SC-200 Flashcards

(124 cards)

1
What is exposure management?
Risk-based approach showing attack paths + priority mitigation
2
What roles control Sentinel access?
Reader, Contributor, Responder, Automation Contributor, and RBAC roles
3
What to consider when planning log retention?
Tiering, cost, compliance, searchable archives
4
What is a data connector?
Method to ingest security data into Sentinel
5
Where are connectors installed?
Microsoft Sentinel Content Hub
6
Difference between syslog and CEF?
Syslog is raw data; CEF is a normalized, enriched format
7
What service collects syslog/CEF events?
Azure Monitor Agent (AMA)
8
What do DCRs do?
Define which events are collected and where they go
9
What is WEF used for?
Forwarding Windows event logs from endpoints to a collector
10
Why create custom log tables?
To ingest custom JSON/CSV/text logs
11
How to monitor ingestion health?
Connector pages, errors, and ingestion status queries
12
What policies does Defender for Cloud Apps support?
Activity, anomaly, session, OAuth governance policies
13
What protections does MDO provide?
Safe Links, Safe Attachments, anti-phishing, impersonation protection
14
What are ASR rules used for?
Blocking risky behaviors used by malware
15
Where to configure ASR rules?
Intune, GPO, or Defender portal
16
What are cloud workload protections?
Threat detection, recommendations, and security posture for cloud resources
17
What is a custom detection rule?
A rule based on advanced hunting queries that triggers alerts
18
What is alert suppression?
Hiding repetitive alerts based on criteria
19
What is alert correlation?
Combining related alerts into a unified incident
20
What are deception rules?
Decoys used to detect lateral movement
21
What are Sentinel analytics rules?
Rules that detect threats using KQL and create incidents
22
What are entity-based rules?
Rules that enrich with users, devices, and IPs
23
What are ASIM parsers?
Functions that normalize logs into consistent schemas
24
Why use ASIM?
For normalized queries and cross-source compatibility
What is behavioral analytics?
ML-based anomaly and risk detection
26
What does Defender XDR allow during incident response?
Investigate alerts, isolate devices, disable accounts, remediate threats
27
What does automatic attack disruption do during incidents?
Auto-contains attacker-controlled assets
28
What products feed incidents into XDR?
MDE, MDO, MDI, Entra ID, Cloud Apps
29
What is the MDE device timeline?
Chronological view of device activity
30
What is live response?
Remote shell for investigation and remediation
31
What is an investigation package?
Forensic evidence bundle from a device
32
What is a unified audit log?
A log of Microsoft 365 activities for investigation
33
What is content search?
Search tool for mail, Teams, and files
34
What are Graph activity logs?
API-level audit logs for advanced queries
35
What is a Sentinel incident?
A correlated group of alerts and evidence
36
What are automation rules?
Rules that automate triage tasks
37
What are playbooks?
Logic Apps workflows triggered for response
38
How to run playbooks on-prem?
On-premises data gateway
39
What is a promptbook?
A reusable structured prompt sequence
40
What are plugins in security copilot?
Integrations pulling context from Defender, Sentinel, etc.
41
What is an SCU?
Security Compute Unit: the cost unit for Copilot workloads
42
Do E5 customers get SCUs?
Yes, 400 SCUs per 1000 users monthly
43
What language is used for Defender XDR hunting?
Kusto Query Language (KQL)
44
What is threat analytics?
Reports on emerging threats and mitigation
45
What are custom hunting queries for?
Proactive threat searches
46
What is MITRE ATT&CK used for?
Evaluating detection/hunting coverage
47
What are threat indicators?
IOCs like IPs, domains, and hashes
48
What is a hunting query?
A KQL query to search for suspicious patterns
49
What are hunting bookmarks?
Saved hunting results for later investigation
50
What is archived log data for?
Low-cost, long-term storage for search jobs
51
What is a search job?
A job scanning archived logs
52
What is a Sentinel workbook?
Customizable dashboard for KQL visualization
53
What can workbooks include?
Charts, tables, text, parameters
54
Why use workbook parameters?
To change filters and views dynamically
55
What does automatic attack disruption do in Microsoft Defender XDR?
Automatically identifies and contains compromised assets during active attacks to limit lateral movement and reduce impact
56
Where to view and manage attack disruption containment actions?
Incident page and the action center in Defender XDR
57
What signals does attack disruption rely on?
Correlated signals across endpoints, identities, emails and cloud apps
58
What do alert notification rules configure?
Severity, recipients, and event types for alert notifications
59
What is EDR in block mode?
DFE capability that blocks malicious artifacts even when a third-party AV is the primary solution
60
What is the action center used for?
Viewing, approving, undoing and tracking remediation actions
61
What are the AIR automation levels?
Full, semi, and disabled; determines how remediation actions execute (full is recommended)
62
When is semi-automation useful?
When analysts must approve remediation actions before execution
63
What is a device group?
Logical grouping of devices used to apply remediation levels, RBAC scopes, and automation settings
64
What attributes define device group membership?
Device name, domain, OS, device tags
65
What happens when a device matches no group?
Placed in ungrouped devices, which cannot be deleted or rank-changed
66
Why configure device groups before AIR?
Automation levels apply per group, ensuring correct remediation segmentation
67
What is device discovery?
Automated detection of unmanaged devices via network signals
68
What is defender vulnerability management used for?
Identifying and prioritizing remediation for vulnerabilities
69
What are the capabilities of Microsoft Defender for Endpoint?
Behavioral sensors, cloud security analytics, threat intelligence, threat and vulnerability management, attack surface reduction, next-gen protection, endpoint detection and response, automated investigation and remediation, Secure Score, threat experts
70
How to set up an admin role?
Defender - permissions - roles - add role name and the necessary permissions
71
Onboarding devices
Defender - endpoints - onboarding (or automatically enroll through Intune if they have a license)
73
Device onboarding within DFE
Defender - settings - endpoints - advanced - Microsoft Intune connection - then - Intune - set up - adjust DFE as needed
74
How to make a new device group
Azure - Groups - New Group - (select type, name, membership type, add users) THEN Defender - settings - endpoints - device groups - add device group
75
What is Microsoft Defender Vulnerability Management?
Helps to identify devices at risk (Defender - endpoints - vulnerability management - baseline assessment)
76
What is Defender for Cloud?
Holds DevSecOps (development security operations), provides security measures and practices, CSPM (cloud security posture management), CWPP (cloud workload protection platform)
77
What are playbooks used for?
To automate and orchestrate; connectors can be used here (like SNOW, i.e. ServiceNow)
78
What does Sentinel use for storage?
Log Analytics workspaces
79
Security Reader (DFC)
View alerts and recommendations
80
Security Admin (DFC)
Edit, sign, dismiss, view
81
What is Cloud Workload Protection (CWPP) and what plans are available for it?
Servers, storage, containers, APIs
82
What are alert policies used for?
Creating custom detections and alerts
83
What are custom network indicators?
Custom added URLs and domains to block
84
What's Defender for Servers?
Provides threat detection and advanced defense for Windows and Linux machines (Azure, AWS, GCP, on-prem)
85
In what rules is entity mapping available?
Scheduled and NRT
86
How are entities mapped and identified?
Through entity mapping configured in analytic rules
87
What is UEBA?
Behavioral analytics and entity classification
88
What are analytic rules used for?
Detect threats and anomalies
89
Analytic rule - scheduled query
Uses KQL to query at intervals
90
Analytic rule - Fusion
Machine learning to correlate and merge low alerts into high
91
Analytic rule - ML behavior
Machine learning algorithm to identify behavior
92
Analytic rule- near-real-time
Detect threats and generate alerts rapidly
93
What are response automations?
Playbooks powered by Azure Logic Apps
94
Where to manage analytics rules?
Defender - config - analytics
95
What is ASIM and what does it do?
Advanced Security Information Model; converts unique telemetry data gathered by Sentinel into user-friendly data
96
What are time parsers?
Maintain data format but can slow down data
97
What is an attack story?
Gives an idea of what's happening in the environment
98
Where are unified audit logs found?
Microsoft 365, Purview
99
Where is content search found?
Purview
100
What are Graph activity logs?
Lets all resources connect within Entra ID; audit trail to and from Azure
101
Where to implement DLP rules?
Purview, solutions, data loss
102
Where to investigate insider risk policy alerts?
Purview, roles and scopes
103
What do automation rules do?
Automatic response to alerts, trigger actions, run playbooks, suppress noise, etc.
104
What are playbooks?
Automated workflows built with Logic Apps
105
When to use automation vs. playbooks?
When something should happen, performing actions and complex workflow
106
What's held in Defender XDR? (3)
Endpoint, identity, cloud apps
107
What type of device does device events not monitor?
Android devices
108
How do you make queries run automatically?
Add query as favorite
109
Where can you export cloud data?
Event hub and log analytics
110
Entity mapping is a ... rule
Scheduled
111
What is a parser?
Tools or software that process or analyze data from logs to provide insight
112
What agent to install on VMs to monitor servers in DFC?
Azure Connected Machine agent
113
What can Defender for Cloud protect? (3)
VMs, storage accounts, App Service web apps
114
A ... machine is needed to collect logs in order to ingest syslog and CEF
Linux
115
What do you need to onboard an agent to Sentinel?
Workspace ID and workspace secondary key
116
Where to review DLP rules? (2)
Purview and defender
117
What is live response for?
Remote connect for tests
119
What do purview audit logs show?
User and app activity
120
Where do you configure security policies for DFC?
Azure
121
What should you configure to identify virtual machines that are missing updates?
Data collection
122
What is required to create a Sentinel workspace?
Azure subscription, Entra tenant, Log Analytics workspace
123
What data sources support UEBA?
Azure activity and security events
124
What resources are protected in Microsoft defender for cloud?
Container and file share