You have a Microsoft 365 subscription that uses Microsoft 365 Defender and contains a user named User1.
You are notified that the account of User1 is compromised.
You need to review the alerts triggered on the devices to which User1 signed in.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:
Box 1: join
An inner join.
This query uses kind=inner to specify an inner-join, which prevents deduplication of left side values for DeviceId.
This query uses the DeviceInfo table to check if a potentially compromised user (<account-name>) has logged on to any devices and then lists the alerts that have been triggered on those devices.
DeviceInfo
//Query for devices that the potentially compromised account has logged onto
| where LoggedOnUsers contains '<account-name>'
| distinct DeviceId
//Crosscheck devices against alert records in AlertEvidence and AlertInfo tables
| join kind=inner AlertEvidence on DeviceId
| project AlertId
//List all alerts on devices that user has logged on to
| join AlertInfo on AlertId
| project AlertId, Timestamp, Title, Severity, Category
DeviceInfo LoggedOnUsers AlertEvidence "project AlertID"
Box 2: project
Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails- devices?view=o365-worldwide

Comment: *

Name: *

Email: *

Verification: *

You have an Azure subscription that uses Microsoft Defender for Cloud and contains an Azure logic app named app1.
You need to ensure that app1 launches when a specific Defender for Cloud security alert is generated.
How should you complete the Azure Resource Manager (ARM) template? To answer, select the appropriate options in the answer area NOTE: Each correct selection is worth one point.

Correct Answer:

Comment: *

Name: *

Email: *

Verification: *

You have a Microsoft Sentinel workspace.
You plan to visualize data from Microsoft SharePoint Online and OneDrive sites.
You need to create a KQL query for the visual. The solution must meet the following requirements:
* Select all workloads as a single operation.
* Include two parameters named Operations and Users.
* In the results, exclude empty values for the site URLs.
How should you complete the query? To answer, select the appropriate options in the answer area. NOTE:
Each correct selection is worth one point.

Correct Answer:

Explanation:

Comment: *

Name: *

Email: *

Verification: *

You have an Azure subscription that contains a user named User1 and a Microsoft Sentinel workspace named WS1.
You need to ensure that User1 can enable User and Entity Behavior Analytics (UEBA) for WS1. The solution must follow the principle of least privilege.
Which roles should you assign to User1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Comment: *

Name: *

Email: *

Verification: *

You have a Microsoft Sentinel workspace named Workspacel that contains a table named CommonSecurityLog. You ingest logs into CommonSecurityLog. CommonSecurityLog has an average log ingestion time of five minutes.
You need to create an analytics rule that has a lookback period of seven minutes and uses the data in the CommonSecurityLog table. The solution must meet the following requirements:
* Prevent the same event from being processed twice.
* Minimize the number of missed events due to log ingestion delays.
How should you complete the KQL query that defines the rule? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Comment: *

Name: *

Email: *

Verification: *