You have a Microsoft subscription that has Microsoft Defender for Cloud enabled You configure the Azure logic apps shown in the following table.

You need to configure an automatic action that will run if a Suspicious process executed alert is triggered.
The solution must minimize administrative effort.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Correct Answer:

Explanation:
A. Configure the Trigger automated response settings in the Azure Security Center or Azure Logic App,
B. Filter by alert title (e.g. "Suspicious process executed").
C. Select "Take action" (e.g. "Mitigate the threat").

Comment: *

Name: *

Email: *

Verification: *

You have a Microsoft 365 subscription. You have the following KQL query.
DeviceEvents
| where ActionType == "AntivirusDetection*
You need to ensure that you can create a Microsoft Defender XDR custom detection rule by using the query.
What should you add to the query?

• A.summarize (Timestamp, DeviceHanw)=arg_min(Timestampf DeviceName), count() by Deviceld
• B.sumarize (Timestamp, ReportId)>arg_max(Timestanp, Reportld), count{) by Deviceld
• C.summarize (Timestamp)=range(Timestatip), count() by Deviceld
• D.sumarize (ReportId)=make_set(ReportId), count() by Deviceld

Comment: *

Name: *

Email: *

Verification: *

You have an Azure subscription that uses Microsoft Sentinel.
You need to minimize the administrative effort required to respond to the incidents and remediate the security threats detected by Microsoft Sentinel.
Which two features should you use? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

• A.Microsoft Sentinel bookmarks
• B.Azure Automation runbooks
• C.Microsoft Sentinel automation rules
• D.Microsoft Sentinel playbooks
• E.Azure Functions apps

Comment: *

Name: *

Email: *

Verification: *

You need to restrict cloud apps running on CLIENT1 to meet the Microsoft Defender for Endpoint requirements.
Which two configurations should you modify? Each correct answer present part of the solution.
NOTE: Each correct selection is worth one point.

• A.the Onboarding settings from Device management in Microsoft Defender Security Center
• B.Advanced features from Settings in Microsoft Defender Security Center
• C.Cloud App Security anomaly detection policies
• D.the Cloud Discovery settings in Cloud App Security

Comment: *

Name: *

Email: *

Verification: *

Your company deploys Azure Sentinel.
You plan to delegate the administration of Azure Sentinel to various groups.
You need to delegate the following tasks:
* Create and run playbooks
* Create workbooks and analytic rules.
The solution must use the principle of least privilege.
Which role should you assign for each task? To answer, drag the appropriate roles to the correct tasks. Each role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

In Microsoft Sentinel (Defender XDR SIEM), access control is based on Azure RBAC (Role-Based Access Control) to ensure least privilege operations. According to Microsoft's Sentinel role documentation:
* Logic App Contributor: This role is required to create and run playbooks (automated workflows built on Azure Logic Apps). Although Sentinel integrates with Logic Apps, playbook creation and execution permissions are governed by the Logic App Contributor role at the resource group or subscription level where playbooks are deployed. Without this role, a user cannot design or execute automated responses.
* Azure Sentinel Contributor: This role grants permission to create, edit, and delete analytic rules, workbooks, and hunting queries within the Sentinel workspace. It does not allow modifying playbooks or executing automation unless combined with Logic App Contributor. It's the appropriate role for analysts or engineers who manage detection content (rules and visualizations).
The Azure Sentinel Reader role only allows viewing incidents, workbooks, and rules but not editing or creating them. The Sentinel Responder role focuses on handling and closing incidents, not authoring content or automation.
# Final Mapping:
* Create and run playbooks # Logic App Contributor
* Create workbooks and analytic rules # Azure Sentinel Contributor

Comment: *

Name: *

Email: *

Verification: *