Questions Flashcards

(51 cards)

1
Q

What is the default retention period for Defender for Endpoint data, and what is the minimum retention that can be set?

A

180 days is the default, and 30 days is the minimum.

2
Q

A user needs to be able to view incidents and manage playbooks within Microsoft Sentinel. Which combination of roles should be assigned to fulfill this requirement?

A. Microsoft Sentinel Responder and Microsoft Sentinel Automation Contributor
B. Microsoft Sentinel Contributor and Microsoft Sentinel Responder
C. Microsoft Sentinel Reader and Logic App Contributor

A

C

3
Q

Which role should be granted to a user to allow them to configure Microsoft Sentinel to run playbooks, without granting them permissions to view or manage incidents?

A. Microsoft Sentinel Contributor
B. Microsoft Sentinel Responder
C. Logic App Contributor

A

C

4
Q

Your organization wants to configure long-term data retention for Microsoft Sentinel logs beyond the default 30-day retention period. How can you achieve this?

A. Extend the table's total retention period up to 12 years.
B. Configure Basic Logs for extended retention.
C. Use Auxiliary Logs for extended retention up to two years.

A

A

5
Q

Which permission level is required to enable Microsoft Sentinel on a workspace?

A. Owner permissions on the Log Analytics workspace
B. Contributor permissions on the subscription
C. Reader permissions on the resource group

A

A

6
Q

In threat intelligence, indicators are considered which of the following?

A. Strategic
B. Operational
C. Tactical

A

C

7
Q

What is an Azure subscription?

A

A billing container and boundary for resources.

8
Q

What is a scope?

A

A scope defines where a role assignment applies. For example, you would assign a user the Reader role on a single resource group so they only see resources there, and not across the whole subscription.

9
Q

How many workspaces can be connected to the Defender portal?

A

One.
If you want to connect a different workspace that has Microsoft Sentinel enabled, disconnect the current workspace and then connect the other one.

10
Q

Which portal supports the functionality of adding entities to threat intelligence from incidents in Microsoft Sentinel?

A. Both the Azure and Defender portals
B. Azure portal
C. Defender portal

A

B

11
Q

What happens when a workspace is disconnected from the Defender portal in Microsoft Sentinel?

A. The Microsoft Sentinel section is removed from the left-hand navigation of the Defender portal
B. The workspace is deleted from Microsoft Sentinel
C. Data from Microsoft Sentinel is still included on the Overview page

A

A

12
Q

Which table (data type) would you query for the Microsoft Entra data?

A. OfficeActivity
B. SigninLogs
C. SecurityAlert

A

B

13
Q

Which table (data type) would you query for the Microsoft 365 data?

A. OfficeActivity
B. SecurityAlert
C. SigninLogs

A

A

14
Q

Which table (data type) would you query for the Microsoft Entra ID Protection data?

A. OfficeActivity
B. SigninLogs
C. SecurityAlert

A

C

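The three tables in cards 12 to 14 are most useful together. The following KQL is an added example, not one of the original cards: it pivots from a Microsoft Entra ID Protection alert in SecurityAlert to the same user's successful sign-ins in SigninLogs and mailbox changes in OfficeActivity. It assumes the Microsoft Entra ID, Microsoft 365 and Entra ID Protection connectors are enabled; the 7-day window and the list of mailbox operations are illustrative choices.

```kql
// Added example, not from the original cards: pivot from an Entra ID Protection alert
// (SecurityAlert rows with ProviderName "IPC") to the user's sign-ins and mailbox activity.
// The lookback window and the Operation list below are assumptions for this example.
let lookback = 7d;
let riskyUsers =
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where ProviderName == "IPC"                       // Microsoft Entra ID Protection alerts
    | where isnotempty(CompromisedEntity)               // the UPN the alert is about
    | summarize FirstAlert = min(TimeGenerated), AlertNames = make_set(AlertName)
        by UPN = tolower(CompromisedEntity);
riskyUsers
| join kind=inner (
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"                           // successful sign-ins only
    | summarize SignInIPs = make_set(IPAddress), Apps = make_set(AppDisplayName)
        by UPN = tolower(UserPrincipalName)
  ) on UPN
| join kind=leftouter (
    OfficeActivity
    | where TimeGenerated > ago(lookback)
    | where Operation in ("New-InboxRule", "Set-InboxRule", "Add-MailboxPermission")
    | summarize MailboxOps = make_set(Operation) by UPN = tolower(UserId)
  ) on UPN
| project UPN, FirstAlert, AlertNames, SignInIPs, Apps, MailboxOps
```

The leftouter join keeps users with a risk alert and sign-ins even when they performed no mailbox operations; an inner join there would silently hide the users you most want to see.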
15
Q

Which connector do you use to collect Windows security events?

A. Windows Security Events via AMA
B. Common Event Format
C. Syslog

A

A

16
Q

To collect Sysmon events with the Security Events connector, what is the log name used to collect it in advanced settings?

A. Microsoft-Windows-Sysmon/Operational
B. Microsoft-Windows-Sysmon/Events
C. Microsoft-Windows-Sysmon/Logs

A

A

17
Q

Which table contains the ingested Sysmon events?

A

A

18
Q

The CEF connector can be deployed on which platform?

A. Azure Windows virtual machine
B. On-premises Windows host
C. Azure Linux virtual machine

A

C

19
Q

The CEF connector deploys what type of forwarder?

A. Syslog
B. Event
C. Sysmon

A

A

20
Q

The CEF connector writes to which table?

A. CommonSecurityLog
B. SecurityEvent
C. Syslog

A

A
21
Q

Log Analytics supports collecting messages sent by which daemons?

A

rsyslog or syslog-ng

22
Q

What port does the local Syslog daemon forward to? (The path is local host, then the Azure Monitor Agent for Linux, then the Log Analytics workspace.)

A

TCP port 25224 on the agent; the agent then sends the data to the Log Analytics workspace over HTTPS.

23
Q

To create a parser in the Logs query window, save the query as which of the following?

A. Module
B. Function
C. Table

A

B
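The Syslog and parser cards above (21 to 23) fit together as one workflow. The KQL below is an added example, not one of the original cards: a parser over the Syslog table that you would write in the Logs query window and then save as a function (the function name FwParser, the process name "myfw" and the key=value message layout are all constructed for this example, not taken from any product).

```kql
// Added example, not from the original cards. Parses a constructed firewall message such as:
//   action=deny src=10.0.0.5 dst=203.0.113.9 dpt=445 proto=tcp
// that rsyslog/syslog-ng forwarded to the agent and that landed in the Syslog table.
// Save this query as a function named FwParser (assumed name) to reuse it as a parser.
Syslog
| where ProcessName == "myfw"                                  // assumed process name
| parse SyslogMessage with * "action=" Action:string
                              " src=" SrcIp:string
                              " dst=" DstIp:string
                              " dpt=" DstPort:int
                              " proto=" Proto:string
| project TimeGenerated, Computer, Facility, SeverityLevel, Action, SrcIp, DstIp, DstPort, Proto
```

Once saved, later queries call it like a table (for example, FwParser | where Action == "deny" | summarize count() by DstPort), and the parsing logic lives in one place instead of being copied into every rule. Typed captures such as DstPort:int keep the downstream queries from comparing numbers as strings.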

24
Q

MDTI

A

Microsoft Defender Threat Intelligence

25
Q

What table do you query in KQL to view your indicators?

A. Indicator
B. TIIndicator
C. ThreatIntelligenceIndicator

A

C

26
Q

Which versions of TAXII are supported?

A

2.0 and 2.1

27
Q

The Threat Intelligence Upload API uses which technology to authenticate with Microsoft Entra ID?

A. Microsoft Azure managed identities
B. Multifactor authentication
C. OAuth 2.0 authentication

A

C
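Indicators in ThreatIntelligenceIndicator (card 25) are only useful once they are matched against event data such as the CEF events in CommonSecurityLog (card 20). The query below is an added example, not one of the original cards; it assumes a CEF source is connected and that at least one TAXII feed or Upload API client populates the indicator table.

```kql
// Added example, not from the original cards: match CEF destination IPs against active
// IP indicators. Lookback windows are illustrative choices.
let ti =
    ThreatIntelligenceIndicator
    | where TimeGenerated > ago(14d)
    | where Active == true and ExpirationDateTime > now()   // skip revoked and expired indicators
    | where isnotempty(NetworkIP)
    | summarize arg_max(TimeGenerated, *) by IndicatorId     // keep only the latest version of each indicator
    | project IndicatorId, NetworkIP, Description, ConfidenceScore, ThreatType;
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where isnotempty(DestinationIP)
| join kind=inner ti on $left.DestinationIP == $right.NetworkIP
| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction,
          SourceIP, DestinationIP, DestinationPort,
          IndicatorId, Description, ConfidenceScore, ThreatType
```

The arg_max step matters: the indicator table keeps every version of an indicator, so joining without it produces one match per version and inflates the hit count.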
28
Q

Which one of the following template rules is precreated in Microsoft Sentinel Analytics?

A. Scheduled template rules
B. Fusion
C. Machine Learning

A

B. Scheduled template rules are not precreated in Microsoft Sentinel Analytics; the Fusion rule is created and enabled by default.

29
Q

What actions can you perform on analytics rules?

A

Edit
Disable
Duplicate
Delete

30
Q

What is the most efficient way to edit an existing analytics rule?

A. Delete and recreate the alert with the new logic.
B. Duplicate the rule and modify it to achieve the necessary changes.
C. Create a new rule.

A

B

31
Q

Where do you access automation rules?

A

In the Automation blade of Microsoft Sentinel (which replaces the Playbooks blade), under the Automation rules tab. Playbooks are now managed in the same blade, under the Playbooks tab.
32
Q

Components of an automation rule

A

Trigger - automation rules are triggered by the creation of an incident (incident update and alert creation are also available triggers).
Conditions - built with AND/OR/NOT/CONTAINS operators.
Actions - change the incident status, change the severity, assign the incident, add a tag, run a playbook.
Expiration date - when the rule stops applying.
Order - the order in which automation rules run.

33
Q

An administrator needs to create a Microsoft Sentinel playbook. The administrator creates a logic app and starts the Logic Apps Designer. Which of the following connectors should the administrator use as the trigger for the playbook?

A. Office 365 connector
B. Microsoft Sentinel connector
C. Microsoft Entra connector

A

B. Microsoft Sentinel playbooks use the Microsoft Sentinel Logic Apps connector to trigger logic app actions.

34
Q

An administrator creates a new playbook to receive a notification each time a user is delegated the role of Global Administrator. Which connector should the administrator select in the logic app?

A. Microsoft Entra connector
B. Office 365 connector
C. Microsoft Sentinel connector

A

C. Microsoft Sentinel playbooks start with a trigger from the Microsoft Sentinel connector.

35
Q

What is dynamic content in a logic app?

A. A list of dynamically selected threats
B. A list of dynamic inputs for the current action
C. A list of dynamic users

A

B. Dynamic content displays any available outputs from the previous step, which you can use as inputs for the current action.

36
Q

An administrator wants to attach a playbook to an existing incident and starts to investigate the incident. Which option should the administrator select to attach the playbook?

A. New
B. Unassigned
C. Name of the incident

A

C. When you select the name of the incident, you can start the process to run a playbook on demand in response to an existing incident.
37
Q

Which Microsoft Sentinel component generates alerts?

A. Incidents
B. Analytics rules
C. Data connectors
D. Events

A

B. You configure analytics rules to generate alerts in Microsoft Sentinel.
38
Q

ARM

A

Azure Resource Manager. An ARM template is a JSON file used to deploy Azure resources.

39
Q

Incident evidence, events, alerts, bookmarks, incident entities

A

Incident evidence - security event information and related Microsoft Sentinel assets that identify threats in the Microsoft Sentinel environment.
Events - link you back to one or more specific events in the Log Analytics workspace associated with Microsoft Sentinel.
Alerts - the alerts grouped into the incident.
Bookmarks - you can preserve queries run in Log Analytics by choosing one or more events and designating them as bookmarks.
Incident entities - a network or user resource that is involved with an event.

40
Q

Classifications available when closing an incident in Sentinel (the incident status itself is New, Active or Closed)

A

True Positive - suspicious activity
Benign Positive - suspicious but expected
False Positive - incorrect alert logic
False Positive - inaccurate data
Undetermined

41
Q

To escalate an incident to the next-tier security team, which incident parameter should you change?

A. Severity
B. Owner
C. Status
D. Username

A

B

42
Q

What is an entity page?

A

From a search, an alert or an investigation, you can select an entity (currently limited to users and hosts) and be taken to its entity page, a datasheet full of useful information about that entity.
The left-side panel contains the entity's identifying information, collected from data sources such as Microsoft Entra ID and Azure Monitor.
The center panel shows a graphical and textual timeline of notable events related to the entity, such as alerts, bookmarks and activities.
The right-side panel presents behavioral insights on the entity.

43
Q

What are entities?

A. Data elements
B. Tables
C. Alerts

A

A

44
Q

In the timeline of the entity page, what type of item is an aggregation of notable events relating to the entity?

A. Alerts
B. Activities
C. Bookmarks

A

B

45
Q

When you're viewing the investigation graph, which option shows entity behavior information?

A. Entities
B. Timeline
C. Insights

A

C

46
Q

ASIM

A

The Advanced Security Information Model (ASIM) is a normalization layer that sits between the diverse data sources and the user. ASIM follows the robustness principle: "Be strict in what you send, be flexible in what you accept."

47
Q

Parser hierarchy

A

ASIM has two levels of parsers: unifying parsers and source-specific parsers. A unifying parser is named _Im_<Schema> for built-in parsers and im<Schema> for workspace-deployed parsers, where <Schema> is the specific schema it serves. Unifying parsers in turn call the source-specific parsers, which handle the details of each source.

48
Q

Available unifying parsers

A

Authentication - imAuthentication
DNS - _Im_Dns
File Event - imFileEvent
Network Session - _Im_NetworkSession
Process Event - imProcessCreate and imProcessTerminate
Registry Event - imRegistry
Web Session - _Im_WebSession
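The ASIM cards (46 to 48) describe the parser hierarchy; the query below is an added example, not one of the original cards, showing how a detection is written once against the DNS unifying parser rather than once per vendor table. It assumes at least one DNS source with an ASIM parser is connected; the NXDOMAIN threshold of 50 is an illustrative choice.

```kql
// Added example, not from the original cards: hosts producing many distinct NXDOMAIN
// answers in a day, a common sign of DGA or beaconing over DNS. Filtering parameters
// passed to _Im_Dns are pushed down into the source-specific parsers, so the filter
// runs before normalization instead of over the full normalized result.
_Im_Dns(starttime=ago(1d), endtime=now(), responsecodename="NXDOMAIN")
| summarize NxDomainCount = dcount(DnsQuery), SampleQueries = make_set(DnsQuery, 5)
    by SrcIpAddr, Dvc
| where NxDomainCount > 50                         // assumed threshold; tune to your baseline
| order by NxDomainCount desc
```

Because the query only references normalized fields (DnsQuery, SrcIpAddr, Dvc), adding a new DNS vendor means deploying its source-specific parser, not rewriting the rule.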
49
Q

Azure Monitor data collection: DCRs

A

Data collection rules (DCRs) provide an ETL-like pipeline in Azure Monitor, allowing you to define how data coming into Azure Monitor should be handled.

50
Q

Types of DCRs in Azure Monitor

A

Standard DCR - used with the workflows that send data to Azure Monitor; the workflows currently supported are the Azure Monitor agent and custom logs.
Workspace transformation DCR - used with a Log Analytics workspace to apply ingestion-time transformations to workflows that don't currently support DCRs.

51
Q

Azure Monitor transformations

A

Transformations in a data collection rule (DCR) let you filter or modify incoming data before it is stored in a Log Analytics workspace. A transformation is defined as a Kusto Query Language (KQL) statement that is applied individually to each entry in the data source. It must understand the format of the incoming data and produce output in the structure of the target table.
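The transformation statement in card 51 is ordinary KQL with the incoming data referred to as source. The block below is an added example, not one of the original cards: the value you would put in the transformKql property of a workspace transformation DCR attached to the Syslog table, to drop low-value rows before they are stored and billed. The process names and severities filtered are illustrative choices, and only the documented subset of KQL operators and functions is allowed inside a transformation, so check the supported list before going beyond where/extend/project.

```kql
// Added example, not from the original cards: transformKql for the Syslog table.
// "source" is the incoming data; output columns must exist in the target table.
source
| where SeverityLevel !in ("debug", "info")            // keep notice and above only
| where not(ProcessName in ("CRON", "systemd-logind"))  // assumed noisy processes
| where not(SyslogMessage has "health-check")           // assumed load-balancer probe text
```

Rows removed here never reach the workspace, so a filter that is too broad is a silent detection gap: test the statement as a normal query over existing Syslog data (replacing source with Syslog) and compare row counts before attaching it to the DCR.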