You need to remediate active attacks to meet the technical requirements.
What should you include in the solution?

• A.Azure Automation runbooks
• B.Azure Logic Apps
• C.Azure Functions
  D Azure Sentinel livestreams

Comment: *

Name: *

Email: *

Verification: *

You are investigating an incident by using Microsoft 365 Defender.
You need to create an advanced hunting query to count failed sign-in authentications on three devices named CFOLaptop. CEOLaptop, and COOLaptop.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE Each correct selection is worth one point

Correct Answer:

Explanation:

Comment: *

Name: *

Email: *

Verification: *

Your company has an on-premises network that uses Microsoft Defender for Identity.
The Microsoft Secure Score for the company includes a security assessment associated with unsecure Kerberos delegation.
You need remediate the security risk.
What should you do?

• A.Install the Local Administrator Password Solution (LAPS) extension on the computers listed as exposed entities.
• B.Modify the properties of the computer objects listed as exposed entities.
• C.Disable legacy protocols on the computers listed as exposed entities.
• D.Enforce LDAP signing on the computers listed as exposed entities.

Comment: *

Name: *

Email: *

Verification: *

You have a Microsoft 365 E5 subscription that uses Microsoft Defender and an Azure subscription that uses Azure Sentinel.
You need to identify all the devices that contain files in emails sent by a known malicious email sender. The query will be based on the match of the SHA256 hash.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

To correlate malicious email attachments with endpoints, Microsoft Defender data schemas expose attachment metadata in EmailAttachmentInfo (including the SHA256 hash) and endpoint file activity in DeviceFileEvents (which also records SHA256 for observed files). The recommended investigation pattern is:
(1) filter email telemetry to the suspected sender and keep only attachments with a populated hash; (2) join that result with endpoint file events on the SHA256 hash to find devices where an identical file (by cryptographic hash) was seen. In KQL, isnotempty(SHA256) ensures you only pass attachments with a valid hash to the join, and join ... on SHA256 performs an exact-match correlation across datasets. This method aligns with Defender's guidance to use hash-based correlation as the most reliable way to match artifacts across different security workloads (email vs. endpoint), since filenames and paths can change, but a cryptographic hash uniquely identifies file content. The final project selects operational fields for response- timestamps, file name and hash, device identifiers/names, message IDs, and sender/recipient-so the SOC can quickly pivot to the impacted devices and the original email that delivered the file.

Comment: *

Name: *

Email: *

Verification: *

You use Azure Sentinel to monitor irregular Azure activity.
You create custom analytics rules to detect threats as shown in the following exhibit.

You do NOT define any incident settings as part of the rule definition.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation
Graphical user interface, text, application, email Description automatically generated

Reference:
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-detect-threats-custom

Comment: *

Name: *

Email: *

Verification: *