Topic 3: Misc. Questions
You have a suppression rule in Azure Security Center for 10 virtual machines that are used
for testing. The virtual machines run Windows Server.
You are troubleshooting an issue on the virtual machines.
In Security Center, you need to view the alerts generated by the virtual machines during
the last five days.
What should you do?
A.
Change the rule expiration date of the suppression rule.
B.
Change the state of the suppression rule to Disabled.
C.
Modify the filter for the Security alerts page.
D.
View the Windows event logs on the virtual machines.
Change the state of the suppression rule to Disabled.
You have an Azure subscription named Sub1 and a Microsoft 365 subscription. Sub1 is
linked to an Azure Active Directory (Azure AD) tenant named contoso.com.
You create an Azure Sentinel workspace named workspace1. In workspace1, you activate
an Azure AD connector for contoso.com and an Office 365 connector for the Microsoft 365
subscription.
You need to use the Fusion rule to detect multi-staged attacks that include suspicious signins
to contoso.com followed by anomalous Microsoft Office 365 activity.
Which two actions should you perform? Each correct answer present part of the solution.
NOTE: Each correct selection is worth one point.
A.
Create custom rule based on the Office 365 connector templates.
B.
Create a Microsoft incident creation rule based on Azure Security Center.
C.
Create a Microsoft Cloud App Security connector.
D.
Create an Azure AD Identity Protection connector.
Create custom rule based on the Office 365 connector templates.
Create an Azure AD Identity Protection connector.
Explanation: To use the Fusion rule to detect multi-staged attacks that include suspicious
sign-ins to contoso.com followed by anomalous Microsoft Office 365 activity, you should
perform the following two actions:
Create an Azure AD Identity Protection connector. This will allow you to monitor
suspicious activities in your Azure AD tenant and detect malicious sign-ins.
Create a custom rule based on the Office 365 connector templates. This will allow
you to monitor and detect anomalous activities in the Microsoft 365 subscription.
Reference: https://docs.microsoft.com/en-us/azure/sentinel/fusion-rules
You have the following environment:
Azure Sentinel
A Microsoft 365 subscription
Microsoft Defender for Identity
An Azure Active Directory (Azure AD) tenant
You configure Azure Sentinel to collect security logs from all the Active Directory member
servers and domain controllers.
You deploy Microsoft Defender for Identity by using standalone sensors.
You need to ensure that you can detect when sensitive groups are modified in Active
Directory.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A.
Configure the Advanced Audit Policy Configuration settings for the domain controllers.
B.
Modify the permissions of the Domain Controllers organizational unit (OU).
C.
Configure auditing in the Microsoft 365 compliance center.
D.
Configure Windows Event Forwarding on the domain controllers.
Configure the Advanced Audit Policy Configuration settings for the domain controllers.
Configure Windows Event Forwarding on the domain controllers.
You implement Safe Attachments policies in Microsoft Defender for Office 365.
Users report that email messages containing attachments take longer than expected to be
received.
You need to reduce the amount of time it takes to deliver messages that contain
attachments without compromising security. The attachments must be scanned for
malware, and any messages that contain malware must be blocked.
What should you configure in the Safe Attachments policies?
A.
Dynamic Delivery
B.
Replace
C.
Block and Enable redirect
D.
Monitor and Enable redirect
Dynamic Delivery
You have a playbook in Azure Sentinel.
When you trigger the playbook, it sends an email to a distribution group.
You need to modify the playbook to send the email to the owner of the resource instead of
the distribution group.
What should you do?
A.
Add a parameter and modify the trigger.
B.
Add a custom data connector and modify the trigger.
C.
Add a condition and modify the action.
D.
Add a parameter and modify the action.
Add a parameter and modify the action.
You have a Microsoft Sentinel workspace named Workspaces
You need to exclude a built-in. source-specific Advanced Security Information Model
(ASIM) parser from a built-in unified ASIM parser.
What should you create in Workspace1?
A.
a workbook
B.
a hunting query
C.
a watchlist
D.
an analytic rule
an analytic rule
Explanation:
To exclude a built-in, source-specific Advanced Security Information Model (ASIM) parser
from a built-in unified ASIM parser, you should create an analytic rule in the Microsoft
Sentinel workspace. An analytic rule allows you to customize the behavior of the unified
ASIM parser and exclude specific source-specific parsers from being used.
Reference: https://docs.microsoft.com/en-us/azure/sentinel/analytics-create-analytic-rule
You are investigating a potential attack that deploys a new ransomware strain.
You plan to perform automated actions on a group of highly valuable machines that contain
sensitive information.
You have three custom device groups.
You need to be able to temporarily group the machines to perform actions on the devices.
Which three actions should you perform? Each correct answer presents part of the
solution. NOTE: Each correct selection is worth one point.
A.
Add a tag to the device group.
B.
Add the device users to the admin role.
C.
Add a tag to the machines.
D.
Create a new device group that has a rank of 1.
E.
Create a new admin role.
F.
Create a new device group that has a rank of 4.
Add a tag to the device group.
Add a tag to the machines.
Create a new device group that has a rank of 1.
You have an existing Azure logic app that is used to block Azure Active Directory (Azure
AD) users. The logic app is triggered manually.
You deploy Azure Sentinel.
You need to use the existing logic app as a playbook in Azure Sentinel. What should you
do first?
A.
And a new scheduled query rule.
B.
Add a data connector to Azure Sentinel
C.
Configure a custom Threat Intelligence connector in Azure Sentinel
D.
Modify the trigger in the logic app.
Modify the trigger in the logic app.
You have a Microsoft 365 subscription that uses Microsoft 365 Defender.
You need to identify all the entities affected by an incident.
Which tab should you use in the Microsoft 365 Defender portal?
A.
Investigations
B.
Devices
C.
Evidence and Response
D.
Alerts
Evidence and Response
Explanation:
The Evidence and Response tab shows all the supported events and suspicious entities in
the alerts in the incident.
Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender/investigateincidents
You create an Azure subscription named sub1.
In sub1, you create a Log Analytics workspace named workspace1.
You enable Azure Security Center and configure Security Center to use workspace1.
You need to ensure that Security Center processes events from the Azure virtual machines
that report to workspace1.
What should you do?
A.
In workspace1, install a solution.
B.
In sub1, register a provider
C.
From Security Center, create a Workflow automation
D.
In workspace1, create a workbook
In workspace1, install a solution.
Page 5 out of 16 Pages |
Previous |