You have a Microsoft 365 E5 subscription.
You plan to deploy Microsoft Defender for Cloud Apps.
You need to create a policy that will implement data loss prevention (DLP).
Which two types of policies should you create? Each correct answer presents part of the solution.
Select all answers that apply.
access policy
app discovery policy
file policy
session policy
C & D
A File policy is used to scan and enforce DLP on files that are already stored in your cloud apps.
A Session policy is used for real-time monitoring and control of user activity within your cloud applications. It is particularly effective for preventing data exfiltration.
For true DLP, you need File policies to manage data at rest and Session policies to manage data in transit and control in-session activities.
NOT
App discovery policies are focused on Shadow IT management and visibility, not data protection.
Access policies are designed for access control and authentication management.
You have a Microsoft Sentinel workspace.
You need to create an analytics rule that will use entity mapping.
Which type of rule should you create?
Select only one answer.
anomaly
fusion
machine learning (ML) behavioral analytics
scheduled
D
Microsoft Sentinel includes 4 main types of analytical rules.
Scheduled
Near Real time NRT
Anomaly
Microsoft Security rules
Entity mapping - a feature in analytics rules that links data fields from a query to specific entity types, such as accounts, IP addresses, hosts, or files.
Will a parser work with a filter by time?
No
The query that uses the parser will apply the required time range.
You have a Microsoft Sentinel workspace.
You need to prevent a built-in Advanced Security Information Model (ASIM) parser from being updated automatically.
Which two actions can you perform? Each answer presents a complete solution.
Select all answers that apply.
Build a custom unifying parser and include the built-in parser version.
Create a hunting query and reference the built-in parser.
Create an analytics rule and include the built-in parser.
Redeploy the built-in parser and specify a CallerContext value of Any and a SourceSpecificParser value of Any.
Redeploy the built-in parser and specify a CallerContext value of Built-in.
A & D
By using a unifying parser, you can "lock in" the version.
Add a new record to the ASimDisabledParsers watchlist.
Define the CallerContext value as Exclude<parser>, where <parser> is the name of the unifying parser from which you want to exclude a source-specific parser.
Define the SourceSpecificParser value as Exclude<parser>, where <parser> is the name of the source-specific parser you want to exclude (without a version specifier).
Parser prefixes
ASim - source-specific parsers that do not accept filtering parameters (parameter-less parsers)
ASim - unifying parsers that do not accept filtering parameters
im - unifying parsers that accept filtering parameters
vim - source-specific parsers that accept filtering parameters
_Im - Microsoft's built-in unifying parsers. The leading underscore indicates that it is a system-provided function.
Where can you access DLP alerts?
Purview compliance portal & Defender portal
User1 leaves the company, and the user’s account is deleted.
You need to identify whether User1 downloaded files from Site1 during the 30 days before the account was deleted.
Which type of policy should you create?
a Microsoft Defender for Cloud Apps file policy
a Microsoft Defender for Office 365 alert policy
a Microsoft Purview insider risk management policy
a Microsoft Entra Governance access review
C
You can create an insider risk policy that triggers an alert if suspicious activity, such as mass file download, is detected up to 90 days before a user account is deleted.
Your company uses Microsoft Defender for Cloud.
During a 24-hour period, Defender for Cloud generates the following alerts:
12 low-severity alerts
Six medium-severity alerts
Three high-severity alerts
What is the maximum number of email notifications that Defender for Cloud will send during the 24 hours?
Select only one answer.
3
6
9
12
21
B
Default max notifications for Defender for Cloud:
High Severity - 1 per 6 hours
Medium Severity - 1 per 12 hours
Low severity - 1 per 24 hours
You have a Microsoft Sentinel workspace.
You need to investigate incidents by using the Microsoft Sentinel investigation graph.
What is the maximum age of the incidents that can be investigated by using the investigation graph?
Select only one answer.
7 days
14 days
30 days
90 days
C
30 days is the maximum within Sentinel.
Within an investigation graph, what is shown when you hover over an entity or VM?
If you hover over an Azure virtual machine, you get the list of processes running on that virtual machine.
Within a Sentinel workspace, from where do you test a playbook on an alert?
Incidents
You have an Azure subscription that contains a resource group named RG1 and a Microsoft Sentinel workspace.
In RG1, you create a playbook named Play1.
You need to ensure that the Azure Security Insights identity can run Play1. The solution must follow the principle of least privilege.
What should you do?
Select only one answer.
Delegate the Logic App Contributor role on Play1.
Delegate the Logic App Contributor role on RG1.
Delegate the Microsoft Sentinel Automation Contributor role on Play1.
Delegate the Microsoft Sentinel Automation Contributor role on RG1.
D
You must delegate Microsoft Sentinel Automation Contributor role to the Azure Security Insights identity on the resource group in which the playbook is deployed. If you delegate a role on the playbook itself or delegate the Logic App Contributor role, the playbook still cannot be selected in Microsoft Sentinel (it is unavailable).
Defender for Endpoint capabilities
Attack surface reduction - Provides rules that target certain software behaviors, such as launching executable files and scripts and running unsigned processes.
Block at first sight - A threat protection feature that detects new malware and blocks it within seconds.
Controlled folder access - Protects data by checking apps against a list of known and trusted apps.
Exploit protection - Helps protect against malware that uses exploits to infect devices and spread.
You have an Azure Storage account named storage1 that contains the following resources:
A blob container named container1
A file share named share1
A queue named queue1
A table named table1
You enable Microsoft Defender for Cloud for storage1.
Which resources will be protected?
Select only one answer.
container1 and share1 only
container1 only
container1, share1, and table1 only
container1, share1, queue1, and table1
share1 only
A
Defender for Cloud includes Microsoft Defender for Storage.
Defender for Storage continually analyzes the telemetry stream generated by the Azure Blob Storage and Azure Files services, but not by queues and tables.
You have the following cloud environments:
An Azure subscription that uses Microsoft Defender for Cloud
A Microsoft 365 tenant.
An Amazon Web Services (AWS) account
A Google Cloud Platform (GCP) project
You need to ensure that you can use Defender for Cloud to perform Cloud Security Posture Management (CSPM) for the environments.
Which environments will require that a connector be deployed?
AWS & GCP
What is required for a new Sentinel Workspace?
an Azure subscription, a Microsoft Entra tenant, and a Log Analytics workspace
Your on-premises network contains multiple devices that provide logs in Common Event Format (CEF).
You have an Azure subscription and a Microsoft Sentinel workspace named Workspace1.
You need to ingest the logs from the devices into Workspace1.
What should you do first?
Select only one answer.
Add the Security Events via Legacy Agent data connector in Microsoft Sentinel.
Add the Syslog data connector in Microsoft Sentinel.
Deploy a computer that runs Linux.
Deploy a server that runs Windows Server.
C
To ingest Syslog and CEF logs into Microsoft Sentinel, particularly from devices and appliances onto which you cannot install the Log Analytics agent directly, you must designate and configure a Linux machine that will collect the logs from your devices and forward them to your Microsoft Sentinel workspace. This machine can be a physical or a virtual machine in your on-premises environment, an Azure virtual machine, or a virtual machine in another cloud.
You have a Microsoft Sentinel workspace.
You plan to deploy a Syslog data connector in Microsoft Sentinel.
You download an agent to a computer that runs Linux.
You need to onboard the agent to Microsoft Sentinel.
Which information do you need?
Select only one answer.
the Azure subscription ID and the name of the Microsoft Sentinel workspace
the Azure subscription ID and the workspace primary key
the Microsoft Sentinel workspace ID and the workspace secondary key
the name of the Microsoft Sentinel workspace and the credentials of the user assigned the Microsoft Sentinel Reader role
C
During installation of the agent, you must provide the workspace ID and either the primary or the secondary key of the workspace.
Key Properties for Microsoft Defender XDR Custom Detection Rules
All custom detection rules require a Timestamp and a unique event identifier.
Timestamp (or TimeGenerated) - Sets the time of the alert. Actions: N/A (the rule won't save without it)
ReportId - Unique ID for the specific event record. Actions: links back to the raw event data
DeviceId - Unique ID for the impacted device. Actions: isolate device, run antivirus scan
AccountUpn - User principal name (UPN). Actions: mark user as compromised, disable user
AccountObjectId - Microsoft Entra object ID. Actions: mark user as compromised, disable user
AccountSid - Account security identifier. Actions: mark user as compromised, disable user
RecipientEmailAddress - Email address of the recipient. Actions: soft delete email, move to junk
NetworkMessageId - Unique ID for the email message. Actions: soft delete email, move to junk
SenderFromAddress - The sender's email address. Actions: soft delete email, move to junk
What can you start a livestream from?
a hunting query
You have a Microsoft Sentinel workspace that has the following data connectors configured:
SigninLogs
AuditLogs
SecurityAlerts
You need to create a query that will look for an IP address across the three configured data tables and return the matching rows.
Which operator should you use?
Select only one answer.
extend
join
lookup
union
D
The union operator takes two or more tables and returns the rows from all of them.
The join operator merges the rows of two tables to form a new table by matching the specified columns’ values from each table.
The extend operator creates calculated columns and appends the new columns to the result set.
The lookup operator extends the columns of a fact table with looked-up values from a dimension table.
You have a Microsoft Sentinel workspace.
You plan to add a workbook to Microsoft Sentinel.
You create a workbook query.
You need to display the query results in a time chart.
Which keyword should you include in the query?
Select only one answer.
extend
project
render
summarize
D
In KQL, the render keyword renders results as graphical output.
Workbook templates
Security Operations Efficiency - Tracks key performance indicators (KPIs) related to your SOC team's performance, such as incident metrics, time to triage, and mean time to resolution (MTTR). Used to measure and improve SOC effectiveness. EX: MTTR down 15% this quarter
Data collection health monitoring - Monitors the health and status of data connectors and log ingestion within Microsoft Sentinel to ensure that all expected logs are being ingested correctly and on time. EX: a new data source fails to show data
Identity & Access - Provides visibility into user sign-ins, identity-related threats, and access patterns. EX: investigate a cluster of failed sign-in attempts
Incident Overview - Offers a high-level summary and detailed view of all active and past incidents. EX: a tier 1 analyst's daily starting point (assigned and unassigned incidents)
Azure Activity - Visualizes all subscription-level resource creation and management events (control plane logs). EX: a suspicious resource deployment
Azure Security Benchmark - Maps ingested data against the controls and recommendations defined in the Azure Security Benchmark (ASB). EX: show compliance posture evidence