Exam Name:
SC-200: Microsoft Security Operations Analyst
Learning Paths:
SC-200: Mitigate threats using Microsoft 365 Defender
SC-200: Mitigate threats using Microsoft Defender for Endpoint
SC-200: Mitigate threats using Microsoft Defender for Cloud
SC-200: Create queries for Microsoft Sentinel using Kusto Query Language (KQL)
SC-200: Configure your Microsoft Sentinel environment
SC-200: Connect logs to Microsoft Sentinel
SC-200: Create detections and perform investigations using Microso…
Terms in this set (175)
You want to use a risky sign-in report to find information on risky sign-ins for the past 29 days. How can you access this report?
-You can access and download the report from the Azure portal.
-You can't access the report from the portal because the data isn't retained any longer.
-You can't access the report from the portal, but only if you downloaded it in the first 30 days.
Answer: You can access and download the report from the Azure portal.
- Risky sign-in report data is retained for 30 days in tenants with an Azure AD Premium license, so a 29-day window is still available in the portal.
True or false? Microsoft Defender for Office 365 requires an agent to be deployed to all Windows 10 devices in your organization for the best protection.
-True
-False
Answer: False
- Microsoft Defender for Office 365 is a cloud-based email filtering service that helps protect your organization. No agents are deployed.

What describes Safe Attachments from Microsoft Defender for Office 365?
-Messages and attachments are routed to a special environment where Microsoft Defender for Office 365 uses a variety of machine learning and analysis techniques to detect malicious intent.
-Protects your users from malicious URLs in a message or in an Office document.
-A powerful report that enables your Security Operations team to investigate and respond to threats effectively and efficiently.
Answer: Messages and attachments are routed to a special environment where Microsoft Defender for Office 365 uses a variety of machine learning and analysis techniques to detect malicious intent.
- Safe Attachments protects against unknown malware and viruses and provides zero-day protection for your messaging system by rerouting messages to a detonation environment and using machine learning to detect malicious intent. (The second option describes Safe Links; the third describes Threat Explorer.)

Which of the following is not an Attack Simulator scenario?
-Spear phishing
-Password spray
-Bitcoin mining
Answer: Bitcoin mining
- Bitcoin mining is not an Attack Simulator scenario.

Microsoft Defender for Identity requires an on-premises Active Directory environment.
-True
-False
Answer: True
- Microsoft Defender for Identity is a cloud-based security solution that uses signals from your on-premises Active Directory, collected by sensors on the domain controllers.

Which of the following describes advanced threats detected by Microsoft Defender for Identity?
-Reconnaissance
-Vertical movements
-Bitcoin mining
Answer: Reconnaissance
- Microsoft Defender for Identity can identify rogue users and attackers' attempts to gain information such as usernames, group memberships, IP addresses assigned to devices, and resources, using various methods. (The movement it detects is lateral movement, not "vertical movement".)

Which of the following is not a supported integration for Microsoft Defender for Identity?
-Microsoft Defender for Endpoint
-Microsoft Defender for Cloud Apps
-Intune
Answer: Intune
- Currently, there is no supported integration between Microsoft Defender for Identity and Microsoft Intune.

How can you get an at-a-glance overview of the kinds of apps being used within your organization?
-Use Azure Information Protection
-Use Conditional Access
-Use the Cloud Discovery Dashboard
Answer: Use the Cloud Discovery Dashboard
- The dashboard shows what kinds of apps are being used, open alerts, and the risk levels of apps in your organization.

The Defender for Cloud Apps framework includes which of the following?
-Discover and control the use of Shadow IT
-Block external traffic
-Protect Active Directory
Answer: Discover and control the use of Shadow IT
- The framework has four parts: discover and control the use of Shadow IT, protect your sensitive information anywhere in the cloud, protect against cyberthreats and anomalies, and assess the compliance of your cloud apps.

Which of these is a feature of Conditional Access App Control policies?
-Remote access
-Require multi-factor authentication
-Protect on download
Answer: Protect on download
- Prevent data exfiltration, protect on download, prevent upload of unlabeled files, monitor user sessions for compliance, block access, and block custom activities are all features of Conditional Access App Control policies.

How can you ensure that a file is sent into quarantine for review by an administrator?
-When creating a file policy, select Quarantine for admin
-When creating a file policy, select Put in admin quarantine
-When creating a file policy, select Put in review for admin
Answer: When creating a file policy, select Put in admin quarantine
- You need to select Put in admin quarantine to let administrators review files.

Which anomaly detection policy triggers an alert if the same user credentials originate from two geographically distant locations within a short time?
-Impossible travel
-Impossible distance
-Impossible twins
Answer: Impossible travel
- The impossible travel policy is triggered when two user activities originate from geographically distant locations within a time period shorter than the time it would have taken the user to travel from the first location to the second.

Which DLP component is used to classify a document?
-Sensitive info types
-Retention Policy
-Sensitivity label
Answer: Sensitivity label
- The sensitivity label is applied to a document to classify it.

In Defender for Cloud Apps, which type of policy is used for DLP?
-Access Policy
-File Policy
-Activity Policy
Answer: File Policy
- File policies inspect file content and apply DLP-style governance actions.

Which DLP component has the logic to protect content in locations such as SharePoint Online?
-Sensitive info types
-DLP Policy
-Sensitivity label
Answer: DLP Policy
- The DLP policy specifies the locations it protects and the conditions and actions that apply there.

A healthcare employee left work with an unencrypted work laptop, which was stolen days later in a burglary. Data containing sensitive information for 100 patients is on the laptop. This is an example of which type of internal risk?
-Regulatory compliance violation
-Sabotage
-Data leak
Answer: Regulatory compliance violation
- If your business handles the personal, medical, sensitive, or classified data of individuals or government organizations, the law requires you to follow strict compliance regulations.

Which one of the following applies to Microsoft Insider Risk Management policies and templates?
-Insider risk settings for Privacy and Policy Indicators can be configured to apply for a specific policy.
-Microsoft Insider Risk Management policies and templates are for malicious intent violations.
-Each policy must have a template assigned in the policy creation wizard before the policy is created.
Answer: Each policy must have a template assigned in the policy creation wizard before the policy is created.
- Insider risk management templates are pre-defined policy conditions that define the types of risk indicators monitored by a policy. Each policy must have a template assigned before creation.

If you want to define past and future review periods that are triggered after policy matches based on events and activities for the insider risk management policy templates, which policy setting do you select?
-Indicators
-Policy timeframes
-Intelligent detections
Answer: Policy timeframes
- Depending on the template, the timeframes available are the activation window and past activity detection.

Configuring a Microsoft Human Resources (HR) data connector is a dependency for which insider risk management template?
-Departing employee's data theft template
-Data leaks
-Offensive language in email
Answer: Departing employee's data theft template
- If you configure a policy using the Departing employee data theft template, you'll need to configure a Microsoft 365 HR data connector so that you can import user and log data from third-party risk management and human resources platforms. HR connectors allow you to pull in human resources data from CSV files, including user termination and last employment dates.

You create a new policy by stepping through the policy wizard and policy settings. Which of the following is optional when creating a new policy?
-The users or groups the policy will apply to
-Alert indicators
-Specify content to prioritize
Answer: Specify content to prioritize
- This is optional; you can assign the sources to prioritize for risky user activity, such as SharePoint sites.

You want to search for insider risk alerts that occurred in the past 30 days and are high severity risks. The easiest way to accomplish this is to do which of the following?
-From the Alerts dashboard search for "last 30 days."
-Click "Export" to download a CSV file with all alerts. Import this into Excel and use the filter function.
-From the Alerts dashboard, select the Filter control.
Answer: From the Alerts dashboard, select the Filter control.
- You can filter alerts by one or more attributes, including Status, Severity, Time detected, and Policy.

Which of the case actions opens a new eDiscovery (Premium) case in your Microsoft 365 investigation?
-Escalate for investigation
-Send a notice
-Resolve the case
Answer: Escalate for investigation
- Escalate the case for employee investigation in situations where additional legal review is needed for the employee's risk activity. This escalation opens a new eDiscovery (Premium) case in your Microsoft 365 organization. eDiscovery (Premium) provides an end-to-end workflow to preserve, collect, review, analyze, and export content that's responsive to your organization's internal and external legal investigations.

What is required to deploy Microsoft Defender for Endpoint to Windows devices in your organization?
-Subscription to the Microsoft Defender for Endpoint online service.
-No action is required. Microsoft Defender for Endpoint is included in the Windows 10 operating system.
-License for Microsoft Intune.
Answer: Subscription to the Microsoft Defender for Endpoint online service.
- To deploy Microsoft Defender for Endpoint you require a subscription to the Microsoft Defender for Endpoint online service.

Which of the following choices describes threat hunting using Microsoft Defender for Endpoint?
-You can proactively inspect events in your network using a powerful search and query tool.
-Detecting and blocking apps that are considered unsafe but may not be detected as malware.
-Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware.
Answer: You can proactively inspect events in your network using a powerful search and query tool.
- Microsoft Defender for Endpoint advanced hunting is a powerful search and query tool built on top of a query language (KQL) that gives you flexibility.

Which of the following is not a component of Microsoft Defender for Endpoint?
-Next generation protection
-Endpoint detection and response
-Cloud device management
Answer: Cloud device management
- Cloud device management is not a component of Microsoft Defender for Endpoint.

The default data retention period in Microsoft Defender for Endpoint is?
-One month
-Six months
-Three months
Answer: Six months
- The default is six months (180 days).

Which of the following options is a valid Microsoft Defender for Endpoint onboarding option for Windows 10 devices?
-Group policy
-Microsoft Store
-General install package
Answer: Group policy
- Group policy is a valid deployment option.

Which security permission allows the configuration of storage settings?
-Manage security settings in Security Center
-Manage portal system settings
-Advanced commands
Answer: Manage portal system settings
- This permission allows the configuration of storage settings.

Which solution is used to control the applications that must earn trust to be run?
-Exploit protection
-Controlled folder access
-Application control
Answer: Application control
- Application control allows only applications that have earned trust to run.

Which option below is an attack surface reduction rule that can be configured?
-Block PowerShell from executing
-Block process creations originating from PSExec and WMI commands
-Block content from mobile devices
Answer: Block process creations originating from PSExec and WMI commands
- Blocking process creation from PSExec and WMI commands is an attack surface reduction rule that can be configured.

Which of the following items is a deployment option?
-PowerShell
-ASRConfig.exe
-Microsoft Deployment System
Answer: PowerShell
- PowerShell is a valid deployment option.

The security operations analyst has found an interesting event. What should be done to mark it for further review?
-Tag
-Highlight
-Flag
Answer: Flag
- You can flag events in the device timeline.

Which behavioral blocking can be used with third-party antivirus?
-Client behavior blocking.
-EDR in block mode
-Feedback-loop blocking
Answer: EDR in block mode
- EDR in block mode allows blocking even when a third-party antivirus is the primary antivirus product.

A Windows 10 device doesn't appear in the device list. What could be the problem?
-The device was renamed.
-The device is missing the latest KBs.
-The device hasn't had alerts in the past 30 days.
Answer: The device hasn't had alerts in the past 30 days.
- You can adjust the time setting to find the device.

Which type of information is collected in an Investigation package?
-Command History
-Prefetch Files
-Network transactions
Answer: Prefetch Files
- Prefetch files are collected.

Which of the actions below is a Device action?
-Reboot
-Reformat device
-Isolate device
Answer: Isolate device
- You can isolate a device from the network.

Which of the following artifact types has an investigation page?
-Domain
-Hunter
-Threat Actor
Answer: Domain
- There's an investigation page for Domain.

What information is provided by a deep file analysis?
-Command history
-Registry Modifications
-Code change history
Answer: Registry Modifications
- Registry modifications are reported.

Which information is provided on the user account page?
-Associated alerts
-Security groups
-Threat hunt ID
Answer: Associated alerts
- Associated alerts are provided on the user account page.

Which is a valid remediation level?
-Semi - require approval for any remediation
-Semi - user accounts only
-Semi - files only
Answer: Semi - require approval for any remediation
- This is a valid remediation level.

A security operations analyst needs to exclude a custom executable file c:\myapp\myapp.exe. Which exclusion type should they use?
-File
-Extension
-Folder
Answer: File
- File will exclude this specific file from automated investigation and remediation.

In advanced features, which setting should be turned on to block files even if a third-party antivirus is used?
-Enable EDR in block mode
-Allow or block file
-Automated Investigation
Answer: Enable EDR in block mode
- EDR in block mode is used with third-party antivirus.

Which file type can be used to upload Indicators?
-JSON
-XML
-CSV
Answer: CSV
- CSV file format is supported.

Which type is an accepted indicator type?
-Certificates
-Email subject line
-Code data
Answer: Certificates
- Certificates are an indicator type (along with files, IP addresses, and URLs/domains).

Which filter is included as part of an Alert notification rule?
-Alert Severity
-Account
-Subject IDs
Answer: Alert Severity
- Alert severity is a filter option for the rule.

In the Vulnerable Devices Report, which graphs show each device counted only once based on the highest level of known exploit?
-Vulnerability age graphs
-Exploit availability graphs
-Severity level graphs
Answer: Exploit availability graphs
- The exploit availability graphs show this information.

Which report lists the software vulnerabilities your devices are exposed to by listing the Common Vulnerabilities and Exposures (CVE) ID?
-Event Timeline
-Weakness
-Software Inventory
Answer: Weakness
- The Weaknesses report is listed by CVE ID.

Which report or dashboard provides a list of the most recently published threat reports?
-Vulnerable devices report
-Threat protection
-Threat Analytics
Answer: Threat Analytics
- This dashboard provides a list of the most recently published threat reports.

Which of the following describes Microsoft Defender for Cloud's primary role?
-Cloud security facilitation
-Cloud workload protection
-Cloud configuration management
Answer: Cloud workload protection
- Microsoft Defender for Cloud provides cloud workload protection (together with cloud security posture management).

Which Microsoft Defender for Cloud feature enables you to see the topology of your workloads?
-Inventory
-Secure Score
-Network map
Answer: Network map
- Network map is a visualization of the network topology of your workloads.

To make sure Microsoft Defender for Cloud covers all resources in a Subscription, which option do you enable?
-Automatic provisioning
-Continuous assessments
-Coverage type
Answer: Automatic provisioning
- Automatic provisioning installs the required agent on the resources.

Which is a Windows security events configuration?
-Reasonable
-Maximum
-Minimal
Answer: Minimal
-Minimal is a configuration option.What should you install on a new Azure Windows VM if you aren't using auto provisioning?
-Log Analytics Agent
-Sysmon
-Windows FirewallLog Analytics Agent
-You need to install the Log Analytics Agent.Which of these selections is an auto provisioning extension?
-Policy Add-on for Kubernetes
-Windows Events
-Policy for Azure PolicyPolicy Add-on for Kubernetes
-Policy Add-on for Kubernetes is an extension.Which is an option to connect your non-Azure computers?
-Windows Store
-Using Azure Arc enabled servers
-From an Excel spreadsheetUsing Azure Arc enabled servers
-Using Azure Arc enabled servers is an option to connect.Which resource can Microsoft Defender for Cloud protect in a hybrid environment?
-Word Documents
-SQL Databases
-Cosmos DBSQL Databases
-SQL Databases can be protected by Microsoft Defender for Cloud.Which Cloud provider has a Cloud connector in Security Center?
-IBM Cloud
-GCP
-OracleGCP
- GCP has a cloud connector.To automatically remediate a recommendation, select which option?
-Respond
-Remediate
-FixFix
-The fix option will start the process to automatically remediate.By default, which security policy is assigned to each subscription?
-SOC TSP
-Azure Security Benchmark
-ISO 27001:2013Azure Security Benchmark
- Azure Security Benchmark is the default.Defender for Cloud initiatives are defined in?
-Azure Policy
-Secure Score
-WorkbooksAzure Policy
-Azure Policy is used to define initiatives.What is a protection provided by Microsoft Defender for DNS?
-Malware communicating with C&C server
-Malware encrypting data on a Device
-Malware enumerating user on a DeviceMalware communicating with C&C server
-Command and Control detection over DNS is detected.Microsoft Defender for Containers does which of the following?
-Environmental hardening, Vulnerability assessment, and endpoint management
-Environmental hardening, User risk management, and Run-time threat protection
-Environmental hardening, Vulnerability assessment, and Run-time threat protectionEnvironmental hardening, Vulnerability assessment, and Run-time threat protection
-It performs all three of these services.Which feature of Microsoft Defender for Servers examines files and registries of the operating system, application software, and others for changes that might indicate an attack?
-Adaptive application controls
-Adaptive network hardening
-File integrity monitoringFile integrity monitoring
-File integrity monitoring examines files.Defender for Cloud employs which advanced security analytics?
-Biometric analytics
-Power BI
-Behavioral analyticsBehavioral analytics
-Behavior analytics is used to detect threats.Which Azure technology is used to automate remediation?
-Azure Functions
-Azure Batch
-Azure Logic AppsAzure Logic Apps
-Logic Apps is the automation engine.If available, which report provides Attackers tactics, tools, and procedures?
-Threat Intelligence
-Secure Score
-IncidentThreat Intelligence
- The threat intelligence report contains attacker information if available.

What does the search operator do?
-Searches across tables and isn't column-specific.
-Searches only data in the last hour.
-Searches in columns specified.
Answer: Searches across tables and isn't column-specific.
- search looks for the term in all columns of the tables specified (or in all tables if none are specified).

What are project operators?
-Project operators filter a table to the subset of rows that satisfy a predicate.
-Project operators create summarized columns and append them to the result set.
-Project operators add, remove, or rename columns in a result set.
Answer: Project operators add, remove, or rename columns in a result set.
- The project operators (project, project-away, project-keep, project-rename, project-reorder) control which columns to include, add, remove, or rename in the result set of a statement.

The dcount() function will do which of the following?
-Return a day count on the expression difference provided to the function.
-Return a difference count on the expression provided to the function.
-Return a distinct count on the expression provided to the function.
Answer: Return a distinct count on the expression provided to the function.
- dcount provides an (estimated) distinct count of the expression's values.

The arg_max() function will do which of the following?
-Returns the maximum value for each column passed to the function.
-Returns a JSON Array of maximum values for each column passed to the function.
-Returns a row selected based on the row having the max value for an expression.
Answer: Returns a row selected based on the row having the max value for an expression.
- The arg_max function returns the row in each group that has the maximum value for the expression, together with the other columns requested from that same row.

The bin() function provides the most value to which type of chart?
-scatterchart
-timechart
-barchart
Answer: timechart
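Worked example added by the editor (not part of the original card set) showing the operators from the preceding cards, search, project, dcount, arg_max and bin with render timechart, against the SecurityEvent table. It assumes a Sentinel workspace where the Windows security events connector populates SecurityEvent with logon events 4624 and 4625 (assumption); the account name svc-backup is made up. Each of the three queries is run on its own, because KQL accepts only one tabular query per statement.

```kql
// Added example, not from the original cards. Assumes SecurityEvent holds
// Windows logon events (4624 success, 4625 failure); "svc-backup" is a made-up account.

// 1) search: free text across tables, not tied to a column. $table reports the source table.
search in (SecurityEvent, Syslog) "svc-backup"
| project TimeGenerated, $table, Computer
| take 20

// 2) project + dcount + bin + render: failed logons and distinct targeted accounts per hour.
//    bin() floors every timestamp to the hour, which gives timechart its evenly spaced x-axis.
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID in (4624, 4625)
| project TimeGenerated, EventID, Account, IpAddress      // keep only the columns needed
| summarize FailedLogons = countif(EventID == 4625),
            DistinctAccounts = dcount(Account)
    by bin(TimeGenerated, 1h)
| render timechart

// 3) arg_max: one row per account, the row with the latest successful logon, carrying the
//    source IP and host from that same row (not the maximum of each column separately).
SecurityEvent
| where TimeGenerated > ago(7d) and EventID == 4624
| summarize arg_max(TimeGenerated, IpAddress, Computer), Logons = count() by Account
| project-rename LastLogon = TimeGenerated
| order by LastLogon desc
```

In the Log Analytics query window, place the cursor inside one of the queries (they are separated by blank lines) and run it; query 2 is the one that produces a chart.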
- bin() rounds values down to an integer multiple of the given bin size. The timechart displays a time series based on the bin size.

Which join flavor contains a row in the output for every combination of matching rows from left and right?
-kind=leftouter
-kind=inner
-kind=fullouter
Answer: kind=inner
- Inner contains a row in the output for every combination of matching rows from left and right. (The default flavor, innerunique, first deduplicates the keys on the left side.)

When you're using the join operator, how do you specify fields from each table?
-$1.columnname and $2.columnname
-$left.columnname and $right.columnname
-$inner.columnname and $outer.columnname
Answer: $left.columnname and $right.columnname
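Worked example added by the editor (not part of the original card set) for the two join cards above: a kind=inner join using $left and $right, correlating source IPs that failed against many accounts with a later successful logon from the same IP. It assumes SecurityEvent holds Windows logon events 4624 and 4625 (assumption); the threshold of 10 accounts is an arbitrary choice for illustration.

```kql
// Added example, not from the original cards. Assumes SecurityEvent holds
// Windows logon events (4624 success, 4625 failure).
// Left side: source IPs that failed against 10 or more distinct accounts in the last day.
let Failed = SecurityEvent
    | where TimeGenerated > ago(1d) and EventID == 4625
    | summarize TargetedAccounts = dcount(Account), LastFailure = max(TimeGenerated) by IpAddress
    | where TargetedAccounts >= 10;
// Right side: successful logons with the columns to carry into the result.
let Succeeded = SecurityEvent
    | where TimeGenerated > ago(1d) and EventID == 4624
    | project SuccessTime = TimeGenerated, Account, Computer, IpAddress;
Failed
// kind=inner: every matching combination, so an IP with three later successes yields three rows.
// $left.* refers to Failed (the table before the join), $right.* to Succeeded.
| join kind=inner Succeeded on $left.IpAddress == $right.IpAddress
| where SuccessTime > LastFailure              // the success came after the spraying stopped
| project IpAddress, TargetedAccounts, LastFailure, Account, Computer, SuccessTime
| order by SuccessTime desc
// To list sprayers even when no success followed, change kind=inner to kind=leftouter:
// unmatched Failed rows are kept with null SuccessTime/Account/Computer, and the
// `where SuccessTime > LastFailure` line then needs to become
// `where isnull(SuccessTime) or SuccessTime > LastFailure` so those rows survive.
```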
- The $left and $right prefixes before the field name specify which table the field comes from.

When you use union on two tables, do the two tables need matching columns?
-No.
-Yes.
-Only when the project operator is used.
Answer: No.
- The results contain all columns from both tables; rows from a table that lacks a column have null in it.

Which KQL statement should you use to parse external data into a virtual table?
-parse_json
-extract
-externaldata
Answer: externaldata
- Use the externaldata operator to create a virtual table from an external source, such as a CSV file in blob storage.

A dynamic field contains which of the following items?
-Calculated data.
-Key-value pair data.
-External data.
Answer: Key-value pair data.
- A dynamic field holds JSON-like data (objects, arrays, or scalars); the properties in the field are accessed with dot notation.

To create a virtual table, save your KQL as which type?
-Module.
-Function.
-Definition.
Answer: Function.
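Worked example added by the editor (not part of the original card set) that ties together the union, externaldata, dynamic field and function cards above: a let-defined function normalises SecurityEvent and SigninLogs into one view, reads a property out of the dynamic LocationDetails column, and the result is joined against a CSV blocklist loaded with externaldata. The blocklist URL is a hypothetical placeholder (assumption; externaldata needs a reachable CSV, for example a blob SAS URL), and the function name NormalisedSignins is an assumed name.

```kql
// Added example, not from the original cards. The blocklist URL is a hypothetical
// placeholder (assumption); externaldata needs a reachable CSV, e.g. a blob SAS URL.
let Blocklist = externaldata (IpAddress:string, Note:string)
    [@"https://example.invalid/blocklist.csv"]
    with (format="csv", ignoreFirstRecord=true);
// A function giving one normalised view over two tables with different schemas.
// union does not require matching columns: a row takes null for any column its
// source table lacks, which is why coalesce() is used below.
// Saving this body as a Log Analytics function (e.g. named NormalisedSignins)
// lets other queries call it by name, like a table.
let NormalisedSignins = (lookback:timespan) {
    union withsource=SourceTable SecurityEvent, SigninLogs
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624 or isnotempty(UserPrincipalName)   // Windows success, or any AAD sign-in
    | extend SrcIp = coalesce(IpAddress, IPAddress),            // SecurityEvent vs SigninLogs naming
             User  = coalesce(Account, UserPrincipalName),
             // LocationDetails is a dynamic (JSON) column in SigninLogs; dot notation reads one property
             Country = tostring(LocationDetails.countryOrRegion)
    | project TimeGenerated, SourceTable, User, SrcIp, Country
};
NormalisedSignins(1d)
| join kind=inner Blocklist on $left.SrcIp == $right.IpAddress
| summarize Hits = count(), Users = make_set(User), Countries = make_set(Country)
    by SrcIp, Note
| order by Hits desc
```

Country is empty for SecurityEvent rows because that table has no LocationDetails column; the union simply yields null there, which tostring() turns into an empty string.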
- Functions can then be referenced by name in other KQL statements, just like a table.

What does Microsoft Sentinel provide?
-A solution for checking your security posture in the cloud
-An end-to-end solution for security operations
-A solution for securely storing keys and secrets in the cloud
Answer: An end-to-end solution for security operations
- Microsoft Sentinel gives you an end-to-end solution for security operations. The solution includes visibility, analytics, hunting, incident management, and automation.

Which language is used to query data within Microsoft Sentinel?
-SQL
-GraphQL
-KQL
Answer: KQL
- Kusto Query Language (KQL) is the language used for querying data in Log Analytics, which is where Microsoft Sentinel holds its data.

Which Azure service stores the log data that is ingested into Microsoft Sentinel?
-Azure Data Factory
-Log Analytics
-Azure Monitor
Answer: Log Analytics
- Log Analytics is the underlying service that stores the log data for Microsoft Sentinel.

Within Microsoft Sentinel, which Azure product is used to run automated playbooks in response to alerts?
-Log Analytics
-Azure Monitor
-Azure Logic Apps
Answer: Azure Logic Apps
- Azure Logic Apps is a serverless, no-code solution for automating workflows. It integrates with hundreds of other services, making it a powerful solution for security orchestration, automation, and response (SOAR).

Where is your log data stored?
-Microsoft Sentinel Workspace
-Azure Lighthouse
-Log Analytics workspace
Answer: Log Analytics workspace
- The Log Analytics workspace is where the data resides.

Which Microsoft Sentinel security role can create workbooks?
-Microsoft Sentinel Responder
-Microsoft Sentinel Reader
-Microsoft Sentinel Contributor
Answer: Microsoft Sentinel Contributor
- The Contributor role can create and edit workbooks; Reader and Responder can only view them.

Why is it important to set the region when creating the Log Analytics workspace?
-Specifies where the log data will be stored.
-Specifies the timezone the data will be displayed in.
-Specifies the log retention period
Answer: Specifies where the log data will be stored.
- The region is the data center location where your log data is stored, which matters for data residency requirements.

Which table stores Defender for Endpoint logon events?
-DeviceLogonEvents
-OfficeActivity
-SigninLogs
Answer: DeviceLogonEvents
- The Defender for Endpoint raw data is stored in tables whose names start with Device.

What table contains logs from Windows hosts collected directly to Microsoft Sentinel?
-SecurityEvent
-AuditLogs
-SecurityAlert
Answer: SecurityEvent
- Windows security event logs are stored in this table.

Which table stores alerts from Microsoft Defender for Endpoint?
-SecurityIncident
-DeviceEvents
-SecurityAlert
Answer: SecurityAlert
- The alerts reside in the SecurityAlert table.

Which of the following operations is a typical scenario for using a Microsoft Sentinel watchlist?
-Creating more alerts to help identify issues.
-Export business data as a watchlist.
-Responding to incidents quickly with the rapid import of IP addresses.
Answer: Responding to incidents quickly with the rapid import of IP addresses.
- This is a typical scenario for using a Microsoft Sentinel watchlist.

How do you access a new watchlist named MyList in KQL?
-_Watchlist('MyList')
-_GetWatchlist('MyList')
-_Getlist('MyList')
Answer: _GetWatchlist('MyList')
- This is the proper function.

In Threat Intelligence, indicators are considered as which of the following?
-Strategic
-Operational
-Tactical
Answer: Tactical
- Indicators are considered tactical threat intelligence.

Which of these items is an example of a threat indicator?
-Threat Actor Name
-Domain Name
-Threat Campaign
Answer: Domain Name
- This indicator can be used to query against your log data.

What table do you query in KQL to view your indicators?
-Indicator
-TI Indicator
-ThreatIntelligenceIndicator
Answer: ThreatIntelligenceIndicator
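Worked example added by the editor (not part of the original card set) for the watchlist and threat-indicator cards above: it takes the current version of each active domain indicator from ThreatIntelligenceIndicator, drops domains listed in a watchlist, and matches the rest against endpoint network events. It assumes the Microsoft 365 Defender connector populates DeviceNetworkEvents with a RemoteUrl column, and that a watchlist named AllowedDomains with a Domain column exists (both assumptions).

```kql
// Added example, not from the original cards. Assumes: the Microsoft 365 Defender
// connector populates DeviceNetworkEvents with a RemoteUrl column (assumption), and a
// watchlist named AllowedDomains with a Domain column exists (assumption).
let ioc_lookBack = 14d;         // how far back to take indicators
let dt_lookBack  = 1h;          // how far back to take endpoint events
let Allowed = _GetWatchlist('AllowedDomains') | project Domain = tolower(tostring(Domain));
let Indicators = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(DomainName)
    | summarize arg_max(TimeGenerated, *) by IndicatorId    // newest version of each indicator only
    | extend Domain = tolower(DomainName)
    | where Domain !in (Allowed);                           // the watchlist acts as an allowlist
DeviceNetworkEvents
| where TimeGenerated >= ago(dt_lookBack) and isnotempty(RemoteUrl)
// RemoteUrl may be a bare host or a full URL; parse_url() only helps for the latter
| extend Domain = tolower(iff(RemoteUrl contains "://", tostring(parse_url(RemoteUrl).Host), RemoteUrl))
| project EventTime = TimeGenerated, DeviceName, InitiatingProcessFileName, RemoteUrl, Domain
| join kind=inner Indicators on Domain
| project EventTime, DeviceName, InitiatingProcessFileName, RemoteUrl, Domain,
          ConfidenceScore, ThreatType, Description, IndicatorId
| order by EventTime desc
```

The arg_max(TimeGenerated, *) by IndicatorId step matters: indicator updates arrive as new rows, so without it an indicator that was later deactivated could still match on its older, active row.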
- This is the proper table.

Where can you see the number of connected Windows hosts?
-On the CEF Connector page
-On the Agent Management page in Log Analytics
-On the Data connectors page
Answer: On the Agent Management page in Log Analytics
- This page displays the hosts connected.

Which connector provides the log data in an unparsed field?
-Azure Active Directory
-Syslog
-CEF
Answer: Syslog
- The raw message is stored in the SyslogMessage field.

The vendor-provided connectors primarily use which of the following?
-Azure Activity Connector
-Security Events Connector
-CEF Connector
Answer: CEF Connector
- Most vendor-provided connectors use the CEF connector.

Which table (data type) would you query for the Azure Active Directory data?
-OfficeActivity
-SigninLogs
-SecurityAlert
Answer: SigninLogs
- The connector writes sign-in data to SigninLogs (and directory changes to AuditLogs).

Which table (data type) would you query for the Office 365 data?
-OfficeActivity
-SecurityAlert
-SigninLogs
Answer: OfficeActivity
- This connector writes to the OfficeActivity table.

Which table (data type) would you query for the Azure Active Directory Identity Protection data?
-OfficeActivity
-SigninLogs
-SecurityAlert
Answer: SecurityAlert
- This connector writes to the SecurityAlert table.

Which connector would you use to connect the raw data from Microsoft Defender for Endpoint?
-Microsoft Defender for Office 365
-Microsoft Defender for Endpoint
-Microsoft 365 Defender
Answer: Microsoft 365 Defender
- The Microsoft 365 Defender connector can be configured to send the raw event data from Defender for Endpoint.

Which Microsoft security product is part of the Microsoft 365 Defender suite of products?
-Microsoft Defender for Cloud Apps
-Microsoft Purview Information Protection
-Azure Active Directory
Answer: Microsoft Defender for Cloud Apps
- Microsoft Defender for Cloud Apps is part of the Microsoft 365 Defender suite of products.

Which table (data type) does the Microsoft 365 Defender connector write to?
-SecurityAlert
-CommonSecurityLog
-SecurityEvent
Answer: SecurityAlert
- The connector ingests alerts into SecurityAlert (and incidents into SecurityIncident).

Which connector do you use to collect Windows security events?
-Windows Security Events via AMA
-Common Event Format
-Syslog
Answer: Windows Security Events via AMA
- This connector collects Windows security events.

To collect Sysmon events with the Security Events connector, what is the log name used to collect it in advanced settings?
-Microsoft-Windows-Sysmon/Operational
-Microsoft-Windows-Sysmon/Events
-Microsoft-Windows-Sysmon/Logs
Answer: Microsoft-Windows-Sysmon/Operational
- This is the log name to enter.

Which table contains the ingested Sysmon events?
-Event
-CommonSecurityLog
-SecurityEvents
Answer: Event
- The Event table contains the ingested logs.

The CEF connector writes to which table?
-CommonSecurityLog
-SecurityEvent
-Syslog
Answer: CommonSecurityLog
- The connector writes to the CommonSecurityLog table.

The CEF connector deploys what type of forwarder?
-Syslog
-Event
-Sysmon
Answer: Syslog
- The CEF connector deploys a Syslog forwarder (rsyslog or syslog-ng alongside the agent).

The CEF connector can be deployed on which platform?
-Azure Windows Virtual Machine
-On-premises Windows Host
-Azure Linux Virtual Machine
Answer: Azure Linux Virtual Machine
- Linux is required.

What field contains the unstructured event data?
-SyslogData
-SyslogEvent
-SyslogMessage
Answer: SyslogMessage
- This field contains the unstructured data.

To create a parser in the Log query window, save the query as which of the following?
-Module
-Function
-Table
Answer: Function
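Worked example added by the editor (not part of the original card set) for the Syslog cards above: a parser that pulls user, source IP and port out of the unstructured SyslogMessage field for OpenSSH authentication failures, written so it can be saved as a function and queried like a table. It assumes Syslog rows from an OpenSSH server; the quoted message is a constructed sample of the standard format, and SshAuthFailures is an assumed function name.

```kql
// Added example, not from the original cards. Assumes Syslog rows from an OpenSSH
// server; the quoted message below is a constructed sample of the standard format.
// Save this query as a function named SshAuthFailures (assumed name) to use it as a table.
Syslog
| where TimeGenerated > ago(1d)
| where ProcessName == "sshd" and SyslogMessage startswith "Failed password"
// Sample SyslogMessage: "Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2"
| parse SyslogMessage with "Failed password for " UserPart:string " from " SrcIp:string " port " SrcPort:int " ssh2"
| extend IsInvalidUser = UserPart startswith "invalid user "        // user does not exist on the host
| extend User = iff(IsInvalidUser, substring(UserPart, strlen("invalid user ")), UserPart)
| project TimeGenerated, Computer, HostIP, User, IsInvalidUser, SrcIp, SrcPort, SyslogMessage

// Once saved as the function SshAuthFailures, it is queried like any table, e.g.:
//   SshAuthFailures | summarize Attempts = count(), Users = dcount(User) by SrcIp | where Attempts > 50
```

Rows whose message does not fit the pattern get empty values from parse rather than being dropped; add a `where isnotempty(SrcIp)` step if the function should return only fully parsed rows.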
- A function is a named KQL query that is accessed like a regular table.

The Syslog connector can be deployed on which platform?
-Azure Windows Virtual Machine
-On-premises Windows Host
-Azure Linux Virtual Machine
Answer: Azure Linux Virtual Machine
- Linux is required.

Which version of TAXII is supported?
-1.1
-1.0
-2.1
Answer: 2.1
- TAXII versions 2.0 and 2.1 are supported.

The Threat Intelligence Platform connector uses which technology to send data to Microsoft Sentinel?
-Azure Functions
-App Service
-Microsoft Graph Security API
Answer: Microsoft Graph Security API
- The Microsoft Graph Security API (tiIndicators) is used.

Which of the following is not a common use case of analytics rules?
-Identifying compromised accounts.
-Detecting insider threats.
-Visualizing data from Microsoft Sentinel Connectors.
Answer: Visualizing data from Microsoft Sentinel Connectors.
- You cannot visualize data with analytics rules. Use Microsoft Sentinel workbooks to present and visualize the data collected from the connectors.

You want to find additional information that explains the analytics template and the rule that is used in detection of the threats. Which section in the analytics rules page provides that information?
-Details pane
-Header bar
-Rules and templates section
Answer: Details pane
- The details pane contains additional information that explains the template and the rule that is used in detection.

Which one of the analytics rule types can you customize with your own query rules?
-Fusion
-Machine learning behavior analytics
-Scheduled analytic rules
Answer: Scheduled analytic rules
- Scheduled analytic rules provide the highest level of customization.

Which type of the template rules can create incidents based on all alerts generated in Microsoft Defender for Cloud?
-Machine learning behavioral analytics
-Fusion
-Microsoft security
Answer: Microsoft security
- Microsoft security template rules can create incidents based on all alerts generated in Microsoft Defender for Cloud.

Which one of the template types should you use to create an incident based on all alerts generated in Microsoft Defender for Cloud?
-Fusion
-Machine learning behavior analytics
-Microsoft Security
Answer: Microsoft Security
- Template rules based on the Microsoft security type create incidents based on all alerts generated in Microsoft Defender for Cloud.

Which one of the following template rules is precreated in Microsoft Sentinel Analytics?
-Scheduled template rules
-Fusion
-Machine learning behavior analytics templates
Answer: Fusion
- By default, an active rule is created from the Fusion rule template (Advanced Multistage Attack Detection).

You want to configure new KQL code to detect suspicious activity from Azure Activity Logs. In which section can you enter your custom KQL code?
-Set rule logic
-Incident Settings
-Automated response
Answer: Set rule logic
- In the Set rule logic section, you define the detection method by specifying the KQL query that will run against the Microsoft Sentinel workspace.

Which of the following statements about scheduled query rules is true?
-They are precreated by default.
-They can only be enabled without customization.
-You can create your own query to define the detection of the threat.
Answer: You can create your own query to define the detection of the threat.
-You can use either a predefined or a custom query to detect threats.Due to ongoing maintenance activity, you need to stop receiving alerts from analytic rules temporarily. Which action should you enable on the rule to achieve that configuration?
-Delete
-Disable
-DuplicateDisable
-Disabled rules retain all the configuration and will temporary stop creating the alerts from the configured detections, while the rule is disabled.What is the most efficient way to edit an existing analytic rule?
-Delete and recreate the alert with the new logic.
-Duplicate the rule and modify to achieve the necessary changes.
-Create a new rule.Duplicate the rule and modify to achieve the necessary changes.
-When you duplicate the rule, you have a startup configuration provided from the original rule, which you can further modify.Automation rules are triggered by?
-Incidents
-Connectors
-WatchlistsIncidents
-Automation rules are triggered by incidents.You use a Logic Apps to create a_?
-Automation rule
-Playbook
-WorkbookPlaybook
- Playbooks are created with Logic Apps.An Automation rule action can?
-Update the incident title
-Delete the incident
-Change the incident statusChange the incident status
- Automation rules can change the incident status.An administrator needs to create a Microsoft Sentinel playbook. The administrator creates a logic app and starts Logic Apps Designer. Which of the following connector should the administrator use as a trigger to your playbook?
-Office 365 connector
-Microsoft Sentinel Connector
-Azure Active Directory ConnectorMicrosoft Sentinel Connector
-Microsoft Sentinel playbooks use a Microsoft Sentinel Logic Apps connector to trigger logic app actions.Which one of the following statements describes a feature of Microsoft Sentinel playbooks?
-Microsoft Sentinel playbooks contain a set of continuous activities that always run in response to alerts.
-The Game catalog contains the latest Microsoft games.
-Collections of procedures based on Azure Logic Apps that run in response to an alert.Collections of procedures based on Azure Logic Apps that run in response to an alert.
-Microsoft Sentinel Playbooks contain logic apps action that are collections of procedures that run in response to an alertWhat is dynamic content in a logic app?
-List of dynamically selected threats.
-List of dynamic inputs for the current action.
-List of dynamic users.List of dynamic inputs for the current action.
-Dynamic Content displays any available outputs from the previous step, which you can use as inputs for the current action.An administrator creates a new playbook to receive a notification each time a user is delegated the role of Global Administrator. Which connector should the administrator select in the logic app?
-Azure Active Directory connector.
-Connector for Office 365.
-Microsoft Sentinel Connector.Microsoft Sentinel Connector.
-Microsoft Sentinel playbooks start with a trigger from Microsoft Sentinel Connector.An administrator wants to attach a playbook to an existing incident and starts to investigate the incident. Which option should the administrator select to attach the playbook?
-New
-Unassigned
-Name of the incidentName of the incident
-When you select the name of the incident, you can start the process to run a playbook on demand in response to an existing incident.You want to search for a suitable threat detection query or a workbook that you can use for your requirements. Where can you search for such items?
-Azure Architecture Center
-Microsoft Learn
-Microsoft Sentinel repository on GitHubMicrosoft Sentinel repository on GitHub
-Microsoft Sentinel repository on GitHub contains out of the box detections, exploration queries, hunting queries, workbooks, and playbooks that will help you to secure your environment and hunt for threats.Which Microsoft Sentinel component is used to generate alerts?
-Incidents
-Analytic rules
-Data connectors
-EventsAnalytic rules
-Analytic rules can be configured to generate alerts in Sentinel.What is the primary goal of incident management in Sentinel?
-Understand the state of security health in Microsoft Azure.
-Track and manage issues in Azure.
-Track and resolve security issues across your organization's environment.
-Manage security roles in your environment.Track and resolve security issues across your organization's environment.
-Sentinel incident management helps you track and resolve security issues across your organization's environment.Which of the following is evidence in a Microsoft Sentinel incident?
-IP address
-Username
-Event
-Host nameEvent
-An event is evidence.A member of Contoso's security team wants to escalate an incident to a member of the Contoso tier 2 security team. Which incident parameter should you change?
-Severity
-Status
-Owner
-UsernameOwner
-You should change the owner parameter to the user account for the member of the tier 2 security team.What Microsoft Sentinel interface enables someone to view timelines and relationships between incident resources?
-Investigation graph
-Incident details page
-Resource relationships page
-Incident statusInvestigation graph
-The investigation graph enables you to view timelines and relationships between incident resources.What are Entities?
-Data elements
-Tables
-AlertsData elements
- The data elements include such things as Accounts, IP Addresses, HostsIn the timeline of the Entity page, what type of items are an aggregation of notable events relating to the entity?
-Alerts
-Activities
-BookmarksActivities
- Activities are the aggregation of events.When you're viewing the investigation graph, what option will show Entity Behavior information?
-Entities
-Timeline
-InsightsInsights
- Insights will display Entity Behavior information.When creating a Workspace transformation DCR. What is the name of the virtual table to query?
-source
-input
-targetsource
- source is the name of the virtual table.What is an ASIM parser in KQL?
-Variable
-Function
-AggregateFunction
-A Parser is a KQL Function.Every schema that supports filtering parameters supports at least the parameter?
-createdon
-ingestiontime
-starttimestarttime
- starttime and enttime parameters are the supported filtering parameters.An administrator wants to open a previously saved query. After opening the Logs page in Microsoft Sentinel, which one of the following options must the administrator select?
-Queries
-Query explorer
-Tables paneQuery explorer
-The Query Explorer link in the page header helps you access your previously saved queries.The administrator wants to create an analytics rule from the created query. Which option from the queries pane should the administrator select?
-Azure Monitor Alert
-Microsoft Sentinel Alert
-Copy linkMicrosoft Sentinel Alert
-A new Microsoft Sentinel alert creates an analytics rule.Which one of the following tools can an administrator use to query data in Microsoft Sentinel?
-Structured Query Language (SQL)
-PowerShell
-Azure Data ExplorerAzure Data Explorer
-Azure Data Explorer, which is also known as Kusto, is a log analytics cloud platform optimized for ad-hoc big data queries.Which one of the following characters can an administrator use to separate the commands in the query.
-Pipe (|)
-Hyphen (-)
-Underscore (_)Pipe (|)
-You can use the pipe (|) character to separate commands.Which one of the following elements cannot be part of the workbook?
-Charts
-Tables
-VideosVideos
-A workbook cannot contain videos.In which section of the Azure AD Sign-in logs workbook can an administrator find information that users are required to perform multifactor authentication (MFA) to validate their identity.
-Sign-in Location
-Conditional Access status
-Sign-ins by Device.Conditional Access status
-The Conditional Access status table shows which users are required to perform MFA to validate their identity.Which formatting does Microsoft Sentinel use to format the text in the workbook with text visualization?
-Microsoft Word
-HTML text formatting
-MarkdownMarkdown
-The text is edited through a Markdown formatting, which provides different heading and font styles, hyperlinks, tables.An administrator creates a custom workbook and wants to display the data in table. Which visualization steps should the administrator use in the workbook?
-Text visualization
-Links/Tabs
-Grid visualizationGrid visualization
-You can use grids visualization to present the data in tables.You can connect Microsoft Sentinel to which repositories?
-Azure DevOps only
-GitHub only
-GitHub and Azure DevOpsGitHub and Azure DevOps
- Both repository types are supported.Which content type is supported by content hub solutions?
-Advanced Multistage Attack Detection Fusion Rule
-Parsers
-Search jobParsers
- Parsers are supported in a content hub solution.What is the maximum number of repository connections allowed for each Microsoft Sentinel workspace?
-3
-5
-105
- Five is the maximum connections for each workspace.Which of the following best describes a good Hypothesis?
-is Time-bound
-focuses on known Indicators
-focuses on all current threatsis Time-bound
-The Hypothesis should be time-bound.Threat Hunting is considered which of the following?
-Retroactive.
-Reactive.
-Proactive.Proactive.
-You are not waiting for detections to flag an anomaly."We want to check which accounts have run cmd.exe." Why is this hypothesis poor?
-Cmd.exe isn't a program.
-Accounts aren't associated with the running of cmd.exe
-The scope is too broad.The scope is too broad.
-Knowing which accounts have run cmd.exe doesn't prove a possible anomaly.Which code syntax is used for Microsoft Sentinel hunting queries?
-T-SQL (Transact-SQL)
-Kusto Query Language (KQL)
-JavaScript Object Notation (JSON)Kusto Query Language (KQL)
-Microsoft Sentinel hunting queries are built using the Kusto Query Language (KQL) syntax.How do bookmarks aid in the threat-hunting process?
-They enable the hunter to save query results for later reference.
-They enable the hunter to track incident status and resolution.
-They enable the hunter to create workbooks from query results.They enable the hunter to save query results for later reference.Which of the following can't be used in a livestream query?
-Time parameters
-Alert data parameters
-Event entitiesTime parameters
-Time parameters can't be used because livestream queries run continuously.When you're restoring an archive log, what will the table suffix be?
_RST
_Restore
_RSTR_RST
-The table will have _RST as the suffix.What is the suffix for the search result tables?
_SR
_SRCH
_SCH_SRCH
-The table will have _SRCH as the suffix.Which log types are supported by Search jobs?
-Analytics logs only.
-Basic logs only.
-Analytics logs and Basic logs.Analytics logs and Basic logs.
-Both log types are supported.The msticpy package provides which of the following functionality?
-Data wrangling
-Analyzing data
-Creating dataAnalyzing data
-The msticpy package has several functions that help security investigators and hunters analyze data.Which is a component of notebooks in Microsoft Sentinel?
-Telemetry analyzer
-Kernel
-WorkbookKernel
- Notebooks use the Kernel to parse and execute the code within the notebookWhat coding language is most commonly used in the sample Notebooks?
-Python
-C#
-JavaPython
- Python is the most commonly used coding language in the sample notebooks.