You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR.
You discover a malicious process that was initiated by a file named File1exe on a device named Device1.
You need to create a KQL query that will identify when File1.exe was created. The solution must meet the following requirements:
* Return the FileName, InitiatingProcessFileName, and InitiatingProcessCommandLine columns.
* Minimize the volume of data returned.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:
To find when a file was created in Microsoft Defender XDR (Advanced Hunting), you query the DeviceFileEvents table, which records file system activities such as FileCreated. Filtering by DeviceName
== "device1", ActionType == "FileCreated", and FileName == "File1.exe" limits the scope to only the creation of the specific executable on the specified device, minimizing scanned data. To minimize the returned dataset to just the needed columns, you then use project-keep to keep FileName, InitiatingProcessFileName, and InitiatingProcessCommandLine (and only essential columns retained by KQL).
Complete query:
DeviceFileEvents
| where DeviceName == "device1"
and ActionType == "FileCreated"
and FileName == "File1.exe"
| project-keep FileName, InitiatingProcessFileName, InitiatingProcessCommandLine This returns exactly the fields required to understand which process created File1.exe and with what command line, while keeping the result set lean.

Comment: *

Name: *

Email: *

Verification: *

You have a Microsoft Sentinel workspace that contains a custom workbook.
You need to query the number of daily security alerts. The solution must meet the following requirements:
* Identify alerts that occurred during the last 30 days.
* Display the results in a timechart.
How should you complete the query? To answer, select the appropriate options in the answer area. NOTE:
Each correct selection is worth one point.

Correct Answer:

Explanation:

Comment: *

Name: *

Email: *

Verification: *

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint.
You have the on-premises devices shown in the following table.

You are preparing an incident response plan for devices infected by malware. You need to recommend response actions that meet the following requirements:
* Block malware from communicating with and infecting managed devices.
* Do NOT affect the ability to control managed devices.
Which actions should you use for each device? To answer, select the appropriate options in the answer are a. NOTE: Each correct selection is worth one point.

Correct Answer:

Comment: *

Name: *

Email: *

Verification: *

You have an Microsoft Sentinel workspace named SW1.
You plan to create a custom workbook that will include a time chart.
You need to create a query that will identify the number of security alerts per day for each provider.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

To create a custom workbook in Microsoft Sentinel that displays the number of security alerts per day for each provider, you need to use Kusto Query Language (KQL) functions designed for data aggregation and visualization.
* Using bin(TimeGenerated, 1d)
* The bin() function in KQL is used to group data into time intervals (bins).
* In this case, you want to aggregate alerts by day, so the correct syntax is:
* bin(TimeGenerated, 1d)
* This ensures that the query counts all alerts that fall within each 1-day time window.
* The summarize operator then counts the number of alerts for each ProviderName per day.
* Example:
* summarize count() by ProviderName, bin(TimeGenerated, 1d)
* Using render timechart
* After summarizing data, you use the render operator to specify how the results should be visualized in the Sentinel workbook.
* The timechart rendering type creates a line chart or bar chart where the x-axis represents time (here, days) and the y-axis represents alert counts.
* This visualization helps security analysts quickly see trends and patterns of alert volume per provider over time.
* Example:
* render timechart
* Complete Query Example:
* SecurityAlert
* | where TimeGenerated >= ago(30d)
* | summarize count() by ProviderName, bin(TimeGenerated, 1d)
* | render timechart
This query counts the number of security alerts for each provider (such as Microsoft Defender for Endpoint, Defender for Cloud, etc.) over the last 30 days, grouping results by day and plotting them visually in a time chart.
# Final answer:
* Aggregation: bin(TimeGenerated, 1d)
* Visualization: render timechart

Comment: *

Name: *

Email: *

Verification: *

You have a Microsoft 365 subscription that uses Microsoft 365 Defender and contains a user named User1.
You are notified that the account of User1 is compromised.
You need to review the alerts triggered on the devices to which User1 signed in.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Comment: *

Name: *

Email: *

Verification: *