | project id, properties.timeGenerated | where properties.timeGenerated < ago(7d)
C.resources | where type == 'microsoft.compute/virtualmachines' | join kind=leftouter (securityresources) on $left.id == $right.id
D.operationalinsights | where TimeGenerated < ago(7d)
AnswerB

This assessment shows 'Healthy' when the VA solution is installed and running, and the query treats `properties.timeGenerated` as the time of the last evaluation. Filtering for values older than 7 days identifies VMs that have not been evaluated recently.

Why this answer

Option B is correct because it queries the 'securityresources' table in Azure Resource Graph for assessments where the display name matches 'Vulnerability assessment solution should be enabled on your virtual machines' and the status code is 'Healthy'. A 'Healthy' status indicates the assessment passed, meaning a scan occurred within the configured period. By filtering for 'properties.timeGenerated < ago(7d)', it identifies VMs where the last scan was more than 7 days ago, directly meeting the requirement.

Exam trap

The trap here is that candidates read 'Healthy' as 'scanned recently' and omit the time filter `ago(7d)`, or they filter on 'Unhealthy' believing it means 'no scan'. 'Unhealthy' means the assessment failed or the solution is missing, which catches VMs that never had a scan but not VMs whose last scan is simply older than 7 days.

How to eliminate wrong answers

Option A is wrong because `summarize arg_max(properties.status.severity, properties.timeGenerated) by id` returns, per resource, the row with the highest severity value and its timestamp; it does not select the vulnerability assessment and applies no 7-day window. Option C is wrong because a left outer join of every `microsoft.compute/virtualmachines` resource against `securityresources` returns all VMs regardless of scan status and filters on neither assessment type nor time. Option D is wrong because `operationalinsights` is not a table in Azure Resource Graph; workspace data such as `Heartbeat` is queried in Log Analytics, not Resource Graph, and the query references neither vulnerability assessments nor VMs.
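A fuller version of the Resource Graph query that questions 64 and 67 are testing, added here as an example and not taken from the quiz. It uses the two timestamps the assessment status actually carries, `firstEvaluationDate` and `statusChangeDate`, joins back to the VM inventory, and reports how long each unhealthy machine has gone without a status change. The display names it matches on and the 7-day threshold are assumptions to adjust for your tenant.

```kql
// Added example, not the quiz's own query: which VMs have carried an unhealthy
// vulnerability assessment without any status change in the last 7 days.
securityresources
| where type == "microsoft.security/assessments"
| extend displayName = tostring(properties.displayName),
         statusCode = tostring(properties.status.code),
         // firstEvaluationDate: when Defender for Cloud first evaluated this resource
         firstEvaluationDate = todatetime(properties.status.firstEvaluationDate),
         // statusChangeDate: last time the status code flipped (e.g. Unhealthy -> Healthy)
         statusChangeDate = todatetime(properties.status.statusChangeDate),
         resourceId = tolower(tostring(properties.resourceDetails.Id))
// Assumption: the VA findings assessment has been renamed over time; match both names
| where displayName in ("Machines should have vulnerability findings resolved",
                        "Vulnerabilities in your virtual machines should be remediated")
| where statusCode == "Unhealthy"
| where isnull(statusChangeDate) or statusChangeDate < ago(7d)   // assumption: 7-day threshold
| extend daysUnchanged = datetime_diff("day", now(), statusChangeDate)
| join kind=inner (
    resources
    | where type == "microsoft.compute/virtualmachines"
    | project vmName = name, resourceId = tolower(id)
  ) on resourceId
| project vmName, subscriptionId, resourceGroup, statusCode,
          firstEvaluationDate, statusChangeDate, daysUnchanged
| order by daysUnchanged desc
```

Neither timestamp is a scan time. A machine that is rescanned and still has findings keeps its 'Unhealthy' code and its old `statusChangeDate`, so this query is a triage list of machines that have not been cleared in a week, not proof that no scan ran; for per-finding freshness, drill into `microsoft.security/assessments/subassessments` for the same resource.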

68
MCQeasy

A company uses Microsoft Defender for Cloud to protect Azure virtual machines. The security team wants to identify which VMs have missing system updates such as critical security patches. Which Defender for Cloud feature should they use?

A.Adaptive application controls
B.Just-in-time VM access
C.Vulnerability assessment
D.File integrity monitoring
AnswerC

Vulnerability assessment scans VMs for known vulnerabilities, including missing security updates and misconfigurations, making it the correct choice.

Why this answer

Vulnerability assessment in Microsoft Defender for Cloud scans Azure VMs for missing system updates, including critical security patches, through the integrated scanner (Microsoft Defender Vulnerability Management; the earlier Qualys-based built-in scanner has been retired) or a partner solution. It gives a continuous view of OS and application vulnerabilities, which is exactly what identifying VMs with missing patches requires.

Exam trap

The trap here is confusing vulnerability assessment (which identifies missing patches and misconfigurations) with adaptive application controls (which restricts application execution) or file integrity monitoring (which detects file changes), leading candidates to pick a feature that addresses a different security control objective.

How to eliminate wrong answers

Option A is wrong because Adaptive application controls use machine learning to define allowlists for applications running on VMs, focusing on controlling which executables can run, not on identifying missing system updates. Option B is wrong because Just-in-time VM access reduces the attack surface by managing inbound network access to VMs on specific ports, but it does not scan for missing patches or vulnerabilities. Option D is wrong because File integrity monitoring tracks changes to critical system files and registry keys, alerting on unauthorized modifications, but it does not assess the state of system updates or patch levels.

69
MCQeasy

A company has enabled Microsoft Defender for Cloud on its Azure subscription. The security team wants to ensure that all existing virtual machines have a vulnerability assessment solution installed. Which Defender for Cloud feature can automatically deploy a vulnerability assessment agent to supported VMs?

A.Vulnerability assessment recommendations
B.Defender for Servers plan
C.Security policies
D.Workload protections
AnswerA

These recommendations allow automatic deployment of vulnerability assessment agents to VMs as part of remediation steps.

Why this answer

The Vulnerability Assessment (VA) recommendations in Microsoft Defender for Cloud can deploy a vulnerability assessment solution (the Microsoft Defender Vulnerability Management integration, or historically the Qualys agent) to supported Azure VMs. When a VM is found to be missing a VA solution, enabling 'Auto-provision' on that recommendation, or using its 'Fix' action on the listed resources, triggers the deployment without manual steps on each machine. This directly meets the requirement to ensure all existing VMs have a vulnerability assessment solution installed.

Exam trap

The trap here is that candidates often confuse the 'Defender for Servers plan' (which enables the feature set) with the actual automated deployment mechanism, assuming the plan itself installs agents, when in fact the deployment is triggered by enabling the 'Auto-provision' setting on the specific vulnerability assessment recommendation.

How to eliminate wrong answers

Option B is wrong because the Defender for Servers plan enables advanced security capabilities (e.g., file integrity monitoring, just-in-time VM access, and adaptive application controls) but does not itself automatically deploy a vulnerability assessment agent; it only makes the VA recommendations available. Option C is wrong because security policies define the compliance rules and initiatives (e.g., Azure Policy) that govern resource configurations, but they do not directly deploy agents; they can enforce the VA recommendation but the deployment action is handled by the recommendation's auto-provision feature. Option D is wrong because workload protections refer to the set of threat detection alerts and security signals for workloads (e.g., SQL, storage, containers), not the automated deployment of vulnerability assessment agents to VMs.

70
MCQmedium

A cloud security team uses Microsoft Defender for Cloud with Defender for Servers enabled. They want to ensure that all Azure virtual machines have automatic provisioning of the Log Analytics agent (or its successor, the Azure Monitor Agent) turned on. Where should this configuration be set to cover existing and future VMs?

A.In Microsoft Defender for Cloud > Environment settings > Select subscription > Settings & monitoring > Log Analytics agent for Azure VMs > Set to 'On'
B.In Azure Policy > Assign a policy that deploys the Log Analytics agent to VMs
C.In Microsoft Defender for Cloud > Security policy > Data collection
D.In Azure virtual machine blade > Auto-provisioning
AnswerA

This is the correct location to enable automatic provisioning of the Log Analytics agent for all current and future VMs in the subscription.

Why this answer

Option A is correct because the 'Settings & monitoring' pane under Environment settings in Microsoft Defender for Cloud is the centralized, subscription-level location for agent auto-provisioning; it carries the toggles for the Log Analytics agent and for its successor, the Azure Monitor Agent. Turning a toggle on makes Defender for Cloud deploy that agent to existing VMs and to any VM created later in the subscription, without per-VM configuration or a manually assigned policy. The Log Analytics agent itself has since reached end of support, so new deployments rely on the Azure Monitor Agent or agentless collection, but the location of the toggle is what the question tests.

Exam trap

The trap here is that candidates often confuse the deprecated 'Data collection' option under Security policy (Option C) with the current 'Settings & monitoring' pane, or they assume that Azure Policy (Option B) is the only way to enforce agent deployment, missing the built-in auto-provisioning toggle in Defender for Cloud.

How to eliminate wrong answers

Option B is wrong because Azure Policy can deploy the agent, but it is not Defender for Cloud's native auto-provisioning mechanism; a separate assignment adds management overhead and is not reflected in Defender for Cloud's monitoring settings. Option C is wrong because 'Security policy > Data collection' is a legacy location that no longer controls agent auto-provisioning; the current toggles for both the Log Analytics agent (the Microsoft Monitoring Agent) and the Azure Monitor Agent live under 'Settings & monitoring'. Option D is wrong because the virtual machine blade has no 'Auto-provisioning' setting; auto-provisioning is configured at the subscription level in Defender for Cloud, not per VM.

71
MCQhard

A security operations team uses Microsoft Defender for Cloud and Microsoft Sentinel. They want to automatically suppress low-severity security recommendations that are older than 90 days for a specific resource group. Which combination of tools should they use?

A.Use Azure Policy to exempt the resource group from policy evaluation
B.Use a Microsoft Sentinel automation rule to close incidents
C.Use a suppression rule in Defender for Cloud to suppress specific recommendations
D.Use an Azure Blueprint to ignore recommendations
AnswerC

Suppression rules in Defender for Cloud allow you to ignore recommendations based on criteria like severity, resource scope, and time. You can create a rule for low-severity recommendations older than 90 days for the resource group.

Why this answer

Option C is correct because Defender for Cloud includes native suppression rules that can automatically dismiss low-severity recommendations based on criteria such as age (older than 90 days) and scope (a specific resource group). This is the built-in mechanism inside Defender for Cloud for silencing that noise without altering the underlying security posture or requiring external automation.

Exam trap

The trap here is that candidates confuse Defender for Cloud suppression rules with Azure Policy exemptions or Sentinel automation rules, failing to recognize that recommendation suppression is a dedicated feature within Defender for Cloud's own settings, not a cross-service configuration.

How to eliminate wrong answers

Option A is wrong because Azure Policy exemptions remove policy compliance requirements but do not suppress Defender for Cloud recommendations; recommendations are generated by the security engine independently of policy evaluation. Option B is wrong because Microsoft Sentinel automation rules close incidents in Sentinel, not recommendations in Defender for Cloud; these are separate products with distinct data planes. Option D is wrong because Azure Blueprints are used for environment orchestration and compliance, not for suppressing or ignoring security recommendations; they have no mechanism to filter Defender for Cloud recommendations.

72
MCQhard

A company uses Microsoft Defender for Cloud with Defender for Servers enabled. The security team wants to receive an alert when a new user is added to the local Administrators group on a Windows virtual machine. Which data source must be enabled in Defender for Cloud to capture this event?

A.Enable the collection of Windows Security Event Log events (e.g., Event ID 4732) through the Log Analytics agent configuration.
B.Enable Just-in-Time (JIT) VM access on the virtual machine.
C.Enable Adaptive Application Controls (AAC) for the virtual machine.
D.Enable Azure Defender for SQL on the subscription.
AnswerA

Correct. Local group changes are captured via Windows security event 4732. To get this into Defender for Cloud, you must ensure the Log Analytics agent is collecting security events and that the required audit policies are in place.

Why this answer

Option A is correct because adding a member to a security-enabled local group, such as Administrators, is logged as Windows Security Event ID 4732, and that event is written only when the 'Audit Security Group Management' subcategory (Account Management category) is enabled on the machine. To capture it in Defender for Cloud, the Log Analytics agent must be configured to collect Windows Security Event Log events at a level that includes Event ID 4732. With that data source in place, Defender for Cloud can generate security alerts on privileged group modifications.

Exam trap

The trap here is that candidates may confuse data collection sources (e.g., JIT, AAC, or SQL Defender) with the specific Windows Security Event Log required to detect local group membership changes, assuming any security control can generate the alert.

How to eliminate wrong answers

Option B is wrong because Just-in-Time (JIT) VM access controls network access to management ports (e.g., RDP, SSH) and does not capture local group membership changes. Option C is wrong because Adaptive Application Controls (AAC) define allowlists for running applications on VMs and do not monitor or alert on user account modifications. Option D is wrong because Azure Defender for SQL is a plan for securing SQL databases and servers, not for monitoring local user group changes on Windows VMs.
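The detection side of the data source named in the correct answer, added as an example that is not part of the quiz: a Log Analytics query over the `SecurityEvent` table that surfaces who added which SID to the local Administrators group on which machine. It assumes the agent's security event collection includes Event ID 4732 (the 'Common' event set does) and that the 'Audit Security Group Management' subcategory is enabled on the VMs; without that audit policy no 4732 is written, so there is nothing to collect.

```kql
// Added example, not from the quiz: additions to the local Administrators group
// seen in Windows Security events collected into a Log Analytics workspace.
// Assumptions: 4732 is within the collected event set, and the
// "Audit Security Group Management" subcategory is enabled on the VMs.
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4732                        // member added to a security-enabled local group
| where TargetUserName =~ "Administrators"     // for 4732 the group is the "target"
| project TimeGenerated, Computer,
          Actor = strcat(SubjectDomainName, "\\", SubjectUserName),
          MemberSid,                           // 4732 reliably records the SID ...
          MemberName,                          // ... while the account name is often "-"
          SubjectLogonId                       // ties the change to the actor's logon session
| summarize Additions = count(),
            Members = make_set(MemberSid),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Computer, Actor
| order by LastSeen desc
```

The `MemberName` column is projected mainly to show why the SID is the field to key on: for local group changes Windows frequently writes "-" for the member's account name, so a rule that matches on name alone misses the event. The `SubjectLogonId` lets an analyst pivot to the 4624 logon that started the session in which the change was made.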

73
MCQeasy

A security administrator wants to enable Microsoft Defender for Cloud on all Azure subscriptions to generate security alerts for resources. What is the minimum configuration required on a subscription?

A.Assign Azure Policy to enable Defender for Cloud plans on the subscription
B.Enable enhanced security features on the subscription
C.Install the Azure Monitor Agent on all virtual machines in the subscription
D.Enable Microsoft Defender for Cloud at the management group level only
AnswerB

Enabling enhanced security features (Standard tier) is the minimum requirement to start receiving security alerts for all supported resources.

Why this answer

Option B is correct because enabling enhanced security features (now called Defender for Cloud plans) on a subscription is the minimum configuration required to generate security alerts. This action activates the Defender for Cloud workload protection plans (e.g., Defender for Servers, Defender for SQL) that provide threat detection and alerts for resources within that subscription. Without this step, the subscription remains in the free tier, which only offers basic security assessments and recommendations, not security alerts.

Exam trap

The trap here is that candidates often confuse enabling Defender for Cloud plans (the minimum requirement for alerts) with deploying agents or assigning policies, which are additional steps for enhanced coverage or governance, not the baseline configuration.

How to eliminate wrong answers

Option A is wrong because assigning an Azure Policy to enable Defender for Cloud plans is not the minimum configuration; it is a governance method to enforce the plans across multiple subscriptions, but the plans themselves must first be enabled at the subscription level. Option C is wrong because installing the Azure Monitor Agent on all virtual machines is not required for generating security alerts from Defender for Cloud; alerts can be generated from platform-level telemetry and other data sources without the agent, though the agent enhances detection for certain workloads. Option D is wrong because enabling Defender for Cloud at the management group level only does not automatically enable it on individual subscriptions; each subscription must have the plans enabled to generate alerts, and management group inheritance applies to policy assignments, not the enabling of security plans.

74
MCQhard

An organization manages multiple Azure subscriptions under a single management group. They want to automatically enable Microsoft Defender for Cloud's enhanced security plans (e.g., Defender for Servers) on any new subscription added to the management group. Which configuration method should they use?

A.Create an Azure Policy that assigns the Defender for Cloud pricing tier at the management group level
B.Enable auto-provisioning in Defender for Cloud's settings
C.Use Azure Blueprints to define the subscription configurations
D.Manually enable plans per subscription as they are added
AnswerA

Azure Policy can enforce the 'Pricing tier' setting at a scope. When new subscriptions are added under the management group, they automatically get the policy and the plan is enabled.

Why this answer

Option A is correct because Azure Policy can be assigned at the management group scope with a DeployIfNotExists policy such as the built-in 'Configure Microsoft Defender for Servers to be enabled', which sets the pricing tier to Standard on every subscription in scope. A subscription added to the management group later inherits the assignment and is remediated on evaluation, so the plan is enabled without manual intervention. Two practical requirements: the assignment needs a managed identity with rights to change the pricing tier, and subscriptions that were already non-compliant when the policy was assigned are fixed only by running a remediation task.

Exam trap

The trap here is that candidates often confuse auto-provisioning (which installs agents) with policy-based enforcement of pricing tiers, leading them to select Option B instead of recognizing that Azure Policy at the management group level is the correct method for automatic, scalable plan activation.

How to eliminate wrong answers

Option B is wrong because auto-provisioning in Defender for Cloud's settings installs agents and extensions (for example the Log Analytics agent) on VMs in a subscription; it does not activate enhanced security plans, and it does nothing for subscriptions that are not yet onboarded. Option C is wrong because Azure Blueprints can define subscription configurations, but they require explicit assignment to each subscription and do not automatically apply to new subscriptions added to a management group; Azure Policy is the native tool for continuous compliance enforcement. Option D is wrong because manually enabling plans per subscription is not scalable and contradicts the requirement for automatic enablement on new subscriptions.
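A verification query for questions 73 and 74, added as an example rather than taken from the quiz: whether the plan was enabled by hand or by a management-group policy, the pricing resource is what records the result, so this Resource Graph query lists the Defender for Servers tier for every subscription the caller can see. The `subPlan` property (P1/P2) is an assumption worth checking against your own tenant's output.

```kql
// Added example, not from the quiz: Defender for Servers plan state per subscription.
// A policy that is supposed to enable the plan should leave no "Free" rows here.
securityresources
| where type == "microsoft.security/pricings"
| where name == "VirtualMachines"                          // pricing resource for Defender for Servers
| extend pricingTier = tostring(properties.pricingTier),   // "Standard" = plan on, "Free" = off
         subPlan = tostring(properties.subPlan)            // assumption: "P1" / "P2" when set
| join kind=leftouter (
    resourcecontainers
    | where type == "microsoft.resources/subscriptions"
    | project subscriptionId, subscriptionName = name
  ) on subscriptionId
| project subscriptionName, subscriptionId, pricingTier, subPlan
| order by pricingTier asc, subscriptionName asc
```

Because Resource Graph only returns subscriptions the caller has read access to, run this with an identity scoped at the management group; a subscription missing from the output is a permissions gap, not evidence that the plan is on.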

75
MCQmedium

An organization uses Microsoft Defender for Cloud and needs to track compliance with internal security policies that are not covered by any built-in regulatory standard. They want to see the compliance status for these internal controls in the Regulatory Compliance dashboard alongside other standards. What should they configure?

A.Create a custom Azure Policy initiative with the required controls and assign it to the relevant scopes.
B.Create a custom assessment in the Microsoft Defender for Cloud recommendations dashboard.
C.Use the Secure Score API to develop a custom dashboard outside Defender for Cloud.
D.Enable the "Custom compliance" feature in Defender for Cloud's pricing tier.
AnswerA

A custom Azure Policy initiative assigned to the subscription or management group will appear in the Regulatory Compliance dashboard, allowing tracking of internal controls.

Why this answer

To track compliance with internal security policies not covered by built-in regulatory standards, you must create a custom Azure Policy initiative that defines the required controls and assign it to the relevant scopes. Defender for Cloud automatically evaluates resources against assigned initiatives and surfaces the compliance status in the Regulatory Compliance dashboard alongside built-in standards, allowing unified visibility.

Exam trap

The trap here is that candidates confuse custom assessments in the recommendations dashboard with custom compliance controls, not realizing that only custom Azure Policy initiatives are surfaced in the Regulatory Compliance dashboard.

How to eliminate wrong answers

Option B is wrong because creating a custom assessment in the recommendations dashboard only adds a security recommendation, not a compliance control that appears in the Regulatory Compliance dashboard; it does not integrate with the compliance framework. Option C is wrong because using the Secure Score API to develop a custom dashboard outside Defender for Cloud bypasses the Regulatory Compliance dashboard entirely, failing to meet the requirement of seeing compliance status alongside other standards within Defender for Cloud. Option D is wrong because there is no 'Custom compliance' feature in Defender for Cloud's pricing tier; the pricing tier controls features like cloud security posture management (CSPM) but does not enable custom compliance tracking.
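A check for question 75, added as an example and not from the quiz: once the custom initiative has been assigned and Defender for Cloud has evaluated it, it appears as a standard in `microsoft.security/regulatorycompliancestandards`, the same resource type question 64's Option C refers to, with the control counts the dashboard draws. The standard name in the commented filter is hypothetical.

```kql
// Added example, not from the quiz: every standard on the Regulatory Compliance
// dashboard with its passed/failed/skipped control counts, per subscription.
securityresources
| where type == "microsoft.security/regulatorycompliancestandards"
| extend standard = tostring(name),
         state = tostring(properties.state),               // Passed / Failed / Skipped / Unsupported
         passed = toint(properties.passedControls),
         failed = toint(properties.failedControls),
         skipped = toint(properties.skippedControls)
| extend assessed = passed + failed                         // controls that actually produced a result
// | where standard =~ "Internal-Security-Controls"          // hypothetical custom standard name
| project subscriptionId, standard, state, passed, failed, skipped, assessed
| order by failed desc, standard asc
```

If the custom initiative is assigned but does not show up here, it was assigned through Azure Policy alone; add it from Defender for Cloud's security policy page so the service registers it as a custom standard, then allow time for the next evaluation cycle before re-running the query.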
