
Microsoft Sentinel

171 questions

1.1
DRAG DROP You are investigating an incident by using Microsoft 365 Defender. You need to create an advanced hunting query to count failed sign-in authentications on three devices named CFOLaptop, CEOLaptop, and COOLaptop. How should you complete the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Select and Place:
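One way to write the query this question describes, added here as an example; it is not part of the question or its answer key. It assumes the three devices are onboarded to Microsoft Defender for Endpoint, so their logon attempts land in DeviceLogonEvents, and it uses a 7-day window because the question does not give one.

```kql
// Added example: count failed logons on three named devices.
// DeviceName is normally stored as an FQDN (e.g. cfolaptop.contoso.com), so has_any,
// which does case-insensitive whole-term matching, is safer than an exact match with in~.
DeviceLogonEvents
| where Timestamp > ago(7d)                      // assumption: time filter first narrows the scan early
| where DeviceName has_any ("CFOLaptop", "CEOLaptop", "COOLaptop")
| where ActionType == "LogonFailed"
| summarize
    FailedLogons = count(),
    FirstFailure = min(Timestamp),
    LastFailure  = max(Timestamp),
    Accounts     = make_set(AccountName, 20)    // cap the set so one noisy device cannot bloat the row
    by DeviceName
| order by FailedLogons desc
```

Keeping the time filter before the device filter matters in advanced hunting: the query is scanned against the whole tenant's events, and narrowing by Timestamp first is the cheapest cut.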
2.3
You have a Microsoft 365 subscription that uses Microsoft Defender for Office 365. You have Microsoft SharePoint Online sites that contain sensitive documents. The documents contain customer account numbers that each consists of 32 alphanumeric characters. You need to create a data loss prevention (DLP) policy to protect the sensitive documents. What should you use to detect which documents are sensitive?
A. SharePoint search
B. a hunting query in Microsoft 365 Defender
C. Azure Information Protection
D. RegEx pattern matching
3.7
HOTSPOT You have a Microsoft 365 E5 subscription. You plan to perform cross-domain investigations by using Microsoft 365 Defender. You need to create an advanced hunting query to identify devices affected by a malicious email attachment. How should you complete the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
4.8
You have the following advanced hunting query in Microsoft 365 Defender. You need to receive an alert when any process disables System Restore on a device managed by Microsoft Defender during the last 24 hours. Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
A. Create a detection rule.
B. Create a suppression rule.
C. Add | order by Timestamp to the query.
D. Replace DeviceProcessEvents with DeviceNetworkEvents.
E. Add DeviceId and ReportId to the output of the query.
5.14
HOTSPOT You are informed of an increase in malicious email being received by users. You need to create an advanced hunting query in Microsoft 365 Defender to identify whether the accounts of the email recipients were compromised. The query must return the most recent 20 sign-ins performed by the recipients within an hour of receiving the known malicious email. How should you complete the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
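A query that does what this question asks, added as an example and not taken from the question's answer key. The malicious email is identified by its sender address, which is an assumption (an investigation might instead pivot on NetworkMessageId); the sign-in side uses IdentityLogonEvents, and the 7-day lookback is likewise assumed.

```kql
// Added example: for each recipient of a known-malicious message, pull sign-ins that occurred
// within one hour after delivery, then keep the 20 most recent.
let lookback = 7d;
let malicious_sender = "attacker@example.com";   // assumption: the sender identified during triage
EmailEvents
| where Timestamp > ago(lookback)
| where SenderFromAddress =~ malicious_sender
| where DeliveryAction == "Delivered"           // only messages that actually reached a mailbox
| project EmailTime = Timestamp, Recipient = tolower(RecipientEmailAddress), NetworkMessageId
| join kind=inner (
    IdentityLogonEvents
    | where Timestamp > ago(lookback)
    | where isnotempty(AccountUpn)
    | project LogonTime = Timestamp, Upn = tolower(AccountUpn), ActionType, LogonType, Application, IPAddress, Location
  ) on $left.Recipient == $right.Upn            // join is case-sensitive, hence tolower on both sides
| where LogonTime between (EmailTime .. (EmailTime + 1h))
| project LogonTime, Upn, ActionType, LogonType, Application, IPAddress, Location, EmailTime, NetworkMessageId
| top 20 by LogonTime desc
```

Failed and successful sign-ins are both kept on purpose: a burst of failures followed by a success from a new IP within the hour is the pattern that indicates the recipient acted on the message.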
6.17
HOTSPOT You have a Microsoft 365 E5 subscription that uses Microsoft Defender and an Azure subscription that uses Azure Sentinel. You need to identify all the devices that contain files in emails sent by a known malicious email sender. The query will be based on the match of the SHA256 hash. How should you complete the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
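For this question and question 3.7 above (devices affected by a malicious email attachment), one query serves both: it links the email side to the endpoint side on the attachment's SHA256. This is an added example, not the answer key; the sender address and the 7-day window are assumptions.

```kql
// Added example: devices on which a file from a malicious sender's email was written to disk.
// EmailAttachmentInfo carries the attachment hash; DeviceFileEvents carries the on-disk hash.
let lookback = 7d;
let malicious_sender = "attacker@example.com";   // assumption: the known sender from the investigation
EmailAttachmentInfo
| where Timestamp > ago(lookback)                // filter the smaller, time-bounded side first
| where SenderFromAddress =~ malicious_sender
| where isnotempty(SHA256)
| project EmailTimestamp = Timestamp, NetworkMessageId, RecipientEmailAddress, FileName, SHA256
| join kind=inner (
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where isnotempty(SHA256)
    | project FileTimestamp = Timestamp, DeviceId, DeviceName, FolderPath, SHA256, ActionType
  ) on SHA256
| where FileTimestamp >= EmailTimestamp         // the file appeared after the message was received
| summarize
    FirstSeen  = min(FileTimestamp),
    Recipients = make_set(RecipientEmailAddress, 20),
    Files      = make_set(FileName, 20),
    Paths      = make_set(FolderPath, 20)
    by DeviceId, DeviceName, SHA256
| order by FirstSeen asc
```

In Microsoft Sentinel, with the Microsoft 365 Defender connector enabled, the same two tables are available and the query is identical except that the time column is TimeGenerated instead of Timestamp. Matching on SHA256 rather than FileName is the point: a renamed attachment still matches, and a same-named benign file does not.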
7.25
You have a third-party security information and event management (SIEM) solution. You need to ensure that the SIEM solution can generate alerts for Azure Active Directory (Azure AD) sign-in events in
A. Create an Azure Sentinel workspace that has a Security Events connector.
B. Configure the Diagnostics settings in Azure AD to stream to an event hub.
C. Create an Azure Sentinel workspace that has an Azure Active Directory connector.
D. Configure the Diagnostics settings in Azure AD to archive to a storage account.
8.30
You have a Microsoft 365 subscription that has Microsoft 365 Defender enabled. You need to identify all the changes made to sensitivity labels during the past seven days. What should you use?
A. the Incidents blade of the Microsoft 365 Defender portal
B. the Alerts settings on the Data Loss Prevention blade of the Microsoft 365 compliance center
C. Activity explorer in the Microsoft 365 compliance center
D. the Explorer settings on the Email & collaboration blade of the Microsoft 365 Defender portal
9.31
You have a Microsoft 365 subscription that uses Microsoft 365 Defender. You need to identify all the entities affected by an incident. Which tab should you use in the Microsoft 365 Defender portal?
A. Investigations
B. Devices
C. Evidence and Response
D. Alerts
10.34
You have a Microsoft 365 subscription that uses Microsoft 365 Defender. You plan to create a hunting query from Microsoft Defender. You need to create a custom tracked query that will be used to assess the threat status of the subscription. From the Microsoft 365 Defender portal, which page should you use to create the query?
A. Threat analytics
B. Advanced Hunting
C. Explorer
D. Policies & rules
11.38
HOTSPOT You have a Microsoft 365 E5 subscription. You need to create a hunting query that will return every email that contains an attachment named Document.pdf. The query must meet the following requirements: • Only show emails sent during the last hour. • Optimize query performance. How should you complete the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
12.41
You have a Microsoft 365 E5 subscription that uses Microsoft 365 Defender. You need to review new attack techniques discovered by Microsoft and identify vulnerable resources in the subscription. The solution must minimize administrative effort. Which blade should you use in the Microsoft 365 Defender portal?
A. Advanced hunting
B. Threat analytics
C. Incidents & alerts
D. Learning hub
13.43
HOTSPOT You have a Microsoft 365 E5 subscription that uses Microsoft 365 Defender. Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with Azure AD. You need to identify the 100 most recent sign-in attempts recorded on devices and AD DS domain controllers.
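An added example of the query this question asks for (not its answer key). Device logons come from Defender for Endpoint (DeviceLogonEvents) and domain-controller logons from Defender for Identity (IdentityLogonEvents); the 1-day window is an assumption, and the two tables are projected to a common column set so the union is readable.

```kql
// Added example: the 100 most recent sign-in attempts across endpoints and domain controllers.
union
  (DeviceLogonEvents
   | where Timestamp > ago(1d)
   | project Timestamp, Source = "Device", Target = DeviceName,
             AccountName, AccountDomain, ActionType, LogonType, RemoteIP),
  (IdentityLogonEvents
   | where Timestamp > ago(1d)
   | project Timestamp, Source = "DomainController", Target = DeviceName,
             AccountName, AccountDomain, ActionType, LogonType, RemoteIP = IPAddress)
| top 100 by Timestamp desc
```

Without the projections a plain union still works (union fills missing columns with empty values), but the result then carries every column of both tables, which is slow to scan and hard to read in the portal.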
14.44
HOTSPOT You have a Microsoft 365 E5 subscription that uses Microsoft 365 Defender. Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with Azure AD. You need to identify LDAP requests by AD DS users to enumerate AD DS objects.
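An added example for this question (not its answer key). Defender for Identity records directory queries observed on domain controllers in IdentityQueryEvents; the threshold and the 1-day window are assumptions to be tuned against the environment's baseline.

```kql
// Added example: LDAP queries issued by AD DS users, surfaced through Defender for Identity.
// Many distinct LDAP queries from one account in a short window is a common enumeration signal
// (collectors such as SharpHound pull group membership, SPNs and ACLs in bulk).
IdentityQueryEvents
| where Timestamp > ago(1d)
| where Protocol =~ "Ldap"
| where ActionType =~ "LDAP query"
| summarize
    QueryCount      = count(),
    DistinctQueries = dcount(Query),
    SampleQueries   = make_set(Query, 10),
    Targets         = make_set(DestinationDeviceName, 10)
    by AccountUpn, DeviceName, bin(Timestamp, 1h)
| where DistinctQueries > 20          // assumption: threshold; raise it if admin tooling is noisy
| order by DistinctQueries desc
```

Bucketing by bin(Timestamp, 1h) is what turns "a lot of LDAP" into "a lot of LDAP quickly"; drop the bin to see per-account totals over the whole day instead.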
15.46
HOTSPOT You have a custom detection rule that includes the following KQL query. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
16.49
HOTSPOT Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with Azure AD. You have a Microsoft 365 E5 subscription that uses Microsoft 365 Defender.
17.50
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint. You need to identify any devices that triggered a malware alert and collect evidence related to the alert. The solution must ensure that you can use the results to initiate device isolation for the affected devices. What should you use in the Microsoft 365 Defender portal?
A. incidents
B. Remediation
C. Investigations
D. Advanced hunting
18.53
You have a Microsoft 365 subscription that uses Microsoft Purview and Microsoft Teams. You have a team named Team1 that has a project named Project1. You need to identify any Project1 files that were stored on the team site of Team1 between February 1, 2023, and February 10, 2023. Which KQL query should you run?
A. (c:c)(Project1)(date=(2023-02-01)..date=(2023-02-10))
B. AuditLogs | where Timestamp between (datetime(2023-02-01)..datetime(2023-02-10)) | where FileName contains "Project1"
C. Project1(c:c)(date=2023-02-01..2023-02-10)
D. AuditLogs | where Timestamp > ago(10d) | where FileName contains "Project1"
19.56
HOTSPOT You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint. You need to create a detection rule that meets the following requirements: • Is triggered when a device that has critical software vulnerabilities was active during the last hour • Limits the number of duplicate results How should you complete the KQL query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
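An added example of a query shaped for this requirement (not the question's answer key). Two facts drive its shape: a custom detection rule must return Timestamp, DeviceId and ReportId, and DeviceTvmSoftwareVulnerabilities has no Timestamp of its own and one row per CVE per device, so "active in the last hour" has to come from DeviceInfo and the rows have to be collapsed per device or the rule fires once per CVE.

```kql
// Added example: devices with at least one Critical vulnerability that reported in during the last
// hour, one row per device, with the columns a custom detection rule requires.
DeviceInfo
| where Timestamp > ago(1h)
| summarize arg_max(Timestamp, ReportId) by DeviceId      // latest heartbeat per active device
| join kind=inner (
    DeviceTvmSoftwareVulnerabilities
    | where VulnerabilitySeverityLevel == "Critical"
    | summarize
        CriticalCves = make_set(CveId, 50),
        CveCount     = dcount(CveId),
        Software     = make_set(strcat(SoftwareVendor, "/", SoftwareName), 20)
        by DeviceId, DeviceName
  ) on DeviceId
| project Timestamp, DeviceId, DeviceName, ReportId, CveCount, CriticalCves, Software
```

The summarize inside the join is the duplicate limiter: it reduces the vulnerability table to one row per device before the join, so the output has one row per device and the detection rule raises one alert per device rather than one per CVE.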
20.129
DRAG DROP You plan to connect an external solution that will send Common Event Format (CEF) messages to Azure Sentinel. You need to deploy the log forwarder. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Select and Place:
21.130
HOTSPOT From Azure Sentinel, you open the Investigation pane for a high-severity incident as shown in the following exhibit. Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point. Hot Area:
22.131
DRAG DROP You have an Azure Sentinel deployment. You need to query for all suspicious credential access activities. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Select and Place:
23.133
Your company uses Azure Sentinel to manage alerts from more than 10,000 IoT devices. A security manager at the company reports that tracking security threats is increasingly difficult due to the large number of incidents. You need to recommend a solution to provide a custom visualization to simplify the investigation of threats and to infer threats by using machine learning. What should you include in the recommendation?
A. built-in queries
B. livestream
C. notebooks
D. bookmarks
24.134
You have a playbook in Azure Sentinel. When you trigger the playbook, it sends an email to a distribution group. You need to modify the playbook to send the email to the owner of the resource instead of the distribution group. What should you do?
A. Add a parameter and modify the trigger.
B. Add a custom data connector and modify the trigger.
C. Add a condition and modify the action.
D. Add an alert and modify the action.
25.135
You provision Azure Sentinel for a new Azure subscription. You are configuring the Security Events connector. While creating a new rule from a template in the connector, you decide to generate a new alert for every event. You create the following rule query. By which two components can you group alerts into incidents? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.
A. user
B. resource group
C. IP address
D. computer
26.136
Your company stores the data of every project in a different Azure subscription. All the subscriptions use the same Azure Active Directory (Azure AD) tenant.
A. Add the Security Events connector to the Azure Sentinel workspace.
B. Create a query that uses the workspace expression and the union operator.
C. Use the alias statement.
D. Create a query that uses the resource expression and the alias operator.
E. Add the Azure Sentinel solution to each workspace.
27.137
You have an Azure Sentinel workspace. You need to test a playbook manually in the Azure portal. From where can you run the test in Azure Sentinel?
A. Playbooks
B. Analytics
C. Threat intelligence
D. Incidents
28.138
You have a custom analytics rule to detect threats in Azure Sentinel. You discover that the analytics rule stopped running. The rule was disabled, and the rule name has a prefix of AUTO DISABLED. What is a possible cause of the issue?
A. There are connectivity issues between the data sources and Log Analytics.
B. The number of alerts exceeded 10,000 within two minutes.
C. The rule query takes too long to run and times out.
D. Permissions to one of the data sources of the rule query were modified.
29.140
You recently deployed Azure Sentinel. You discover that the default Fusion rule does not generate any alerts. You verify that the rule is enabled. You need to ensure that the Fusion rule can generate alerts. What should you do?
A. Disable, and then enable the rule.
B. Add data connectors
C. Create a new machine learning analytics rule.
D. Add a hunting bookmark.
30.141
DRAG DROP Your company deploys Azure Sentinel. You plan to delegate the administration of Azure Sentinel to various groups. You need to delegate the following tasks: ✑ Create and run playbooks ✑ Create workbooks and analytic rules. The solution must use the principle of least privilege. Which role should you assign for each task? To answer, drag the appropriate roles to the correct tasks. Each role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point. Select and Place:
31.142
A company uses Azure Sentinel. You need to create an automated threat response. What should you use?
A. a data connector
B. a playbook
C. a workbook
D. a Microsoft incident creation rule
32.143
HOTSPOT You use Azure Sentinel to monitor irregular Azure activity. You create custom analytics rules to detect threats as shown in the following exhibit. You do NOT define any incident settings as part of the rule definition. Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point. Hot Area:
33.144
You have an Azure Sentinel deployment in the East US Azure region. You create a Log Analytics workspace named LogsWest in the West US Azure region. You need to ensure that you can use scheduled analytics rules in the existing Azure Sentinel deployment to generate alerts based on queries to LogsWest. What should you do first?
A. Deploy Azure Data Catalog to the West US Azure region.
B. Modify the workspace settings of the existing Azure Sentinel deployment.
C. Add Azure Sentinel to a workspace.
D. Create a data connector in Azure Sentinel.
34.145
You create a custom analytics rule to detect threats in Azure Sentinel. You discover that the rule fails intermittently. What are two possible causes of the failures? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
A. The rule query takes too long to run and times out.
B. The target workspace was deleted.
C. Permissions to the data sources of the rule query were modified.
D. There are connectivity issues between the data sources and Log Analytics
35.146
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You are configuring Azure Sentinel. You need to create an incident in Azure Sentinel when a sign-in to an Azure virtual machine from a malicious IP address is detected. Solution: You create a scheduled query rule for a data connector. Does this meet the goal?
A. Yes
B. No
36.147
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You are configuring Azure Sentinel. You need to create an incident in Azure Sentinel when a sign-in to an Azure virtual machine from a malicious IP address is detected. Solution: You create a hunting bookmark. Does this meet the goal?
A. Yes
B. No
37.148
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You are configuring Azure Sentinel. You need to create an incident in Azure Sentinel when a sign-in to an Azure virtual machine from a malicious IP address is detected. Solution: You create a Microsoft incident creation rule for a data connector. Does this meet the goal?
A. Yes
B. No
38.149
You plan to create a custom Azure Sentinel query that will track anomalous Azure Active Directory (Azure AD) sign-in activity and present the activity as a time chart aggregated by day.
A. extend
B. bin
C. makeset
D. workspace
39.150
You are configuring Azure Sentinel. You need to send a Microsoft Teams message to a channel whenever a sign-in from a suspicious IP address is detected. Which two actions should you perform in Azure Sentinel? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
A. Add a playbook.
B. Associate a playbook to an incident.
C. Enable Entity behavior analytics.
D. Create a workbook.
E. Enable the Fusion rule.
40.151
You need to visualize Azure Sentinel data and enrich the data by using third-party data sources to identify indicators of compromise (IoC). What should you use?
A. notebooks in Azure Sentinel
B. Microsoft Cloud App Security
C. Azure Monitor
D. hunting queries in Azure Sentinel
41.153
You use Azure Sentinel. You need to receive an alert in near real-time whenever Azure Storage account keys are enumerated. Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
A. Create a livestream
B. Add a data connector
C. Create an analytics rule
D. Create a hunting query.
E. Create a bookmark.
42.154
HOTSPOT You deploy Azure Sentinel. You need to implement connectors in Azure Sentinel to monitor Microsoft Teams and Linux virtual machines in Azure. The solution must minimize administrative effort. Which data connector type should you use for each workload? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
43.155
You are investigating an incident in Azure Sentinel that contains more than 127 alerts. You discover eight alerts in the incident that require further investigation. You need to escalate the alerts to another Azure Sentinel administrator. What should you do to provide the alerts to the administrator?
A. Create a Microsoft incident creation rule
B. Share the incident URL
C. Create a scheduled query rule
D. Assign the incident
44.156
You are configuring Azure Sentinel. You need to send a Microsoft Teams message to a channel whenever an incident representing a sign-in risk event is activated in Azure Sentinel. Which two actions should you perform in Azure Sentinel? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
A. Enable Entity behavior analytics.
B. Associate a playbook to the analytics rule that triggered the incident.
C. Enable the Fusion rule.
D. Add a playbook.
E. Create a workbook.
45.157
DRAG DROP You need to use an Azure Sentinel analytics rule to search for specific criteria in Amazon Web Services (AWS) logs and to generate incidents. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Select and Place:
46.158
You have the following environment: ✑ Azure Sentinel ✑ A Microsoft 365 subscription ✑ Microsoft Defender for Identity ✑ An Azure Active Directory (Azure AD) tenant
A. Configure the Advanced Audit Policy Configuration settings for the domain controllers.
B. Modify the permissions of the Domain Controllers organizational unit (OU).
C. Configure auditing in the Microsoft 365 compliance center.
D. Configure Windows Event Forwarding on the domain controllers.
47.160
You create a hunting query in Azure Sentinel. You need to receive a notification in the Azure portal as soon as the hunting query detects a match on the query. The solution must minimize effort. What should you use?
A. a playbook
B. a notebook
C. a livestream
D. a bookmark
48.162
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You are configuring Azure Sentinel. You need to create an incident in Azure Sentinel when a sign-in to an Azure virtual machine from a malicious IP address is detected. Solution: You create a livestream from a query. Does this meet the goal?
A. Yes
B. No
49.163
HOTSPOT You need to create a query for a workbook. The query must meet the following requirements: ✑ List all incidents by incident number. ✑ Only include the most recent log for each incident. How should you complete the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
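An added example of a workbook query meeting these two requirements (not the question's answer key). It relies on one property of the SecurityIncident table: every update to an incident (assignment, status change, comment) appends a new row, so the table holds the incident's history rather than its current state. The 30-day window is an assumption.

```kql
// Added example: current state of every incident, one row each, ordered by incident number.
// arg_max keeps, per IncidentNumber, the row with the newest TimeGenerated and all of its columns.
SecurityIncident
| where TimeGenerated > ago(30d)
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| project IncidentNumber, Title, Severity, Status, Classification,
          Owner = tostring(Owner.assignedTo), CreatedTime, LastModifiedTime
| order by IncidentNumber asc
```

A plain `distinct IncidentNumber` would satisfy "list by number" but lose every other column; `arg_max(TimeGenerated, *)` is what gives you the latest Status and Owner alongside it, which is what a triage grid in a workbook needs.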
50.165
You have an Azure subscription that uses Microsoft Sentinel. You need to minimize the administrative effort required to respond to the incidents and remediate the security threats detected by Microsoft Sentinel. Which two features should you use? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
A. Microsoft Sentinel bookmarks
B. Azure Automation runbooks
C. Microsoft Sentinel automation rules
D. Microsoft Sentinel playbooks
E. Azure Functions apps
51.166
You have a Microsoft Sentinel workspace named workspace1 that contains custom Kusto queries. You need to create a Python-based Jupyter notebook that will create visuals. The visuals will display the results of the queries and be pinned to a dashboard. The solution must minimize development effort. What should you use to create the visuals?
A. plotly
B. TensorFlow
C. msticpy
D. matplotlib
52.167
HOTSPOT You have a Microsoft Sentinel workspace named sws1. You need to create a hunting query to identify users that list storage keys of multiple Azure Storage accounts. The solution must exclude users that list storage keys for a single storage account. How should you complete the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
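One query serves this question and question 41.153 above (near-real-time alerting on storage key enumeration): run by hand it is a hunting query, saved as a scheduled or NRT analytics rule it raises incidents. This is an added example, not the answer key; it assumes the Azure Activity data connector is feeding AzureActivity, and the 1-day window is an assumption.

```kql
// Added example: callers that listed keys for more than one storage account in a 24h window.
// listKeys is the ARM operation behind "Access keys" in the portal, az storage account keys list,
// and most credential-harvesting scripts; one account is routine, several in a row rarely is.
AzureActivity
| where TimeGenerated > ago(1d)
| where OperationNameValue =~ "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION"
| where ActivityStatusValue =~ "Success"
| summarize
    StartTime       = min(TimeGenerated),
    EndTime         = max(TimeGenerated),
    StorageAccounts = make_set(_ResourceId, 50),
    AccountCount    = dcount(_ResourceId)
    by Caller, CallerIpAddress
| where AccountCount > 1          // excludes callers that listed keys for a single account
| order by AccountCount desc
```

The query has no join and reads a single table, which keeps it eligible for an NRT rule; NRT rules run roughly every minute, so the `ago(1d)` window in the hunting version would be replaced by the rule's own lookback when it is promoted. Expect service principals used by deployment pipelines to show up here; exclude them by Caller rather than by widening the threshold.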
53.168
DRAG DROP You have a Microsoft Sentinel workspace named workspace1 and an Azure virtual machine named VM1. You receive an alert for suspicious use of PowerShell on VM1. You need to investigate the incident, identify which event triggered the alert, and identify whether the following actions occurred on VM1 after the alert: ✑ The modification of local group memberships ✑ The purging of event logs Which three actions should you perform in sequence in the Azure portal? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Select and Place:
54.169
You have a Microsoft Sentinel workspace that contains the following incident. Brute force attack against Azure Portal analytics rule has been triggered. You need to identify the geolocation information that corresponds to the incident. What should you do?
A. From Overview, review the Potential malicious events map.
B. From Incidents, review the details of the IPCustomEntity entity associated with the incident.
C. From Incidents, review the details of the AccountCustomEntity entity associated with the incident.
D. From Investigation, review insights on the incident entity.
55.173
You have a Microsoft Sentinel workspace. You need to identify which rules are used to detect advanced multistage attacks that comprise two or more alerts or activities. The solution must minimize administrative effort. Which rule type should you query?
A. Fusion
B. Microsoft Security
C. ML Behavior Analytics
D. Scheduled
56.174
You have an Azure subscription that uses Microsoft Sentinel and contains 100 Linux virtual machines. You need to monitor the virtual machines by using Microsoft Sentinel. The solution must meet the following requirements: ✑ Minimize administrative effort. ✑ Minimize the parsing required to read log data. What should you configure?
A. a Log Analytics Data Collector API
B. REST API integration
C. a Common Event Format (CEF) connector
D. a Syslog connector
57.176
DRAG DROP You have an Azure subscription that contains 100 Linux virtual machines. You need to configure Microsoft Sentinel to collect event logs from the virtual machines. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Select and Place:
58.177
You have an Azure subscription that uses Microsoft Sentinel. You detect a new threat by using a hunting query. You need to ensure that Microsoft Sentinel automatically detects the threat. The solution must minimize administrative effort. What should you do?
A. Create an analytics rule.
B. Add the query to a workbook.
C. Create a watchlist.
D. Create a playbook.
59.178
You have a Microsoft Sentinel workspace. You have a query named Query1 as shown in the following exhibit. You plan to create a custom parser named Parser1. You need to use Query1 in Parser1. What should you do first?
A. Remove line 5.
B. Remove line 2.
C. In line 3, replace the !contains operator with the !has operator.
D. In line 4, remove the TimeGenerated predicate.
60.179
You have an Azure subscription that uses Microsoft Sentinel. You need to create a custom report that will visualise sign-in information over time. What should you create first?
A. a hunting query
B. a workbook
C. a notebook
D. a playbook
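For this question and question 38.149 above (anomalous sign-in activity as a time chart aggregated by day), two added example queries that would sit in a workbook; neither is from the question's answer key, and the 30-day window is an assumption. The first is the plain per-day chart; the second goes a step further than the question and flags anomalous days with series_decompose_anomalies.

```kql
// Added example 1: daily sign-in outcomes as a time chart.
// bin() rounds each TimeGenerated down to the start of its day so summarize aggregates per day.
SigninLogs
| where TimeGenerated > ago(30d)
| extend Outcome = iff(ResultType == "0", "Success", "Failure")   // "0" is success in SigninLogs
| summarize SignIns = count() by bin(TimeGenerated, 1d), Outcome
| render timechart

// Added example 2: failed sign-ins per day with anomaly scoring.
// make-series produces a dense, gap-free daily series (days with no events become 0),
// which series_decompose_anomalies needs; the 1.5 threshold is an assumption to tune.
SigninLogs
| where TimeGenerated > ago(30d)
| where ResultType != "0"
| make-series FailedSignIns = count() on TimeGenerated from ago(30d) to now() step 1d
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(FailedSignIns, 1.5)
| render timechart
```

Run the two statements separately (Log Analytics executes one query per run). The difference between them is the point of the question: summarize by bin() silently omits days with zero events, which is fine for a chart but breaks time-series analysis; make-series fills those gaps.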
61.180
You have a Microsoft Sentinel workspace. You receive multiple alerts for failed sign-in attempts to an account. You identify that the alerts are false positives. You need to prevent additional failed sign-in alerts from being generated for the account. The solution must meet the following requirements: • Ensure that failed sign-in alerts are generated for other accounts. • Minimize administrative effort. What should you do?
A. Modify the analytics rule.
B. Create a watchlist.
C. Add an activity template to the entity behavior.
D. Create an automation rule.
62.181
HOTSPOT You have a Microsoft 365 E5 subscription that contains two users named User1 and User2. You have the hunting query shown in the following exhibit. The users perform the following actions: • User1 assigns User2 the Global administrator role. • User1 creates a new user named User3 and assigns the user a Microsoft Teams license. • User2 creates a new user named User4 and assigns the user the Security reader role. • User2 creates a new user named User5 and assigns the user the Security operator role. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
63.182
HOTSPOT You have the following KQL query. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
64.183
HOTSPOT You have a Microsoft Sentinel workspace. You develop a custom Advanced Security Information Model (ASIM) parser named Parser1 that produces a schema named Schema1. You need to validate Schema1. How should you complete the command? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
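An added example of the validation this question asks about (not its answer key). ASIM ships two KQL test functions, ASimSchemaTester and ASimDataTester, which are deployed into the workspace separately from the ASIM tools in the Microsoft Sentinel GitHub repository and are not present by default. Schema1 is the question's placeholder; real ASIM schema names are, for example, Authentication or NetworkSession.

```kql
// Added example: validate a custom ASIM parser. Run each statement on its own.

// 1. Schema test: checks that the columns Parser1 emits (names and types) match Schema1.
//    getschema turns the parser's output into a one-row-per-column description the tester inspects.
Parser1
| getschema
| invoke ASimSchemaTester('Schema1')

// 2. Data test: checks the values themselves (mandatory fields populated, enumerations such as
//    EventResult within the allowed set, formats of IPs and hashes) over the parser's actual output.
Parser1
| invoke ASimDataTester('Schema1')
```

Both testers return a table of findings rather than failing the query; a parser passes when the result contains no rows marked as errors. Run the data test over a representative time range, since it can only judge the field values it actually sees.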
65.184
HOTSPOT You have a Microsoft Sentinel workspace that has User and Entity Behavior Analytics (UEBA) enabled.
66.185
HOTSPOT You have a Microsoft Sentinel workspace. You need to create a KQL query that will identify successful sign-ins from multiple countries during the last three hours. How should you complete the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
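An added example of a query for this requirement (not the question's answer key). It assumes the Azure Active Directory connector is populating SigninLogs; the country comes from the LocationDetails dynamic column.

```kql
// Added example: accounts with successful Azure AD sign-ins from more than one country in 3 hours.
SigninLogs
| where TimeGenerated > ago(3h)
| where ResultType == "0"                                   // "0" is success; anything else is a failure code
| extend Country = tostring(LocationDetails.countryOrRegion)
| where isnotempty(Country)
| summarize
    Countries    = make_set(Country, 20),
    CountryCount = dcount(Country),
    SourceIPs    = make_set(IPAddress, 20),
    Apps         = make_set(AppDisplayName, 20),
    FirstSignIn  = min(TimeGenerated),
    LastSignIn   = max(TimeGenerated)
    by UserPrincipalName
| where CountryCount > 1
| order by CountryCount desc, LastSignIn desc
```

Filtering on successful sign-ins is deliberate: failed attempts from many countries are password spraying, a different detection. Expect VPN egress and mobile carriers to produce benign hits; exclude known corporate egress ranges by IPAddress before raising the threshold.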
67.186
HOTSPOT You have an Azure subscription. You plan to implement a Microsoft Sentinel workspace. You anticipate that you will ingest 20 GB of security log data per day. You need to configure storage for the workspace. The solution must meet the following requirements: • Minimize costs for daily ingested data. • Maximize the data retention period without incurring extra costs. What should you do for each requirement? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
68.188
You have a Microsoft Sentinel workspace. You need to prevent a built-in Advanced Security Information Model (ASIM) parser from being updated automatically. What are two ways to achieve this goal? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.
A. Create a hunting query that references the built-in parser.
B. Build a custom unifying parser and include the built-in parser version.
C. Redeploy the built-in parser and specify a CallerContext parameter of Any and a SourceSpecificParser parameter of Any.
D. Redeploy the built-in parser and specify a CallerContext parameter of Built-in.
E. Create an analytics rule that includes the built-in parser.
69.189
You have a custom Microsoft Sentinel workbook named Workbook1. You need to add a grid to Workbook1. The solution must ensure that the grid contains a maximum of 100 rows. What should you do?
A. In the grid query, include the take operator.
B. In the grid query, include the project operator.
C. In the query editor interface, configure Settings.
D. In the query editor interface, select Advanced Editor.
70.191
You have a Microsoft Sentinel workspace named Workspace1. You need to exclude a built-in, source-specific Advanced Security Information Model (ASIM) parser from a built-in unified ASIM parser. What should you create in Workspace1?
A. an analytic rule
B. a watchlist
C. a workbook
D. a hunting query
71.193
HOTSPOT You have a Microsoft Sentinel workspace named Workspace1. You configure Workspace1 to collect DNS events and deploy the Advanced Security Information Model (ASIM) unifying parser for the DNS schema. You need to query the ASIM DNS schema to list all the DNS events from the last 24 hours that have a response code of ‘NXDOMAIN’ and were aggregated by the source IP address in 15-minute intervals. The solution must maximize query performance. How should you complete the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
72.194
HOTSPOT - Your on-premises network contains 100 servers that run Windows Server. You have an Azure subscription that uses Microsoft Sentinel. You need to upload custom logs from the on-premises servers to Microsoft Sentinel. What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
73.196
You have a Microsoft Sentinel workspace named Workspace1 and 200 custom Advanced Security Information Model (ASIM) parsers based on the DNS schema. You need to make the 200 parsers available in Workspace1. The solution must minimize administrative effort. What should you do first?
A. Copy the parsers to the Azure Monitor Logs page.
B. Create a JSON file based on the DNS template.
C. Create an XML file based on the DNS template.
D. Create a YAML file based on the DNS template.
74.197
HOTSPOT You have a Microsoft Sentinel workspace. A Microsoft Sentinel incident is generated as shown in the following exhibit. Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.
75.205
HOTSPOT You have a Microsoft Sentinel workspace named sws1. You need to create a query that will detect when a user creates an unusually large number of Azure AD user accounts. How should you complete the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
76.206
You have a Microsoft Sentinel playbook that is triggered by using the Azure Activity connector. You need to create a new near-real-time (NRT) analytics rule that will use the playbook. What should you configure for the rule?
A. the incident automation settings
B. the query rule
C. entity mapping
D. the Alert automation settings
77.208
DRAG DROP You have a Microsoft Sentinel workspace that contains an Azure AD data connector. You need to associate a bookmark with an Azure AD-related incident. What should you do? To answer, drag the appropriate blades to the correct tasks. Each blade may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.
78.209
HOTSPOT You have an Azure subscription that contains a guest user named User1 and a Microsoft Sentinel workspace named workspace1. You need to ensure that User1 can triage Microsoft Sentinel incidents in workspace1. The solution must use the principle of least privilege. Which roles should you assign to User1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
79.210
HOTSPOT You have an Azure subscription that uses Microsoft Sentinel and contains a user named User1. You need to ensure that User1 can enable User and Entity Behavior Analytics (UEBA) for entity behavior in Azure AD. The solution must use the principle of least privilege.
80.211
HOTSPOT You have an Azure subscription that contains the following resources: • A virtual machine named VM1 that runs Windows Server • A Microsoft Sentinel workspace named Sentinel1 that has User and Entity Behavior Analytics (UEBA) enabled
81.212
DRAG DROP Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure AD tenant. You have a Microsoft Sentinel workspace named Sentinel1. You need to enable User and Entity Behavior Analytics (UEBA) for Sentinel1 and collect security events from the
82.213
You have a Microsoft Sentinel workspace. You enable User and Entity Behavior Analytics (UEBA) by using Audit Logs and Signin Logs.
A. IP address and email address only
B. app name, computer name, IP address, email address, and used client app only
C. IP address only
D. used client app and app name only
83.214
HOTSPOT You have an Azure subscription that contains a Microsoft Sentinel workspace. You need to create a hunting query using Kusto Query Language (KQL) that meets the following requirements: •Identifies an anomalous number of changes to the rules of a network security group (NSG) made by the same security principal. •Automatically associates the security principal with a Microsoft Sentinel entity. How should you complete the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
84.215
HOTSPOT You have a Microsoft Sentinel workspace. You need to configure a report visual for a custom workbook. The solution must meet the following requirements: •The count and usage trend of AppDisplayName must be included. •The TrendList column must be useable in a sparkline visual. How should you complete the KQL query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
85.216
DRAG DROP You have an Azure subscription that contains two users named User1 and User2 and a Microsoft Sentinel workspace named workspace1. You need to ensure that the users can perform the following tasks in workspace1: •User1 must be able to dismiss incidents and assign incidents to users. •User2 must be able to modify analytics rules. The solution must use the principle of least privilege. Which role should you assign to each user? To answer, drag the appropriate roles to the correct users. Each role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.
86.218
You have a Microsoft Sentinel workspace. You investigate an incident that has the following entities: • A user account named User1 • An IP address of 192.168.10.200 • An Azure virtual machine named VM1 • An on-premises server named Server1 You need to label an entity as an indicator of compromise (IoC) directly by using the incidents page.
A. 192.168.10.200
B. VM1
C. Server1
D. User1
87.219
You have a Microsoft Sentinel workspace that has User and Entity Behavior Analytics (UEBA) enabled for Signin
A. a scheduled alert query
B. the Activity Log data connector
C. a UEBA activity template
D. a hunting query
88.220
HOTSPOT You have an Azure subscription that is linked to a hybrid Azure AD tenant and contains a Microsoft Sentinel workspace named Sentinel1. You need to enable User and Entity Behavior Analytics (UEBA) for Sentinel and configure UEBA to use data
89.222
HOTSPOT You have four Azure subscriptions. One of the subscriptions contains a Microsoft Sentinel workspace. You need to deploy Microsoft Sentinel data connectors to collect data from the subscriptions by using Azure Policy. The solution must ensure that the policy will apply to new and existing resources in the subscriptions. Which type of connectors should you provision, and what should you use to ensure that all the resources are monitored? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
90.223
You have 50 Microsoft Sentinel workspaces. You need to view all the incidents from all the workspaces on a single page in the Azure portal. The solution must minimize administrative effort. Which page should you use in the Azure portal?
A. Microsoft Sentinel - Incidents
B. Microsoft Sentinel - Workbooks
C. Microsoft Sentinel
D. Log Analytics workspaces
91.233
You have an Azure subscription that contains a Microsoft Sentinel workspace named Workspace1. From Content Hub, you deploy the Microsoft Entra solution for Microsoft Sentinel and configure a connector. You need to analyze actions performed by users that have administrative privileges to the subscription. Which workbook should you use?
A. Azure Activity
B. Microsoft Entra Audit logs
C. Microsoft Entra Sign-ins logs
D. Identity & Access
92.234
You have an Azure subscription that contains a Microsoft Sentinel workspace named Workspace1 and a user named User1. You need to ensure that User1 can investigate incidents by using Workspace1. The solution must follow the principle of least privilege. Which role should you assign to User1?
A. Microsoft Sentinel Responder
B. Microsoft Sentinel Contributor
C. Microsoft Sentinel Automation Contributor
D. Microsoft Sentinel Reader
93.235
HOTSPOT You have an Azure subscription that contains a Log Analytics workspace named Workspace1. You configure Azure activity logs and Microsoft Entra ID logs to be forwarded to Workspace1. You need to query Workspace1 to identify all the requests that failed due to insufficient authorization. How should you complete the KQL query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
94.236
You have a Microsoft 365 subscription that uses Microsoft Defender XDR. You are investigating an incident. You need to review the incident tasks that were performed. The solution must include a query that will display the incidents in a workbook, and then display the tasks of each incident in another grid. Which table should you target in the query?
A. SecurityIncident
B. SecurityEvent
C. SentinelAudit
D. SecurityAlert
95.239
HOTSPOT You have a Microsoft Sentinel workspace that has a default data retention period of 30 days. The workspace contains two custom tables as shown in the following table. Each table ingested two records per day during the past 365 days. You build KQL statements for use in analytic rules as shown in the following table. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
96.240
HOTSPOT You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint. You have the on-premises devices shown in the following table. You are preparing an incident response plan for devices infected by malware. You need to recommend response actions that meet the following requirements: •Block malware from communicating with and infecting managed devices. •Do NOT affect the ability to control managed devices. Which actions should you use for each device? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
97.243
You have a Microsoft Sentinel workspace that contains a custom workbook named Workbook1. You need to create a visual based on the SecurityEvent table. The solution must meet the following requirements: • Identify the number of security events ingested during the past week. • Display the count of events by day in a timechart. What should you add to Workbook1?
A. a query
B. a metric
C. a group
D. links or tabs
98.245
You have an Azure subscription. You need to stream the Microsoft Graph activity logs to a third-party security information and event management (SIEM) tool. The solution must minimize administrative effort. To where should you stream the logs?
A. an Azure Event Hubs namespace
B. an Azure Storage account
C. an Azure Event Grid namespace
D. a Log Analytics workspace
99.247
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2 and contains 500 Windows devices. As part of an incident investigation, you identify the following suspected malware files: • File1.sys • File2.pdf • File3.docx • File4.xlsx You need to create indicator hashes to block users from downloading the files to the devices. Which files can you block by using the indicator hashes?
A. File1.sys only
B. File1.sys and File3.docx only
C. File1.sys, File3.docx, and File4.xlsx only
D. File2.pdf, File3.docx, and File4.xlsx only
E. File1.sys, File2.pdf, File3.docx, and File4.xlsx
100.253
HOTSPOT You have an Azure subscription named Sub1. Sub1 contains a Microsoft Sentinel workspace named SW1 and a virtual machine named VM1 that runs Windows Server. SW1 collects security logs from VM1 by using the Windows Security Events via AMA connector. You need to limit the scope of events collected from VM1. The solution must ensure that only audit failure events are collected. How should you complete the filter expression for the connector? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
101.254
You have a Microsoft 365 E5 subscription and a Microsoft Sentinel workspace. You need to create a KQL query that will combine data from the following sources: •Microsoft Graph •Risky users detected by using Microsoft Entra ID Protection The solution must minimize the volume of data returned. How should the query start?
A. B.
C. D.
102.256
You have a Microsoft 365 E5 subscription that contains two groups named Group1 and Group2 and uses Microsoft Copilot for Security. You need to configure Copilot for Security role assignments to meet the following requirements: • Ensure that members of Group1 can run prompts and respond to Microsoft Defender XDR security incidents. • Ensure that members of Group2 can run prompts. • Follow the principle of least privilege. You remove Everyone from the Copilot Contributor role. Which two actions should you perform next? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
A. Assign the Security Operator role to Group1.
B. Assign the Copilot Owner role to Group2.
C. Assign the Copilot Owner role to Group1.
D. Assign the Security Operator role to Group2.
E. Assign the Copilot Contributor role to Group2.
103.258
HOTSPOT You have an on-premises Linux server that runs a background process named App1 and has the Azure Connected Machine agent installed. You have a Microsoft Sentinel workspace named WS1. You need to configure a data collection rule (DCR) named DCR1 that will use the Syslog via AMA connector to collect messages related to App1. The solution must meet the following requirements: •Only collect messages that have a priority level of critical. •Minimize the volume of data collected. Which facility and log level should you configure for DCR1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
104.259
HOTSPOT Your on-premises network contains a Hyper-V cluster. The cluster contains the virtual machines shown in the following table. You have a Microsoft Sentinel workspace named SW1. You have a data collection rule (DCR) that has the following configurations: •Name: DCR1 •Destination: SW1 •Platform type: All •Data collection endpoint: None •Data source: Windows event logs, Linux syslog For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
105.264
HOTSPOT You have a Microsoft Sentinel workspace. You need to create playbooks that meet the following requirements: •Use an automation rule to trigger actions on an entity. •Call the Entities - Get Hosts action. Which types of playbooks should you use, and which parameters should you specify? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
106.265
HOTSPOT You have an Azure subscription named Sub1 that is linked to a Microsoft Entra tenant named contoso.com. Contoso.com contains a user named User1. Sub1 contains a Microsoft Sentinel workspace. You provision a Microsoft Copilot for Security capacity. You need to ensure that User1 can use Copilot for Security to perform the following tasks: •Update the data sharing and feedback options. •Investigate Microsoft Sentinel incidents. The solution must follow the principle of least privilege. Which role should you assign to User1 for each task? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
107.272
HOTSPOT You have a Microsoft Sentinel workspace named Workspace1. The AzureActivity table in Workspace1 has the following retention periods: •Interactive: 180 days •Total: 180 days You need to modify the retention periods to meet the following requirements: •Minimize the costs associated with storing data in the table. •Maximize the period during which the table data remains available. How should you configure each retention period? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
108.279
You have a Microsoft 365 E5 subscription that contains a device named Device1. Device1 is enrolled in Microsoft Defender for Endpoint. Device1 reports an incident that includes a file named File1.exe as evidence. You initiate the Collect Investigation Package action and download the ZIP file. You need to identify the first and last time File1.exe was executed. What should you review in the investigation package?
A. Processes
B. Autoruns
C. Security event log
D. Scheduled tasks
E. Prefetch files
109.282
DRAG DROP You have a Microsoft Sentinel workspace that contains the following Advanced Security Information Model (ASIM) parsers: •_Im_ProcessCreate •imProcessCreate You create a new source-specific parser named vimProcessCreate. You need to modify the parsers to meet the following requirements: •Call all the ProcessCreate parsers. •Standardize fields to the Process schema. Which parser should you modify to meet each requirement? To answer, drag the appropriate parsers to the correct requirements. Each parser may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.
110.283
HOTSPOT You have on-premises servers that run Windows Server. You have a Microsoft Sentinel workspace named SW1. SW1 is configured to collect Windows Security log entries from the servers by using the Azure Monitor Agent data connector. You plan to limit the scope of collected events to events 4624 and 4625 only. You need to use a PowerShell script to validate the syntax of the filter applied to the connector. How should you complete the script? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
111.286
You have a Microsoft Sentinel workspace named SW1. You need to identify which anomaly rules are enabled in SW1. What should you review in Microsoft Sentinel?
A. Content hub
B. Entity behavior
C. Analytics
D. Settings
112.287
You have an Azure subscription that contains a Microsoft Sentinel workspace named WS1. You create a hunting query that detects a new attack vector. The attack vector maps to a tactic listed in the MITRE ATT&CK database. You need to ensure that an incident is created in WS1 when the new attack vector is detected. What should you configure?
A. a hunting livestream session
B. a query bookmark
C. a scheduled query rule
D. a Fusion rule
113.291
HOTSPOT You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR. You have a Microsoft Sentinel workspace. Microsoft Sentinel connectors are configured as shown in the following table. You use Microsoft Sentinel to investigate suspicious Microsoft Graph API activity related to Conditional Access policies. You need to search for the following activities: •Downloads of the Conditional Access policies by using PowerShell •Updates to the Conditional Access policies by using the Microsoft Entra admin center Which tables should you query for each activity? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
114.293
You have a Microsoft 365 E5 subscription. You have the following KQL query. You need to use the query to create a Microsoft Defender XDR custom detection rule that can isolate an onboarded device. How should you modify the query?
A. Add the AccountUpn and Timestamp columns to the project operator.
B. Add a distinct operator.
C. Add a summarize operator.
D. Add the DeviceId and Timestamp columns to the project operator.
115.300
You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR. You have a custom detection rule named Rule1 that generates an alert if more than five antivirus detections are identified on a device. Rule1 has a lookback period of 12 hours. You need to change the lookback period to 48 hours. What should you modify for Rule1?
A. the scope
B. the summarize operator of the KQL query
C. the frequency
D. the where operator of the KQL query
116.301
DRAG DROP You have a Microsoft 365 subscription. The subscription contains 500 Windows 11 devices that are onboarded to Microsoft Defender for Endpoint. You need to perform the following actions in Microsoft Defender XDR: •For your company’s finance department, populate random endpoints with fake cached credentials. •Ensure that an incident is created in Microsoft Defender XDR if an attacker attempts to use the fake cached credentials. The solution must ensure that the fake cached credentials are planted only on endpoints of the finance department. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.
117.304
You have an Azure subscription that uses Microsoft Sentinel. You need to minimize the administrative effort required to respond to the incidents and remediate the security threats detected by Microsoft Sentinel. Which two features should you use? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
A. Microsoft Sentinel workbooks
B. Azure Automation runbooks
C. Microsoft Sentinel automation rules
D. Microsoft Sentinel playbooks
E. Azure Functions apps
118.306
You have an on-premises network. You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Identity. From the Microsoft Defender portal, you investigate an incident on a device named Device1 of a user named User1. The incident contains the following Defender for Identity alert: Suspected identity theft (pass-the-ticket) (external ID 2018). You need to contain the incident without affecting users and devices. The solution must minimize administrative effort. What should you do?
A. Disable User1 only.
B. Quarantine Device1 only.
C. Reset the password for all the accounts that previously signed in to Device1.
D. Disable User1 and quarantine Device1.
E. Disable User1, quarantine Device1, and reset the password for all the accounts that previously signed in to Device1.
119.307
HOTSPOT You have an Azure subscription that contains a Log Analytics workspace named Workspace1. You configure Azure activity logs and Microsoft Entra ID logs to be forwarded to Workspace1. You need to identify which Azure resources have been queried or modified by risky users. How should you complete the KQL query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
120.317
You have a Microsoft 365 E5 subscription. Automated investigation and response (AIR) is enabled in Microsoft Defender for Office 365 and devices use full automation in Microsoft Defender for Endpoint. You have an incident involving a user that received malware-infected email messages on a managed device. Which action requires manual remediation of the incident?
A. soft deleting the email message
B. hard deleting the email message
C. isolating the device
D. containing the device
121.319
You have a Microsoft 365 subscription that uses Microsoft Defender XDR. You need to identify all the entities affected by an incident. Which tab should you use in the Microsoft Defender portal?
A. Investigations
B. Assets
C. Evidence and Response
D. Alerts
122.323
You have a Microsoft Sentinel workspace named SW1. In SW1, you investigate an incident that is associated with the following entities: • Host • IP address • User account • Malware name Which entity can be labeled as an indicator of compromise (IoC) directly from the incident's page?
A. malware name
B. host
C. user account
D. IP address
123.327
HOTSPOT You have a Microsoft Sentinel workspace. You need to configure the Fusion analytics rule to temporarily suppress incidents generated by a Microsoft Defender connector. The solution must meet the following requirements: •Minimize impact on the ability to detect multistage attacks. •Minimize administrative effort. How should you configure the rule? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
124.328
You have a Microsoft Sentinel workspace. You are investigating an incident that involves multiple alerts, events, and entities. You need to create a bookmark for the investigation. The solution must minimize administrative effort. Which settings should you use?
A. Incidents
B. Hunting
C. Content hub
D. Logs
125.330
You have a Microsoft 365 E5 subscription that contains a device named Device1. From the Microsoft Defender portal, you discover that an alert was triggered for Device1. From the Device inventory page, you isolate Device1. You need to collect a list of installed programs on Device1. What should you do?
A. Run an advanced hunting query against the DeviceProcessEvents table.
B. Run an advanced hunting query against the DeviceTvmSoftwareInventory table.
C. Initiate an automated investigation and view the results in the Action center.
D. Initiate a live response session and run the processes command.
126.331
You have a Microsoft 365 E5 subscription that contains a user named User1. The subscription uses Microsoft 365 Copilot for Security. Copilot for Security uses the Sentinel plugin. User1 is assigned the Copilot Contributor role. During an investigation, User1 submits a prompt and receives a notification that Copilot for Security cannot respond to requests because the security compute unit (SCU) usage is nearing the provisioned capacity limit. You need to ensure that User1 can use Copilot for Security to generate a successful response. What should User1 do?
A. Wait one hour and resubmit the prompt.
B. Update the provisioned SCUs.
C. Run the Microsoft Sentinel Optimization Workbook.
D. Open a second Copilot for Security session and submit the prompt.
127.332
You have a Microsoft Sentinel workspace. You are investigating an incident that involves the following entities: •A host named Host1 •A user account named User1 •An IP address of 175.45.176.99 You need to update the threat intelligence list to include the entities. Which entities can you add on the Incident page?
A. 175.45.176.99 only
B. Host1 only
C. User1 only
D. 175.45.176.99 and Host1 only
E. Host1 and User1 only
F. 175.45.176.99, Host1, and User1
128.333
You have a Microsoft 365 subscription that uses Microsoft Copilot for Security. You create a promptbook named Book1. For Book1, you need to create a prompt that contains an input named IncidentID. How should you format IncidentID?
A.
B. ##IncidentID##
C. [IncidentID]
D. $IncidentID$
129.334
HOTSPOT You have an Azure subscription named Sub1 that contains the resources shown in the following table. You plan to configure Rule1 to trigger Lapp1 when an incident is generated. You need to recommend the role-based access control (RBAC) role that you should assign to WS1, and the scope at
130.337
HOTSPOT You have an Azure subscription named Sub1 that is linked to a Microsoft Entra tenant named contoso.com. Sub1 contains a Log Analytics workspace named Workspace1. All the logs from contoso.com are streamed to Workspace1. You have a Microsoft 365 E5 subscription. You need to query Workspace1 for the following: •HTTP requests to the Microsoft Graph service of contoso.com •Third-party app sign-in activities that use certificates or secrets How should you complete the KQL query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
131.339
You have a Microsoft 365 E5 subscription that contains a device named Device1. From the Microsoft Defender portal, you discover that an alert was triggered for Device1. From the Device inventory page, you isolate Device1. You need to collect a list of installed programs on Device1. What should you do?
A. Initiate a live response session and run the processes command.
B. Initiate an automated investigation and view the results in the Action center.
C. Initiate a live response session and run the analyze command.
D. Run an advanced hunting query against the DeviceTvmSoftwareInventory table.
132.340
You have a Microsoft 365 E5 subscription that contains a device named Device1. From the Microsoft Defender portal, you discover that an alert was triggered for Device1. From the Device inventory page, you isolate Device1. You need to collect a list of installed programs on Device1. What should you do?
A. Collect an investigation package and download the results from the Action center.
B. Initiate a live response session and run the analyze command.
C. Run an advanced hunting query against the DeviceProcessEvents table.
D. Run an advanced hunting query against the DeviceTvmInfoGathering table.
133.341
HOTSPOT You have a Microsoft 365 E5 subscription that is linked to a Microsoft Entra tenant named contoso.com. You need to query Microsoft Graph activity logs to identify changes to the roles in contoso.com. How should you complete the KQL query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
134.343
DRAG DROP You have a Microsoft 365 subscription that uses Microsoft Defender XDR. You have an Azure subscription that uses Microsoft Security Copilot. You need to create a custom promptbook in Security Copilot that will gather the following information about an incident ID: •An incident summary •Threat intelligence on the identified threat actors •A detailed analysis of the users affected by the incident •A detailed analysis of the devices affected by the incident Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
135.345
You have a Microsoft 365 subscription. The subscription contains 500 Windows 11 devices that are onboarded to Microsoft Defender for Endpoint. You have 500 devices that run Linux. Users sign in to the Windows and Linux devices by using their Microsoft Entra credentials. You need to recommend a response process for Microsoft Defender XDR security incidents associated with a compromised Linux endpoint. The solution must ensure that the compromised device is prevented from communicating with all devices onboarded to Defender for Endpoint. Which response action should you include in the recommendation?
A. Contain user
B. Contain device
C. Isolate device
D. Confirm user compromised
136.348
DRAG DROP You have a Microsoft Sentinel workspace named SW1. In SW1, you enable User and Entity Behavior Analytics (UEBA). You need to use KQL to perform the following tasks: •View the entity data that has fields for each type of entity. •Assess the quality of rules by analyzing how well a rule performs. Which table should you use in KQL for each task? To answer, drag the appropriate tables to the correct tasks. Each table may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.
137.349
Your on-premises network contains an Active Directory Domain Services (AD DS) forest. You have a Microsoft Entra tenant that uses Microsoft Defender for Identity. The AD DS forest syncs with the tenant. You need to create a hunting query that will identify LDAP simple binds to the AD DS domain controllers. Which table should you query?
A. AADServicePrincipalRiskEvents
B. AADDomainServicesAccountLogon
C. SigninLogs
D. IdentityLogonEvents
138.350
HOTSPOT You have a Microsoft 365 subscription. You need to identify all the security principals that submitted requests to change or delete groups. How should you complete the KQL query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
139.352
HOTSPOT You have a Microsoft Sentinel workspace. You plan to visualize data from Microsoft SharePoint Online and OneDrive sites. You need to create a KQL query for the visual. The solution must meet the following requirements: •Select all workloads as a single operation. •Include two parameters named Operations and Users. •In the results, exclude empty values for the site URLs. How should you complete the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
140.353
HOTSPOT You have a Microsoft Sentinel workspace that contains a custom workbook. You need to query for a summary of security events. The solution must meet the following requirements: •Identify the number of security events ingested during the past week. •Display the count of events by day in a chart. How should you complete the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
141.354
HOTSPOT You have a Microsoft Sentinel workspace that contains a custom workbook named Workbook1. You need to create a visual in Workbook1 that will display the logon count for accounts that have logon event IDs of 4624 and 4634. How should you complete the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
142.355
You have 500 on-premises Windows 11 devices that use Microsoft Defender for Endpoint. You enable Network device discovery. You need to create a hunting query that will identify discovered network devices and return the identity of the onboarded device that discovered each network device. Which built-in function should you use?
A. SeenBy()
B. DeviceFromIP()
C. next()
D. current_cluster_endpoint()
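As an added example (not part of the exam item above), the following advanced hunting query shows the function in use: it takes the latest DeviceInfo record for each device that Network device discovery found but that is not onboarded, then calls SeenBy() to add a SeenBy column listing the onboarded devices whose sensors observed it. The seven-day window is an assumption.

```kql
// Discovered (not onboarded) devices, plus the onboarded sensor(s) that saw each one.
DeviceInfo
| where Timestamp > ago(7d)                     // assumed lookback
| where OnboardingStatus != "Onboarded"         // discovered devices only
| where isempty(MergedToDeviceId)               // skip records merged into another device identity
| summarize arg_max(Timestamp, *) by DeviceId   // latest snapshot per discovered device
| invoke SeenBy()                               // adds SeenBy: onboarded devices that observed it
| project Timestamp, DeviceId, DeviceName, DeviceCategory, DeviceType, OSPlatform, SeenBy
| order by Timestamp desc
```

The arg_max() step matters: DeviceInfo holds a row per snapshot, so without it every discovered device appears many times and the SeenBy column is attached to each copy.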
143.356
You have an Azure subscription that contains a resource group named RG1. RG1 contains a Microsoft Sentinel workspace. The subscription is linked to a Microsoft Entra tenant that contains a user named User1. You need to ensure that User1 can deploy and customize Microsoft Sentinel workbook templates. The solution must follow the principle of least privilege. Which role should you assign to User1 for RG1?
A. Microsoft Sentinel Contributor
B. Workbook Contributor
C. Microsoft Sentinel Automation Contributor
D. Contributor
144.358
HOTSPOT You need to build a KQL query in a Microsoft Sentinel workspace. The query must return the SecurityEvent record for accounts that have the last record with an EventID value of 4624. How should you complete the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
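Added example (not from the exam items) covering the SecurityEvent patterns asked about in 141.354 and 144.358. The first query counts logon (4624) and logoff (4634) events per account and day for a workbook chart; the second keeps only the most recent record per account with arg_max() and then retains the accounts whose latest record is a 4624, that is, a logon not yet followed by a logoff. The seven-day window and the returned columns are assumptions; in the Logs blade, place the cursor in one query and run it, since the two are separated by a blank line.

```kql
// Logon (4624) / logoff (4634) counts per account, per day, for a workbook visual.
SecurityEvent
| where TimeGenerated > ago(7d)                 // assumed lookback
| where EventID in (4624, 4634)
| extend EventName = iff(EventID == 4624, "Logon", "Logoff")
| summarize EventCount = count() by bin(TimeGenerated, 1d), Account, EventName
| order by TimeGenerated asc, Account asc

// Accounts whose most recent record is a logon. arg_max() keeps the latest row per Account
// (and the listed columns from that same row); the filter then keeps only rows whose
// latest EventID is 4624. Filtering on EventID before the summarize would break this,
// because a later 4634 must still be able to win the arg_max.
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID in (4624, 4634)
| summarize arg_max(TimeGenerated, EventID, Computer, LogonType, IpAddress) by Account
| where EventID == 4624
| project Account, LastLogon = TimeGenerated, Computer, LogonType, IpAddress
| order by LastLogon desc
```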
145.360
You have an Azure subscription that contains a Microsoft Sentinel workspace named WS1. WS1 has the Azure Activity connector and the Microsoft Entra ID connector configured. You need to investigate which accounts have the most alerts and any corresponding incident information for each alert. The solution must minimize administrative effort. What should you do first in WS1?
A. Use User and Entity Behavior Analytics (UEBA) to detect anomalies.
B. Enable User and Entity Behavior Analytics (UEBA).
C. From Content hub, install the Microsoft Purview insider risk management solution.
D. From Content hub, install Cloud Identity Threat Protection Essentials.
146.361
You have a Microsoft 365 E5 subscription that uses Microsoft Copilot for Security. You plan to run the following code to create a custom Copilot for Security plugin. You need to specify a format and complete the code segment. Which format should you use for the variable?
A. API
B. GPT
C. KQL
D. SQL
147.362
You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR. You are investigating an incident. You need to review the incident tasks that were performed. What can you use on the Incident page?
A. Tasks only
B. Tasks and Activity log only
C. Tasks and Alert timeline only
D. Tasks, Activity log, and Alert timeline
148.366
You have a Microsoft 365 E5 subscription that uses Microsoft Copilot for Security. You have a Copilot for Security workspace that uses the following plugins: •Microsoft Entra •Microsoft Defender XDR From the Microsoft Defender portal, you use Copilot for Security to investigate a reported incident. You need to run a promptbook that will include information from Microsoft Entra ID Protection in the investigation. What should you do first?
A. From the Microsoft Defender portal, create an incident report.
B. Open the investigation in the Copilot for Security standalone experience.
C. Open the investigation in Microsoft Sentinel.
D. From the Microsoft Defender portal, create an advanced hunting query.
149.369
Your on-premises network contains two Active Directory Domain Services (AD DS) domains named contoso.com and fabrikam.com. Contoso.com contains a group named Group1. Fabrikam.com contains a group named Group2. You have a Microsoft Sentinel workspace named WS1 that contains a scheduled query rule named Rule1. Rule1 generates alerts in response to anomalous AD DS security events. Each alert creates an incident. You need to implement an incident triage solution that meets the following requirements: •Security incidents from contoso.com must be assigned to Group1. •Security incidents from fabrikam.com must be assigned to Group2. •Administrative effort must be minimized. What should you include in the solution?
A. a playbook that is triggered by the creation of an incident
B. a playbook that is triggered by the creation of an alert
C. one automation rule assigned to Rule1
D. two automation rules assigned to Rule1
150.370
You have a Microsoft 365 subscription. You have the following KQL query. You need to ensure that you can create a Microsoft Defender XDR custom detection rule by using the query. What should you add to the query?
A. | summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId
B. | summarize (ReportId)=make_set(ReportId), count() by DeviceId
C. | summarize (Timestamp, DeviceName)=arg_min(Timestamp, DeviceName), count() by DeviceId
D. | summarize (Timestamp)=range(Timestamp), count() by DeviceId
151.371
HOTSPOT You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Office 365. You need to build a hunting query that will list events involving potentially malicious emails that were detected but NOT removed successfully from mailboxes after delivery. The solution must ensure that the events are correlated with the sign-in events of the email recipients. How should you complete the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
152.372
HOTSPOT You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR. You discover a malicious process that was initiated by a file named File1.exe on a device named Device1. You need to create a KQL query that will identify when File1.exe was created. The solution must meet the following requirements: •Return the FileName, InitiatingProcessFileName, and InitiatingProcessCommandLine columns. •Minimize the volume of data returned. How should you complete the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
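Added example (not from the exam item) of a query that answers the question above: it looks for the creation of File1.exe on Device1 in DeviceFileEvents and returns only the three required columns plus the hash and path. The time and device filters come first so the engine scans as little data as possible; the seven-day lookback and the device-name prefix match (DeviceName holds the FQDN) are assumptions.

```kql
// When was File1.exe written to Device1, and by which process?
DeviceFileEvents
| where Timestamp > ago(7d)                      // assumed lookback; narrow further if known
| where DeviceName startswith "device1"          // assumption: FQDN begins with the hostname
| where ActionType == "FileCreated"
| where FileName =~ "File1.exe"
| project Timestamp, FileName, FolderPath, SHA256,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp asc                         // earliest creation first
| take 10
```

If the file was later renamed, repeat the search keyed on the SHA256 value returned here rather than on FileName; the hash survives a rename, the name does not.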
153.373
DRAG DROP - You have an Azure subscription that contains a Microsoft Sentinel workspace. You need to create and customize a workbook for the Microsoft Entra ID Audit Logs. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
154.374
HOTSPOT You have an Azure subscription named Sub1 that contains a Microsoft Sentinel workspace named WS1. You need to create a hunting query in WS1 that meets the following requirements: •Returns the number of changes performed daily by each Microsoft Entra security principal during a seven-day period •Identifies all the successful changes to the resources in Sub1 •Substitutes any missing data points with 0 How should you complete the KQL query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
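Added example (not from the exam item) of a hunting query over the AzureActivity table that meets the three requirements above: successful change operations only, one count per caller per day across seven days, and missing days filled with 0 by make-series. Scoping to Sub1 needs its subscription ID, which the page does not give, so that filter is left as a comment.

```kql
// Successful Azure Resource Manager changes per caller per day, 7 days, gaps filled with 0.
let lookback = 7d;
AzureActivity
| where TimeGenerated > ago(lookback)
| where ActivityStatusValue == "Success"              // completed operations, not Start/Accept/Failure
| where OperationNameValue endswith "/write"          // change operations: writes, deletes, actions
    or OperationNameValue endswith "/delete"
    or OperationNameValue endswith "/action"
// | where SubscriptionId == "<Sub1 subscription ID>"  // scope to Sub1 once the ID is known
| make-series Changes = count() default = 0           // default = 0 substitutes missing data points
    on TimeGenerated from startofday(ago(lookback)) to now() step 1d
    by Caller                                         // Caller is the Microsoft Entra security principal
| render timechart
```

A plain summarize count() by bin(TimeGenerated, 1d), Caller would drop the days on which a principal made no changes; make-series keeps every day in the range, which is what a daily baseline or an anomaly comparison needs.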
155.375
HOTSPOT You have a Microsoft Sentinel workbook that contains the following KQL query. You need to create a visual that will change the color of the errCount column based on the value returned. How should you configure the visual? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
156.376
You have a Microsoft 365 subscription that uses Microsoft Defender XDR. The subscription contains 500 Windows 11 devices that are onboarded to Microsoft Defender for Endpoint. You discover unauthorized changes to the membership of the Administrators group for the devices. You need to configure a solution that meets the following requirements: •Every hour, check the Administrators group membership of each endpoint. •When a change to the Administrators group membership is detected, create an incident in Microsoft Defender XDR. What should you create first?
A. a device group
B. an advanced hunting query
C. an alert tuning rule
D. a detection rule
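Added example (not from the exam items) serving both 150.370 and 156.376: an advanced hunting query for local Administrators group changes that is valid as the basis of a custom detection rule. The custom detection editor requires the query output to include Timestamp, ReportId and an entity column such as DeviceId; the trailing comment shows how to keep those columns when the rows are aggregated per device, which is the point of the arg_max() option in 150.370. The one-hour lookback matches an hourly rule frequency. That the Administrators group name or its well-known SID appears in AdditionalFields is an assumption.

```kql
// Custom detection: membership changes to the local Administrators group.
DeviceEvents
| where Timestamp > ago(1h)                       // matches an "every hour" rule frequency
| where ActionType in ("UserAccountAddedToLocalGroup", "UserAccountRemovedFromLocalGroup")
// Assumption: the target group is identifiable in AdditionalFields.
// S-1-5-32-544 is the well-known SID of the built-in Administrators group.
| where AdditionalFields has_any ("S-1-5-32-544", "Administrators")
| project Timestamp, DeviceId, DeviceName, ActionType, AccountName, AccountSid,
          InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine,
          AdditionalFields, ReportId
// Timestamp, ReportId and DeviceId are required for a custom detection rule.
// To collapse to one row per device instead, carry them through with arg_max():
// | summarize (Timestamp, ReportId) = arg_max(Timestamp, ReportId), Changes = count() by DeviceId, DeviceName
```

Saving this as a custom detection rule with an hourly frequency creates an alert, and therefore an incident, each time a change is found; the rule itself is the object to create, an advanced hunting query alone runs only when someone executes it.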
157.377
HOTSPOT You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR. Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with a Microsoft Entra tenant. You need to identify the 100 most recent sign-in attempts recorded on devices and AD DS domain controllers. How should you complete the KQL query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
158.378
HOTSPOT You have a Microsoft Sentinel workspace named Workspace1. You need to create a custom workbook in Workspace1. Workspace1 must display a time chart that shows failed Microsoft Entra sign-ins from the past seven days. The solution must ensure that the chart includes a count of failed sign-ins for each day. How should you complete the KQL query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
159.379
HOTSPOT You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR. You have an Azure subscription that contains a Log Analytics workspace named Workspace1. You forward all logs to Workspace1. You need to identify all the applications and security principals that made requests to modify Microsoft Entra groups during the previous 24 hours. How should you complete the KQL query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
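Added example (not from the exam items) covering 133.341, 138.350 and this question: a query over MicrosoftGraphActivityLogs that lists every application and security principal that sent a mutating request for groups or directory roles in the previous 24 hours. Requests are identified by HTTP method and by the Graph resource path; the principal is UserId for delegated calls and ServicePrincipalId for app-only calls. The lookback, the list of target paths, and the regular expression used to pull the object ID out of the URI are assumptions.

```kql
// Who asked Microsoft Graph to create, change or delete groups or directory roles?
let lookback = 24h;
let targets = dynamic(["groups", "directoryRoles", "roleManagement"]);   // assumed resource paths
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(lookback)
| where RequestMethod in ("POST", "PATCH", "PUT", "DELETE")   // mutating verbs; GET is a read
| where RequestUri has_any (targets)
| extend Target = iff(RequestUri has "groups", "Group", "Role")
| extend ObjectId = extract(@"/(groups|directoryRoles)/([0-9a-fA-F-]{36})", 2, RequestUri)
| extend Principal = coalesce(UserId, ServicePrincipalId),      // user for delegated, SP for app-only
         PrincipalType = iff(isnotempty(UserId), "User", "ServicePrincipal")
| summarize Requests = count(),
            Methods = make_set(RequestMethod),
            StatusCodes = make_set(ResponseStatusCode),          // 2xx = the change went through
            Objects = make_set(ObjectId, 20),
            Sources = make_set(IPAddress, 10),
            SampleUri = any(RequestUri),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Target, PrincipalType, Principal, AppId
| order by Requests desc
```

Keep the response code in the output rather than filtering on it: a burst of 403s from one service principal against /groups is a permission probe worth seeing, even though nothing was modified.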
160.380
You have a Microsoft 365 subscription that uses Microsoft Defender XDR, Microsoft Purview, and Exchange Online. You have a partner company named Contoso, Ltd. You need to review all the emails that contain PDF attachments and were received from Contoso during the past month. The solution must minimize administrative effort. What should you use?
A. Content search
B. Content explorer
C. Activity explorer
D. Advanced Hunting
161.381
You have an Azure subscription that uses Microsoft Sentinel. You need to create a custom workbook that will calculate the average time it takes to close security incidents. The solution must minimize administrative effort. Which built-in Microsoft Sentinel workbook template should you select?
A. Security operations efficiency
B. Incident Overview
C. Workspace Usage Report
D. Investigation Insights
162.384
HOTSPOT You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR. You need to create a hunting query in KQL that meets the following requirements: •Identifies any devices that received an email containing an attachment named File1.pdf during the last 12 hours and opened the attachment. •Minimizes the resources required to run the query How should you complete the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
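Added example (not from the exam item) of a query for the scenario above. It ties three tables together: EmailAttachmentInfo for messages carrying File1.pdf, DeviceFileEvents for the attachment's hash being written to a device, and DeviceProcessEvents for a process launched with the file in its command line as the evidence that it was opened. Each leg is filtered to the 12-hour window before the joins so no table is scanned in full. Treating a command line that names the file as "opened" is a heuristic and an assumption, as is the 12-hour lookback on the device tables.

```kql
// Devices that received File1.pdf by email in the last 12h and then opened it.
let lookback = 12h;
let attachments =
    EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | where FileName =~ "File1.pdf"
    | where isnotempty(SHA256)
    | project MailTime = Timestamp, NetworkMessageId, RecipientEmailAddress, SHA256;
let landed =
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FileCreated"
    | project FileTime = Timestamp, DeviceId, DeviceName, FolderPath, SHA256;
attachments
| join kind=inner landed on SHA256                    // the attachment's hash was written to disk
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where ProcessCommandLine has "File1.pdf"         // assumption: a viewer launched with the file
    | project OpenTime = Timestamp, DeviceId, Viewer = FileName, AccountName, ProcessCommandLine
  ) on DeviceId
| where OpenTime >= FileTime                          // opened after it landed, not before
| project MailTime, RecipientEmailAddress, DeviceName, FolderPath, OpenTime, AccountName,
          Viewer, ProcessCommandLine
| order by OpenTime desc
```

Joining on SHA256 rather than on the file name is deliberate: a user who saves the attachment under another name still matches, while an unrelated file that happens to be called File1.pdf does not.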
163.385
HOTSPOT You have a Microsoft Sentinel workspace. You have a KQL query. The query returns Microsoft Sentinel incidents that are stored in the SecurityIncident table and occurred during the last 90 days. You need to create a Microsoft Sentinel workbook that will include a visualization of the query. To what should you set Data source and Resource type for the workbook? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
164.386
You have a Microsoft 365 subscription that uses Microsoft Defender XDR. All endpoint devices are onboarded to Microsoft Defender for Endpoint. You have an Azure subscription that contains a Microsoft Sentinel workspace named Workspace1. All Microsoft Defender XDR events are ingested into Workspace1. You have a Microsoft Entra tenant. You create a KQL query named query1 that searches device logs for a known vulnerability. You need to ensure that query1 runs every hour. The solution must minimize administrative effort. What should you configure?
A. a custom detection rule
B. automated investigation and response (AIR)
C. a watchlist
D. an automation rule
165.389
HOTSPOT You need to create an advanced hunting query to investigate the executive team issue. How should you complete the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
166.390
HOTSPOT You need to implement Azure Sentinel queries for Contoso and Fabrikam to meet the technical requirements. What should you include in the solution? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
167.392
DRAG DROP You need to add notes to the events to meet the Azure Sentinel requirements. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Select and Place:
168.393
HOTSPOT You need to configure the Azure Sentinel integration to meet the Azure Sentinel requirements. What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
169.394
You need to assign a role-based access control (RBAC) role to admin1 to meet the Azure Sentinel requirements and
A. Automation Operator
B. Automation Runbook Operator
C. Azure Sentinel Contributor
D. Azure Sentinel Responder
170.395
Which rule setting should you configure to meet the Azure Sentinel requirements?
A. From Set rule logic, turn off suppression.
B. From Analytics rule details, configure the tactics.
C. From Set rule logic, map the entities.
D. From Analytics rule details, configure the severity.
171.396
HOTSPOT You need to create the analytics rule to meet the Azure Sentinel requirements. What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area: