CCNA Mitigate Threats Using Microsoft Defender For Cloud Questions

29 of 104 questions · Page 2/2 · Mitigate Threats Using Microsoft Defender For Cloud topic

76 · MCQ · medium

A company uses Microsoft Defender for Cloud with enhanced security features enabled. They recently deployed a new Azure Kubernetes Service (AKS) cluster and want to ensure it is protected by Defender for Containers. What must they do to enable protection?

A. Enable the Defender for Containers plan for the subscription in Defender for Cloud.
B. Install the Microsoft Defender for Cloud agent on the AKS nodes.
C. Create a Log Analytics workspace and connect AKS to it.
D. Enable Azure Policy for AKS.

Answer: A

This enables the workload protection plan for containers, which automatically covers AKS clusters in the subscription.

Why this answer

Defender for Containers is a plan-level feature in Microsoft Defender for Cloud that must be enabled at the subscription level. Once enabled, it automatically discovers and protects AKS clusters without requiring any manual agent installation on nodes, as it uses the Defender sensor deployed by AKS itself. This is the only action needed to enable protection for the new AKS cluster.

Exam trap

The trap here is that candidates often assume agent installation or Log Analytics workspace configuration is necessary for container protection, but Defender for Containers is a subscription-level plan that automatically provisions the required sensor without manual node-level setup.

How to eliminate wrong answers

Option B is wrong because Defender for Containers does not require installing the Microsoft Defender for Cloud agent on AKS nodes; it uses a dedicated Defender sensor that is automatically deployed by the AKS integration. Option C is wrong because a Log Analytics workspace is not a prerequisite for Defender for Containers; while logs can be collected, the plan works independently of Log Analytics. Option D is wrong because enabling Azure Policy for AKS is not required to enable Defender for Containers; Azure Policy can be used for compliance and governance but is separate from the Defender plan activation.

77 · MCQ · hard

A security engineer is configuring Microsoft Defender for Cloud in a hybrid environment that includes on-premises servers connected via Azure Arc. The engineer wants to enable the Defender for Cloud plans for servers (including vulnerability assessment) on all Azure Arc-enabled machines. What is the correct method to deploy the Log Analytics agent (or Azure Monitor Agent) and the Microsoft Defender for Endpoint (MDE) integration?

A. Manually install the agents on each server via Group Policy.
B. Enable Azure Policy 'Configure Azure Arc machines to run Azure Monitor Agent' with a DeployIfNotExists policy that also installs the MDE extension.
C. Use Azure Automation Update Management to deploy agents.
D. Enable the 'Log Analytics agent for Windows' extension on each Arc machine via Azure Arc management.

Answer: B

This policy automatically deploys the required agents and extensions to all Azure Arc machines, ensuring compliance at scale.

Why this answer

Option B is correct because it leverages Azure Policy with a DeployIfNotExists effect to automatically deploy the Azure Monitor Agent (AMA) and the Microsoft Defender for Endpoint (MDE) extension on Azure Arc-enabled servers. This ensures compliance at scale without manual intervention, and it is the recommended method in Defender for Cloud for hybrid machines. The policy also handles the vulnerability assessment integration by enabling the Defender for Cloud plans for servers.

Exam trap

The trap here is that candidates often assume manual agent installation (Option A) or Update Management (Option C) are valid for Defender for Cloud integration, but the exam tests the understanding that Azure Policy is the only scalable, compliant method to deploy both AMA and MDE extensions on Arc machines while enabling Defender for Cloud plans automatically.

How to eliminate wrong answers

Option A is wrong because manually installing agents via Group Policy does not integrate with Defender for Cloud's centralized management, nor does it automatically enable the MDE extension or vulnerability assessment; it also lacks the scalability and compliance enforcement of Azure Policy. Option C is wrong because Azure Automation Update Management is designed for patching and update orchestration, not for deploying agents or extensions; it cannot install the MDE extension or enable Defender for Cloud plans. Option D is wrong because enabling the 'Log Analytics agent for Windows' extension manually via Azure Arc management only deploys the legacy Log Analytics agent (MMA), not the Azure Monitor Agent (AMA) or the MDE extension, and it does not automatically enable vulnerability assessment or Defender for Cloud plans.

78 · Multi-Select · medium

A security analyst is triaging security alerts in Microsoft Defender for Cloud. Which of the following are valid ways to suppress a specific alert type to reduce noise? (Choose all that apply.)

Select 2 answers.

A. Create an alert suppression rule based on alert entity
B. Modify the alert's severity
C. Set an automatic response action
D. Define a rule to automatically dismiss alerts that meet criteria

Answers: A, D

Alert suppression rules can be configured to suppress alerts based on entity, such as specific IP addresses or resources.

Why this answer

Option A is correct because Microsoft Defender for Cloud allows you to create suppression rules that automatically dismiss alerts based on specific alert entities (such as alert ID, title, or severity) to reduce noise. These rules are configured in the security alerts settings and can be scoped to a subscription or management group, ensuring that alerts matching the defined criteria are silently dismissed without generating incidents.

Exam trap

The trap here is that candidates often confuse 'suppression' with 'automation' or 'severity modification', thinking that changing severity or adding a response action will reduce noise, when in fact only suppression rules (or automatic dismissal rules) actually remove alerts from the queue.

79 · MCQ · hard

A security administrator is configuring Microsoft Defender for Cloud's regulatory compliance dashboard for Azure resources. They need to track compliance against the SOC 2 standard using a built-in initiative. Which steps are required to add SOC 2 to the dashboard?

A. Enable Defender for Cloud on the subscription, then add the SOC 2 regulatory compliance initiative
B. Enable Defender for Cloud's enhanced security features, then assign the built-in SOC 2 policy initiative
C. Create a custom policy initiative based on SOC 2 controls and assign it to the management group
D. Configure Azure Policy manually with SOC 2 policies

Answer: B

Enhanced security features (Defender for Cloud plans) enable the full set of capabilities, and then the SOC 2 initiative can be assigned from the regulatory compliance dashboard.

Why this answer

Option B is correct because Microsoft Defender for Cloud's regulatory compliance dashboard requires enhanced security features (formerly Azure Defender) to be enabled on the subscription. Once enabled, you can assign the built-in SOC 2 policy initiative, which automatically maps Azure Policy definitions to SOC 2 controls and displays compliance status in the dashboard. Without enhanced security features, the regulatory compliance dashboard is not available.

Exam trap

The trap here is that candidates often assume the free tier of Defender for Cloud is sufficient for regulatory compliance tracking, but Microsoft specifically requires enhanced security features (paid tier) to enable the regulatory compliance dashboard and assign built-in initiatives like SOC 2.

How to eliminate wrong answers

Option A is wrong because simply enabling Defender for Cloud (the free tier) does not provide access to the regulatory compliance dashboard; enhanced security features must be enabled. Option C is wrong because creating a custom policy initiative based on SOC 2 controls is unnecessary and not the built-in method; the SOC 2 initiative is provided out-of-the-box and should be assigned directly. Option D is wrong because manually configuring Azure Policy with SOC 2 policies would not integrate with the regulatory compliance dashboard's automated mapping and scoring; the built-in initiative is required for proper dashboard integration.

80 · MCQ · easy

A security analyst is using Microsoft Defender for Cloud's adaptive application controls (AAC) to allowlist trusted applications on Azure VMs. After enabling AAC and running in 'Audit' mode for a week, the analyst wants to switch to 'Enforce' mode. Which prerequisite must be met before enforcement can be applied?

A. The VM must have the Guest Configuration extension installed.
B. A valid Microsoft Defender for Servers Plan 2 license must be assigned to the VM.
C. The VM must have a baseline of allowed applications generated from at least two weeks of audit data.
D. The VM must be running on a supported operating system like Windows Server 2016 or later.

Answer: C

Correct. AAC requires a baseline of known good applications from audit mode before enforcement can block unapproved applications.

Why this answer

Adaptive application controls require a minimum of two weeks of audit data to establish a reliable baseline of allowed applications before enforcement can be applied. This baseline ensures that legitimate applications are not blocked when switching from Audit to Enforce mode, reducing false positives and operational disruptions.

Exam trap

The trap here is that candidates may assume any supported OS or license is sufficient, but Microsoft specifically requires the two-week audit baseline to prevent enforcement from blocking legitimate applications.

How to eliminate wrong answers

Option A is wrong because the Guest Configuration extension is used for Azure Policy guest configuration assignments, not for adaptive application controls. Option B is wrong because while Defender for Servers Plan 2 is required to use adaptive application controls, it is a prerequisite for enabling the feature itself, not specifically for switching from Audit to Enforce mode. Option D is wrong because although supported operating systems are necessary, the specific prerequisite for enforcement is the two-week audit baseline, not just OS version support.

81 · MCQ · medium

A large enterprise uses Microsoft Defender for Cloud with all enhanced security plans enabled. They want to automatically enable the Defender for Cloud plans on new Azure subscriptions that are created under their management group. Which approach should they use?

A. Assign the built-in Azure Policy initiative 'Enable Microsoft Defender for Cloud on all subscriptions' at the management group level.
B. Configure 'Continuous export' settings in Defender for Cloud to export policies to Log Analytics for each subscription.
C. Set the default security policies at the management group level in Defender for Cloud's environment settings.
D. Enable 'Auto provisioning' for the Log Analytics agent in Defender for Cloud.

Answer: A

This policy initiative automatically enables the defined Defender plans for current and future subscriptions under the management group.

Why this answer

Option A is correct because the built-in Azure Policy initiative 'Enable Microsoft Defender for Cloud on all subscriptions' is designed to be assigned at a management group scope, automatically enabling all Defender for Cloud plans on new subscriptions as they are created under that management group. This leverages Azure Policy's compliance evaluation and remediation tasks to enforce the security plans across the entire hierarchy without manual intervention.

Exam trap

The trap here is that candidates often confuse configuring default security policies (which only set recommendation baselines) with the Azure Policy initiative that actually enables the pricing tiers for Defender for Cloud plans on new subscriptions.

How to eliminate wrong answers

Option B is wrong because 'Continuous export' in Defender for Cloud is used to stream security alerts and recommendations to Log Analytics or Event Hubs for external analysis, not to enable Defender for Cloud plans on new subscriptions. Option C is wrong because setting default security policies at the management group level in Defender for Cloud's environment settings only defines the security configurations (e.g., which recommendations are enforced) but does not automatically enable the enhanced security plans themselves on new subscriptions. Option D is wrong because 'Auto provisioning' for the Log Analytics agent installs the agent on existing VMs to collect data, but it does not enable Defender for Cloud plans or apply to new subscriptions automatically.

82 · MCQ · medium

An analyst wants to enable the Defender for Containers plan in Microsoft Defender for Cloud to protect an Azure Kubernetes Service (AKS) cluster. Arrange the steps in the correct order.

A. 1. Enable Microsoft Defender for Cloud on the subscription (if not already enabled). → 2. Go to Microsoft Defender for Cloud > Environment settings > Select the subscription. → 3. In the 'Defender plans' blade, toggle 'Containers' to On. → 4. (Optional) Install the Defender profile on the AKS cluster via recommendations or manually. → 5. Verify that container threat detection alerts appear in Defender for Cloud.
B. Verify results before configuring the source or rule settings.
C. Configure alert grouping before defining the detection query or source.
D. Skip validation and enable the rule or plan immediately.

Answer: A

This order follows the required configuration sequence and verifies the result last.

Why this answer

Option A is correct because it follows the logical sequence for enabling Defender for Containers: first ensure Defender for Cloud is enabled at the subscription level, then navigate to Environment settings, toggle the Containers plan on, optionally install the Defender profile on the AKS cluster (via the 'Azure Policy add-on for AKS' recommendation or manual helm chart), and finally verify threat detection alerts appear. This order ensures the plan is active before profile installation and validation.

Exam trap

The trap here is that candidates might think toggling the Containers plan On is sufficient without installing the Defender profile on the AKS cluster, but Microsoft explicitly recommends the profile for runtime threat detection, and the exam expects you to include that optional step in the correct order.

How to eliminate wrong answers

Option B is wrong because it suggests verifying results before configuring the source or rule settings, which is nonsensical in this context: you cannot verify alerts before enabling the plan and installing the profile. Option C is wrong because it mentions configuring alert grouping before defining the detection query or source, but Defender for Containers does not require custom alert grouping or queries; it uses built-in threat detection rules. Option D is wrong because it advises skipping validation and enabling the plan immediately, which ignores the optional but critical step of installing the Defender profile on the AKS cluster to ensure agent-based threat detection works.

83 · MCQ · medium

A Defender for Cloud alert repeatedly fires for a known test VM used by the security team. The alert type is valid, but it should not create noise for that VM. What should the analyst configure?

A. Create an alert suppression rule scoped to the test VM and alert type.
B. Disable Defender for Servers for the entire subscription.
C. Change the VM name.
D. Delete the recommendation from secure score.

Answer: A

This suppresses known benign noise without disabling protection globally.

Why this answer

Option A is correct because an alert suppression rule in Microsoft Defender for Cloud allows you to define a scope (e.g., a specific VM) and a condition (e.g., a specific alert type) to automatically dismiss alerts that are valid but not actionable for that resource. This reduces noise without affecting detection coverage for other resources. The rule is configured at the subscription or resource group level and applies only to matching alerts.

Exam trap

The trap here is that candidates may confuse alert suppression (which dismisses alerts without affecting detection) with disabling a security plan or modifying secure score, leading them to choose overly broad or irrelevant actions like disabling Defender for Servers or deleting recommendations.

How to eliminate wrong answers

Option B is wrong because disabling Defender for Servers for the entire subscription would remove all threat detection and security monitoring from every VM, not just the test VM, which is an extreme and unnecessary measure. Option C is wrong because changing the VM name does not affect the alert logic; Defender for Cloud identifies VMs by resource ID, not name, so the alert would still fire for the same resource. Option D is wrong because deleting a recommendation from secure score only removes it from the score calculation; it does not suppress alerts, and alerts are independent of secure score recommendations.

84 · Drag & Drop · medium

Arrange the steps to deploy Microsoft Defender for Cloud Apps (formerly MCAS) and connect it to a cloud app.


Why this order

Deploying Cloud App Security involves adding an app connector and authenticating to enable monitoring and control.

85 · MCQ · medium

A company uses Microsoft Defender for Cloud with enhanced security features enabled. They have several Azure virtual machines running SQL Server. The security team wants to enable advanced threat protection for their Azure SQL databases. What should they do?

A. Enable Microsoft Defender for SQL on the subscription.
B. Enable Microsoft Defender for Servers on the subscription.
C. Enable Microsoft Defender for Database on the subscription.
D. Configure SQL Vulnerability Assessment in the Azure portal for each database.

Answer: A

Defender for SQL is the dedicated plan for protecting Azure SQL databases with threat detection and vulnerability assessment.

Why this answer

Microsoft Defender for SQL (formerly Advanced Threat Protection for Azure SQL) is the specific plan that provides threat detection for Azure SQL databases, including SQL Server on Azure VMs. Enabling it at the subscription level ensures all existing and future Azure SQL databases under that subscription are protected, which is the recommended and most efficient approach.

Exam trap

The trap here is that candidates may confuse 'Microsoft Defender for Servers' with SQL protection, not realizing that SQL-specific threat detection requires the dedicated 'Microsoft Defender for SQL' plan, even when SQL Server is running on Azure VMs.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Servers is designed to protect the operating system and workloads of virtual machines, not the SQL databases running on them; it does not include SQL-specific threat detection like SQL injection alerts. Option C is wrong because there is no 'Microsoft Defender for Database' plan; the correct plan name is 'Microsoft Defender for SQL'. Option D is wrong because SQL Vulnerability Assessment is a separate feature for identifying database misconfigurations and vulnerabilities, not a threat protection service; it does not provide real-time threat detection or advanced threat protection.

86 · MCQ · medium

A cloud security team uses Microsoft Defender for Cloud with Defender for Servers enabled. They want to integrate a third-party vulnerability assessment solution for their Azure VMs and ensure findings appear in the Defender for Cloud recommendations. What must be done?

A. Configure a data connector in Microsoft Sentinel to forward the partner's findings.
B. Enable the 'Integrated' partner solution in Defender for Cloud and install the scanner on VMs.
C. Deploy the Microsoft Defender Vulnerability Management solution instead of a third-party tool.
D. Use Azure Policy to assign a built-in initiative that mandates vulnerability scanning.

Answer: B

This configures Defender for Cloud to accept findings from the partner vulnerability scanner and display them as recommendations.

Why this answer

Option B is correct because Defender for Cloud supports integrating third-party vulnerability assessment solutions through the 'Integrated' partner solution setting. Once enabled, you must install the partner's scanner agent on each Azure VM. The findings are then ingested into Defender for Cloud and appear in the 'Vulnerabilities in your virtual machines should be remediated' recommendation, allowing the security team to view and manage them alongside built-in assessments.

Exam trap

The trap here is that candidates often confuse the role of Microsoft Sentinel (a SIEM) with Defender for Cloud's native vulnerability assessment integration, thinking that any security data can be funneled through Sentinel to populate Defender for Cloud recommendations, which is incorrect because Sentinel does not write to Defender for Cloud's recommendation engine.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel is a SIEM for collecting and analyzing security logs, not a mechanism to ingest vulnerability assessment findings into Defender for Cloud recommendations; it would not populate the specific Defender for Cloud vulnerability recommendation. Option C is wrong because the question explicitly requires integrating a third-party solution, not replacing it with Microsoft Defender Vulnerability Management. Option D is wrong because Azure Policy can enforce that a vulnerability assessment solution is deployed, but it does not directly cause findings from a third-party tool to appear in Defender for Cloud recommendations; the 'Integrated' partner solution must be enabled and the scanner installed.

87 · MCQ · medium

A company uses Microsoft Defender for Cloud with Defender for Servers enabled. The security team wants to integrate a third-party vulnerability assessment solution (e.g., Qualys) and have findings appear in the Defender for Cloud recommendations. What must be done?

A. Install the Qualys agent on the VMs and configure the vulnerability assessment solution in Defender for Cloud.
B. Enable the built-in Microsoft Defender Vulnerability Management (MDVM) solution; it automatically integrates with any third-party scanner.
C. Set up automatic provisioning of the Log Analytics agent and enable vulnerability assessment in the regulatory compliance dashboard.
D. Nothing; Defender for Cloud automatically scans all Azure VMs for vulnerabilities using the integrated Qualys scanner.

Answer: A

This is correct. The agent must be deployed on each VM, and the integration must be configured in the Defender for Cloud security policy to accept findings from the third-party vulnerability assessment solution.

Why this answer

Option A is correct because to integrate a third-party vulnerability assessment solution like Qualys with Microsoft Defender for Cloud, you must install the Qualys agent on the VMs and then configure the vulnerability assessment solution in Defender for Cloud. This allows Defender for Cloud to receive and display the vulnerability findings from Qualys as part of its security recommendations. Without this explicit configuration, Defender for Cloud cannot ingest third-party scanner data.

Exam trap

The trap here is that candidates assume Defender for Cloud automatically integrates with any third-party scanner or that enabling MDVM will bridge to third-party tools, when in fact a specific agent installation and connector configuration is required for third-party solutions.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender Vulnerability Management (MDVM) is a built-in solution that does not automatically integrate with third-party scanners; it is a separate offering that replaces the need for third-party tools, not a bridge to them. Option C is wrong because automatic provisioning of the Log Analytics agent and enabling vulnerability assessment in the regulatory compliance dashboard does not integrate a third-party scanner; it only enables built-in vulnerability assessment or MDVM, not Qualys. Option D is wrong because Defender for Cloud does not automatically scan all Azure VMs using an integrated Qualys scanner; it uses its own built-in vulnerability assessment or requires explicit integration of a third-party solution.

88 · MCQ · medium

A company uses Microsoft Defender for Cloud with enhanced security features enabled. The security team wants to automatically disable the local administrative account on all existing and future Azure virtual machines by applying a guest configuration policy. Which Defender for Cloud feature should they use?

A. Just-In-Time (JIT) VM access
B. Guest configuration (Azure Policy)
C. Adaptive application controls
D. Regulatory compliance dashboard

Answer: B

Guest configuration policies can audit and remediate settings inside VMs, such as disabling local accounts.

Why this answer

Option B is correct because Guest configuration (Azure Policy) is the only feature that can audit and remediate settings inside a virtual machine's operating system, such as disabling the local administrative account. Defender for Cloud integrates with Azure Policy's guest configuration extension to enforce desired state configurations on both existing and future VMs via policy assignments.

Exam trap

The trap here is confusing network-level access controls (JIT) or application whitelisting (Adaptive application controls) with OS-level configuration management, which is exclusively handled by Guest configuration (Azure Policy).

How to eliminate wrong answers

Option A is wrong because Just-In-Time (JIT) VM access controls network-level access to management ports (e.g., RDP/SSH) and does not modify local user accounts or enforce guest OS configurations. Option C is wrong because Adaptive application controls define allowlists for applications running on VMs to prevent malware, not manage local user accounts or disable administrative privileges. Option D is wrong because the Regulatory compliance dashboard provides visibility into compliance standards (e.g., ISO 27001, NIST) but does not perform any automated remediation or configuration changes on VMs.

89 · MCQ · medium

A company runs its critical workloads on Azure Kubernetes Service (AKS). The security team wants to use Microsoft Defender for Cloud to protect the AKS clusters. After enabling Defender for Cloud on the subscription, they also need to enable the Defender for Containers plan. Which of the following capabilities becomes available specifically after enabling the Defender for Containers plan (with the plan turned on)?

A. Azure Policy for Kubernetes add-on installation to enforce pod security policies.
B. Kubernetes audit logs are automatically streamed to the Log Analytics workspace.
C. Security alerts for container runtime threats, such as privilege escalation in a container.
D. Integration with Microsoft Sentinel for monitoring AKS logs.

Answer: C

Correct. The plan enables advanced threat detection, generating security alerts based on behavioral analytics of cluster activities.

Why this answer

Option C is correct because enabling the Defender for Containers plan in Microsoft Defender for Cloud activates host-level and cluster-level threat detection for AKS, including runtime threat protection. This allows Defender for Cloud to generate security alerts for container-specific threats such as privilege escalation, container breakout, and suspicious process execution within containers, which are not available with just the basic Defender for Cloud enabled on the subscription.

Exam trap

The trap here is that candidates often confuse the general security monitoring capabilities of Defender for Cloud (like audit log streaming or policy enforcement) with the specific runtime threat detection that only the Defender for Containers plan enables, leading them to select options that are available without the plan or require separate configuration.

How to eliminate wrong answers

Option A is wrong because Azure Policy for Kubernetes add-on installation is a feature of Azure Policy itself, not of the Defender for Containers plan; it can be used to enforce pod security policies (e.g., via built-in initiatives) regardless of whether the Defender for Containers plan is enabled. Option B is wrong because Kubernetes audit logs are automatically streamed to the Log Analytics workspace only if you configure diagnostic settings on the AKS cluster to send them to a Log Analytics workspace; this is not an automatic behavior triggered by enabling the Defender for Containers plan. Option D is wrong because integration with Microsoft Sentinel for monitoring AKS logs is a feature of Sentinel's data connectors, not a capability that becomes available specifically after enabling the Defender for Containers plan; Sentinel can ingest AKS logs via diagnostic settings regardless of the Defender for Containers plan status.

90 · MCQ · medium

A security analyst in Microsoft Defender for Cloud receives an alert that an Azure VM has a vulnerability with a high severity. The analyst wants to see the detailed finding, including the steps to remediate. Which blade or page should the analyst open?

A. Vulnerability Assessment findings
B. Secure Score
C. Regulatory Compliance
D. Workload protections alerts

Answer: A

Correct. The Vulnerability Assessment findings blade lists all discovered vulnerabilities with details and remediation guidance.

Why this answer

The Vulnerability Assessment findings blade in Microsoft Defender for Cloud displays detailed results from integrated vulnerability scanners (such as Qualys or Microsoft Defender Vulnerability Management), including the specific vulnerability ID, severity, description, and remediation steps. This is the correct location to view the detailed finding and remediation guidance for a high-severity vulnerability on an Azure VM.

Exam trap

The trap here is that candidates confuse the 'Workload protections alerts' blade (which shows active threat detections) with the 'Vulnerability Assessment findings' blade (which shows scan results), leading them to select D instead of A.

How to eliminate wrong answers

Option B (Secure Score) is wrong because Secure Score provides an overall security posture rating based on control recommendations, not the detailed vulnerability findings or remediation steps for a specific alert. Option C (Regulatory Compliance) is wrong because Regulatory Compliance shows compliance status against standards like ISO 27001 or SOC 2, not the technical details of a vulnerability finding. Option D (Workload protections alerts) is wrong because that blade lists security alerts (e.g., detected threats), not vulnerability assessment findings; alerts are generated from detections, whereas vulnerability findings come from scanning.

91 · MCQ · medium

A company has enabled Microsoft Defender for Cloud on multiple Azure subscriptions. The security team wants to view a unified security score that aggregates the scores from all subscriptions. Which feature should they use?

A. Azure Policy compliance dashboard
B. Secure Score dashboard
C. Security alerts dashboard
D. Workload protection dashboard

Answer: B

This dashboard aggregates scores from multiple subscriptions into a single metric.

Why this answer

The Secure Score dashboard in Microsoft Defender for Cloud aggregates the security scores from all selected subscriptions into a single, unified score. This allows the security team to view the overall security posture across multiple Azure subscriptions at a glance, based on the compliance status of security recommendations.

Exam trap

The trap here is that candidates often confuse the Secure Score dashboard with the Security alerts dashboard, thinking alerts contribute to the score, but the Secure Score is purely based on recommendation compliance, not active threats.

How to eliminate wrong answers

Option A is wrong because the Azure Policy compliance dashboard shows the compliance state of resources against assigned policies, not a unified security score. Option C is wrong because the Security alerts dashboard lists active security alerts and incidents, not aggregated security scores. Option D is wrong because the Workload protection dashboard focuses on the coverage and status of workload protection plans (e.g., Defender for Servers, Defender for SQL), not a consolidated security score.

92
MCQ · easy

In Microsoft Defender for Cloud, what does the Secure Score represent?

A.The number of currently active security alerts.
B.The percentage of compliance with the Azure Security Benchmark.
C.The overall security posture of your resources, based on implemented security controls and recommendations.
D.The number of VMs that have been assessed for vulnerabilities.
Answer: C

Secure Score is a percentage (0-100%) that reflects how well you have implemented security best practices.

Why this answer

The Secure Score in Microsoft Defender for Cloud is a numeric representation of your overall security posture, calculated based on the implementation of security controls and the remediation of recommendations. It aggregates the status of all assessed resources against security best practices, providing a single score that reflects how well you are protecting your workloads. This score helps prioritize actions to improve security, as each recommendation contributes a specific number of points toward the total possible score.

Exam trap

The trap here is that candidates often confuse the Secure Score with a simple compliance percentage or a count of alerts, but Microsoft specifically designed it as a posture metric that reflects the implementation of security controls, not just compliance with a single benchmark or the number of threats detected.

How to eliminate wrong answers

Option A is wrong because the Secure Score does not represent the number of active security alerts; active alerts are tracked separately in the Security Alerts dashboard and do not directly influence the score calculation. Option B is wrong because while the Secure Score is aligned with the Azure Security Benchmark, it is not a percentage of compliance with that benchmark; instead, it is a weighted score based on the implementation of security controls and recommendations across multiple benchmarks and standards. Option D is wrong because the Secure Score is not limited to VM vulnerability assessments; it encompasses all supported resource types (e.g., storage accounts, SQL servers, containers) and their associated security controls.

93
MCQ · medium

A company uses Microsoft Defender for Cloud to protect their Azure resources. They have enabled the enhanced security features on a subscription that contains several Azure SQL databases. They want to be alerted if a user attempts to perform SQL injection attacks against these databases. Which Defender for Cloud plan specifically enables SQL injection detection alerts?

A.Defender for Servers
B.Defender for SQL
C.Defender for App Service
D.Defender for Storage
Answer: B

Defender for SQL is the plan that provides security alerts for SQL databases, including SQL injection attempts.

Why this answer

Defender for SQL is the specific Microsoft Defender for Cloud plan that provides SQL-specific threat detection, including alerts for SQL injection attacks. This plan monitors SQL databases for anomalous activities such as SQL injection attempts, brute-force attacks, and unusual access patterns by analyzing query logs and audit records. Enabling Defender for SQL on the subscription activates these detection capabilities for Azure SQL databases, making it the correct choice for the scenario.

Exam trap

The trap here is that candidates may confuse Defender for App Service with SQL injection detection because App Service can host web applications that are vulnerable to SQL injection, but the question specifically asks for the plan that enables detection alerts against the SQL databases themselves, not the web layer.

How to eliminate wrong answers

Option A is wrong because Defender for Servers focuses on protecting virtual machines and servers, not Azure SQL databases, and does not include SQL injection detection. Option C is wrong because Defender for App Service is designed to protect web applications and APIs running on Azure App Service, not SQL databases, and its threat detection centers on web application attacks like DDoS or cross-site scripting. Option D is wrong because Defender for Storage protects Azure Blob Storage, Azure Files, and Azure Data Lake Storage from threats like malware uploads or anonymous access, but it does not monitor SQL databases or detect SQL injection attacks.

94
MCQ · easy

A company uses Microsoft Defender for Cloud to secure its Azure environment. The security team wants to receive notifications via email whenever a high-severity security alert is generated. What should they configure in Defender for Cloud?

A.Enable the 'Continuous Export' feature to send alerts to a Log Analytics workspace.
B.Configure an alert rule in Azure Monitor.
C.Set up email notifications for high-severity alerts in the Defender for Cloud environment settings.
D.Create an automation rule in Microsoft Sentinel.
Answer: C

This is the correct approach. In Defender for Cloud, you can configure email notifications under the environment settings to send alerts to specified security contacts.

Why this answer

Option C is correct because Defender for Cloud provides a built-in email notification configuration specifically for security alerts. By navigating to the 'Environment settings' for the subscription or management group, then selecting 'Email notifications', you can enable and configure alerts to be sent to specified recipients when high-severity alerts are generated. This is the direct, purpose-built method for email notification of Defender for Cloud alerts without requiring additional services.

Exam trap

The trap here is that candidates often confuse the purpose of 'Continuous Export' (which is for data export, not direct notification) or assume that Azure Monitor alert rules are the universal mechanism for all Azure alerts, overlooking Defender for Cloud's dedicated email notification settings.

How to eliminate wrong answers

Option A is wrong because 'Continuous Export' streams security alerts and recommendations to a Log Analytics workspace or Event Hubs for integration with other tools (e.g., SIEM), but it does not directly send email notifications; it requires additional logic (e.g., Azure Monitor alerts or Logic Apps) to trigger emails. Option B is wrong because Azure Monitor alert rules are designed for metrics, logs, and activity logs, not for Defender for Cloud security alerts; while you can create a custom alert rule using Log Analytics data if Continuous Export is enabled, this is an indirect, extra-step approach, not the native configuration for Defender for Cloud email notifications. Option D is wrong because automation rules in Microsoft Sentinel are used to automate incident management and response within Sentinel, not to configure email notifications for Defender for Cloud alerts; Sentinel can ingest Defender for Cloud alerts, but the email notification setting is a Defender for Cloud feature, not a Sentinel one.

95
Multi-Select · medium

Which of the following resource types are supported by Microsoft Defender for Cloud's workload protection plans? (Select all that apply.) (Choose 3.)
A.Azure virtual machines
B.Azure SQL databases
C.On-premises servers connected via Azure Arc
D.Azure Logic Apps
Answers: A, B, C

Defender for Servers plan protects Azure VMs, including threat detection and vulnerability assessment.

Why this answer

Microsoft Defender for Cloud's workload protection plans support Azure virtual machines by providing integrated threat detection and advanced security features like just-in-time VM access, file integrity monitoring, and vulnerability assessments. These capabilities leverage the Microsoft Monitoring Agent or Azure Monitor Agent to analyze security events and detect suspicious activities within the VM's operating system and network traffic.

Exam trap

The trap here is that candidates often assume all Azure resource types are covered by the same workload protection plan, but Microsoft specifically scopes these plans to compute, data, and hybrid workloads, excluding serverless or integration services like Logic Apps which require separate Defender plans.

96
MCQ · hard

An organization needs to meet PCI DSS compliance requirements and also enforce a custom policy requiring that encryption keys be stored in a specific Azure Key Vault. The security administrator wants to view a unified compliance score that includes both the built-in PCI DSS standard and the custom policy. What should the administrator do in Microsoft Defender for Cloud?

A.Assign the built-in PCI DSS regulatory compliance standard and add a custom policy through Azure Policy
B.Create a custom initiative that includes the PCI DSS built-in policy set and the custom key vault policy, then assign it to the scope
C.Use Azure Blueprints to deploy the PCI DSS standard and custom policies
D.Enable the Secure Score dashboard to measure compliance
Answer: B

Custom initiatives allow combining multiple policy definitions, including from regulatory compliance standards, into a single assignable set that appears in the regulatory compliance dashboard.

Why this answer

Option B is correct because Microsoft Defender for Cloud's regulatory compliance dashboard can only display a unified compliance score when all relevant standards and custom policies are grouped into a single initiative. By creating a custom initiative that includes both the built-in PCI DSS policy set and the custom Key Vault policy, then assigning that initiative to the scope, the administrator ensures the compliance score reflects both requirements in one view.

Exam trap

The trap here is that candidates assume simply assigning the built-in standard and adding a custom policy separately will merge their scores, but Defender for Cloud requires all policies to be part of the same initiative for a unified compliance score.

How to eliminate wrong answers

Option A is wrong because simply assigning the built-in PCI DSS standard and adding a custom policy through Azure Policy does not merge them into a single compliance score; the custom policy would appear separately and not contribute to the unified score. Option C is wrong because Azure Blueprints is a deployment and orchestration tool, not a compliance scoring mechanism; it cannot aggregate compliance data into Defender for Cloud's regulatory compliance dashboard. Option D is wrong because the Secure Score dashboard measures security posture based on security controls, not regulatory or custom policy compliance; it does not include PCI DSS or custom key vault policies.

97
MCQ · easy

A company wants to be alerted when a virtual machine is exposed to the internet through a permissive network security group rule. Which Microsoft Defender for Cloud feature provides recommendations and alerts for such misconfigurations?

A.Adaptive network hardening
B.Just-in-time VM access
C.File integrity monitoring
D.Application controls
Answer: A

Adaptive network hardening uses machine learning to analyze traffic patterns and recommends NSG rule changes, alerting on internet-exposed VMs due to overly permissive rules.

Why this answer

Adaptive network hardening (ANH) in Microsoft Defender for Cloud analyzes actual traffic patterns, NSG rules, and internet-facing endpoints to identify overly permissive rules that expose VMs to the internet. It then provides actionable recommendations to tighten those rules and can generate security alerts when such misconfigurations are detected. This directly matches the requirement for alerts on internet exposure via permissive NSG rules.

Exam trap

The trap here is confusing a feature that actively controls access (JIT VM access) with one that detects and alerts on existing misconfigurations (adaptive network hardening). Candidates choose JIT because it also deals with internet exposure, but JIT does not generate alerts for permissive NSG rules.

How to eliminate wrong answers

Option B (Just-in-time VM access) is wrong because it controls inbound access by temporarily opening ports only when needed, but it does not analyze existing NSG rules for permissive internet exposure or generate alerts for misconfigurations. Option C (File integrity monitoring) is wrong because it monitors changes to critical files, registry keys, and system files for compliance and forensic purposes, not network security group rules or internet exposure. Option D (Application controls) is wrong because it uses allow/deny lists to control which applications can run on VMs, focusing on executable and script control, not network security group rule analysis or internet exposure alerts.

98
MCQ · medium

A company uses Microsoft Defender for Cloud with Defender for Containers enabled. The security team wants to view security alerts generated for their Azure Kubernetes Service (AKS) clusters. Where should they navigate to see these alerts?

A.In the Microsoft Defender for Cloud 'Security alerts' page.
B.In Microsoft Sentinel incidents.
C.In the Microsoft 365 Defender portal.
D.In Azure Monitor alerts.
Answer: A

Correct. All Defender for Cloud alerts, including those for containers, are listed in the Security alerts blade.

Why this answer

Microsoft Defender for Cloud is the central console for security alerts generated by Defender for Containers, including those for AKS clusters. The 'Security alerts' page within Defender for Cloud aggregates all cloud workload protection alerts, making it the correct location to view AKS-specific alerts. Alerts from Defender for Containers are automatically surfaced here without additional configuration.

Exam trap

The trap here is that candidates often confuse the Microsoft 365 Defender portal (unified for Microsoft 365 security) with Defender for Cloud (for cloud workloads), leading them to choose Option C instead of the correct Azure-native security alerts page.

How to eliminate wrong answers

Option B is wrong because Microsoft Sentinel incidents require a separate SIEM integration and are not the native location for Defender for Cloud alerts; alerts must be forwarded via connector to appear there. Option C is wrong because the Microsoft 365 Defender portal focuses on endpoint, email, and identity threats, not cloud workload alerts from AKS. Option D is wrong because Azure Monitor alerts are designed for infrastructure metrics and logs, not the security-specific, contextual alerts generated by Defender for Cloud's threat detection engines.

99
MCQ · easy

A security operations analyst is reviewing recommendations in Microsoft Defender for Cloud. For a virtual machine that is missing critical security updates, which recommendation category will highlight this issue?

A.Secure score
B.Regulatory compliance
C.Workload protections
D.Inventory
Answer: A

Secure score includes recommendations for remediating vulnerabilities like missing critical updates.

Why this answer

In Microsoft Defender for Cloud, the Secure score category directly reflects the security posture of your resources by tracking the implementation of security recommendations. Missing critical security updates on a virtual machine are flagged as a recommendation within this category, and resolving them improves your secure score percentage. This is because secure score is calculated based on the compliance status of each recommendation, with missing updates being a key control for vulnerability management.

Exam trap

The trap here is that candidates often confuse the 'Regulatory compliance' category with security update tracking, but regulatory compliance only shows compliance with specific standards, not the operational status of missing patches.

How to eliminate wrong answers

Option B is wrong because Regulatory compliance focuses on aligning your environment with specific compliance standards (e.g., ISO 27001, SOC 2) and does not directly surface missing security updates as a standalone recommendation category. Option C is wrong because Workload protections is a category for enabling and managing advanced threat protection plans (e.g., Defender for Servers, Defender for SQL) and does not list individual missing update recommendations. Option D is wrong because Inventory provides a list of all resources and their metadata, but it does not categorize or prioritize missing security updates as a recommendation; it is a resource discovery tool, not a recommendation category.

100
MCQ · hard

A global organization has Azure subscriptions organized under a single management group. The security team wants to ensure that the Azure Security Benchmark initiative is assigned once to cover all current and future subscriptions within that management group, without needing to assign it individually. They also want to see compliance results aggregated at the management group level. In Microsoft Defender for Cloud, what is the correct approach to achieve this?

A.Assign the Azure Security Benchmark initiative directly to the management group via Azure Policy, and use the Defender for Cloud's Regulatory Compliance dashboard.
B.Enable Defender for Cloud's enhanced security features on each subscription, and the benchmark will be automatically applied.
C.Create a custom assessment in Defender for Cloud that queries the management group scope.
D.Assign the initiative to the root management group using Azure Policy, then configure Defender for Cloud to ignore individual subscription assignments.
Answer: A

Assigning the initiative at the management group scope applies it to all subscriptions within, and the Regulatory Compliance dashboard shows aggregated results for that scope.

Why this answer

Assigning the Azure Security Benchmark initiative directly to the management group via Azure Policy ensures that the policy initiative is inherited by all current and future subscriptions under that management group. Defender for Cloud's Regulatory Compliance dashboard then aggregates compliance results at the management group level, providing a single view of compliance across the entire hierarchy without requiring individual assignments.

Exam trap

The trap here is that candidates may think enabling enhanced security features in Defender for Cloud automatically applies the Azure Security Benchmark, but in reality, the benchmark must be explicitly assigned as a policy initiative, and the management group scope is the correct way to cover all subscriptions.

How to eliminate wrong answers

Option B is wrong because enabling Defender for Cloud's enhanced security features on each subscription does not automatically assign the Azure Security Benchmark initiative; the benchmark must be explicitly assigned via Azure Policy. Option C is wrong because creating a custom assessment in Defender for Cloud that queries the management group scope does not enforce the Azure Security Benchmark initiative across subscriptions; it only provides a custom query without policy-driven compliance evaluation. Option D is wrong because assigning the initiative to the root management group would cover all subscriptions, but configuring Defender for Cloud to ignore individual subscription assignments is unnecessary and not a supported configuration; the correct approach is to assign directly to the target management group.

101
MCQ · medium

A company has several Azure virtual machines running SQL Server (IaaS). The security team wants to enable Advanced Threat Protection for these SQL Server instances to detect threats like SQL injection. What should they do?

A.Deploy the SQL Server IaaS Agent extension on each VM and enable Azure Defender for SQL in Microsoft Defender for Cloud.
B.Enable Azure Defender for Servers on the subscription; it automatically protects SQL Server workloads.
C.Enable Azure Defender for SQL on the Log Analytics workspace used by the VMs.
D.Configure the Microsoft Sentinel SQL connector to ingest SQL audit logs.
Answer: A

Correct. The SQL IaaS Agent extension registers the VM with the SQL resource provider. After that, enabling Azure Defender for SQL (under Defender for Cloud plans) provides Advanced Threat Protection and vulnerability assessment for the SQL Server instances.

Why this answer

To enable Advanced Threat Protection for SQL Server IaaS, you must deploy the SQL Server IaaS Agent extension on each VM, which allows the VM to register with the SQL IaaS platform. Then, you enable Azure Defender for SQL in Microsoft Defender for Cloud, which provides threat detection for SQL injection and other anomalous activities. This combination ensures the SQL Server instances are monitored by Defender for Cloud's SQL-specific protections.

Exam trap

The trap here is that candidates often confuse Azure Defender for Servers with Azure Defender for SQL, assuming server-level protection automatically covers SQL workloads, but SQL-specific threat detection requires the dedicated SQL Defender plan and the IaaS Agent extension.

How to eliminate wrong answers

Option B is wrong because Azure Defender for Servers protects the VM's operating system and network, but it does not automatically enable SQL-specific threat detection like SQL injection; you need Azure Defender for SQL for that. Option C is wrong because Azure Defender for SQL is enabled at the subscription or workspace level for PaaS SQL databases, not for SQL Server IaaS VMs, which require the IaaS Agent extension. Option D is wrong because the Microsoft Sentinel SQL connector ingests audit logs for analysis in Sentinel, but it does not enable Advanced Threat Protection or real-time threat detection for SQL Server IaaS; that requires Defender for SQL.

102
MCQ · easy

A company enables Microsoft Defender for Cloud on its Azure subscription. The security team wants to ensure that all existing and future Azure VMs have Just-In-Time (JIT) VM access configured. Which of the following actions must the team take first to enable JIT for VMs?

A.Enable the 'Just-In-Time VM access' plan in Microsoft Defender for Cloud's environment settings
B.Configure a network security group (NSG) to allow RDP traffic from a specific IP range
C.Create a security policy assignment to block all inbound RDP traffic
D.Install the Log Analytics agent on all VMs
Answer: A

JIT must be enabled first; then VMs can be configured and requests can be made.

Why this answer

Option A is correct because enabling the 'Just-In-Time VM access' plan in Microsoft Defender for Cloud's environment settings is the prerequisite step that activates the JIT feature for the subscription. Without this plan enabled, Defender for Cloud cannot enforce JIT policies on any VMs, regardless of NSG or agent configurations.

Exam trap

The trap here is that candidates often think JIT requires an agent or manual NSG configuration, but the first step is always enabling the plan in Defender for Cloud's environment settings, as JIT is a cloud-level policy feature, not a VM-level agent-based one.

How to eliminate wrong answers

Option B is wrong because configuring an NSG to allow RDP from a specific IP range is a manual access control method, not the first step to enable JIT; JIT itself dynamically manages NSG rules. Option C is wrong because creating a security policy to block all inbound RDP traffic would prevent JIT from opening ports on demand, as JIT requires the ability to temporarily allow traffic. Option D is wrong because the Log Analytics agent is not required for JIT VM access; JIT works through Azure Resource Manager and NSG rules, not agent-based monitoring.

103
MCQ · medium

A security administrator wants to enable vulnerability assessment for all existing and future Azure virtual machines using the integrated Microsoft Defender Vulnerability Management solution. Which action should they take in Microsoft Defender for Cloud?

A.Enable 'Microsoft Defender for Servers' plan and check the 'Vulnerability assessment' option in the environment settings
B.Install the Log Analytics agent and configure the Qualys connector on each VM
C.Create a policy assignment from the built-in initiative 'Enable Azure Monitor for VMs'
D.Enable 'Servers' workload protection in Defender for Cloud and then manually deploy the VA agent to each existing VM using Azure Policy
Answer: A

This enables Defender for Servers at the subscription level, which includes the integrated vulnerability assessment solution. It automatically applies to all current and future VMs.

Why this answer

To enable vulnerability assessment for all existing and future Azure VMs using the integrated Microsoft Defender Vulnerability Management solution, you must enable the 'Microsoft Defender for Servers' plan in Defender for Cloud and then check the 'Vulnerability assessment' option within the environment settings. This action activates the built-in, agentless vulnerability assessment engine that is part of Defender for Cloud, automatically scanning VMs without requiring additional agents or manual deployment.

Exam trap

The trap here is that candidates often confuse enabling 'Microsoft Defender for Servers' (which provides general threat protection) with the separate 'Vulnerability assessment' toggle that must be explicitly checked to activate the integrated vulnerability scanning, leading them to select option D, which only mentions enabling workload protection.

How to eliminate wrong answers

Option B is wrong because installing the Log Analytics agent and configuring the Qualys connector is a legacy approach for vulnerability assessment that requires a third-party solution and manual per-VM configuration, not the integrated Microsoft Defender Vulnerability Management solution. Option C is wrong because creating a policy assignment from 'Enable Azure Monitor for VMs' enables VM insights and Log Analytics agent deployment, not vulnerability assessment via Defender for Cloud. Option D is wrong because enabling 'Servers' workload protection alone does not automatically enable vulnerability assessment; you must also check the 'Vulnerability assessment' option, and manually deploying the VA agent is unnecessary when the integrated solution is agentless.

104
MCQ · medium

A company uses Microsoft Defender for Cloud to protect Azure virtual machines. The security team receives an alert indicating that a VM is communicating with a known malicious IP address. Which Defender for Cloud feature can be used to automatically block outbound traffic to that IP address by adjusting the network security group (NSG)?

A.Adaptive application controls
B.Just-in-time VM access
C.Adaptive network hardening
D.File integrity monitoring
Answer: C

Adaptive network hardening analyzes network traffic and NSG rules to harden them against threats, including blocking outbound traffic to malicious IPs.

Why this answer

Adaptive network hardening (C) is the correct feature because it uses machine learning to analyze traffic patterns and recommend NSG rules to restrict traffic to known trusted sources. When a VM communicates with a malicious IP, adaptive network hardening can automatically create a deny rule in the NSG to block outbound traffic to that IP, reducing the attack surface without manual intervention.

Exam trap

The trap here is that candidates confuse 'adaptive network hardening' with 'just-in-time VM access' because both involve NSG adjustments, but JIT only manages inbound ports while adaptive network hardening handles both inbound and outbound traffic based on threat intelligence.

How to eliminate wrong answers

Option A is wrong because adaptive application controls are designed to control which applications can run on a VM, not to block network traffic to specific IP addresses. Option B is wrong because just-in-time VM access reduces the attack surface by locking down inbound ports to a VM and opening them only when needed, but it does not block outbound traffic to malicious IPs. Option D is wrong because file integrity monitoring tracks changes to critical files and registry settings, not network traffic or IP-based blocking.
