- (Topic 4)
You have an Azure subscription that uses Microsoft Sentinel.
You need to create a custom report that will visualise sign-in information over time.
What should you create first?

1. A. a workbook
2. B. a hunting query
3. C. a notebook
4. D. a playbook

Correct Answer: A
A workbook is a data-driven interactive report in Microsoft Sentinel. You can use workbooks to create custom reports based on data from your Azure subscription. Reference: https://docs.microsoft.com/en-us/azure/sentinel/workbooks-overview

- (Topic 4)
You have an Azure subscription that uses Microsoft Defender for Cloud and contains a storage account named storage1. You receive an alert that there was an unusually high volume of delete operations on the blobs in storage1.
You need to identify which blobs were deleted. What should you review?

1. A. the Azure Storage Analytics logs
2. B. the activity logs of storage1
3. C. the alert details
4. D. the related entities of the alert

Correct Answer: B

- (Topic 4)
You have the following environment:
✑ Azure Sentinel
✑ A Microsoft 365 subscription
✑ Microsoft Defender for Identity
✑ An Azure Active Directory (Azure AD) tenant
You configure Azure Sentinel to collect security logs from all the Active Directory member servers and domain controllers.
You deploy Microsoft Defender for Identity by using standalone sensors.
You need to ensure that you can detect when sensitive groups are modified in Active Directory.
Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

1. A. Configure the Advanced Audit Policy Configuration settings for the domain controllers.
2. B. Modify the permissions of the Domain Controllers organizational unit (OU).
3. C. Configure auditing in the Microsoft 365 compliance center.
4. D. Configure Windows Event Forwarding on the domain controllers.

Correct Answer: AD
Reference:
https://docs.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection https://docs.microsoft.com/en-us/defender-for-identity/configure-event-collection

HOTSPOT - (Topic 3)
You need to implement the ASIM query for DNS requests. The solution must meet the Microsoft Sentinel requirements. How should you configure the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Solution:


Does this meet the goal?

1. A. Yes
2. B. No

Correct Answer: A

- (Topic 4)
You have an Azure subscription that uses Microsoft Defender for Endpoint.
You need to ensure that you can allow or block a user-specified range of IP addresses and URLs.
What should you enable first in the advanced features from the Endpoints Settings in the Microsoft 365 Defender portal?

1. A. endpoint detection and response (EDR) in block mode
2. B. custom network indicators
3. C. web content filtering
4. D. Live response for servers

Correct Answer: A