You have a custom analytics rule to detect threats in Azure Sentinel.
You discover that the analytics rule stopped running. The rule was disabled, and the rule name has a prefix of AUTO DISABLED.
What is a possible cause of the issue?

• A.There are connectivity issues between the data sources and Log Analytics.
• B.The number of alerts exceeded 10,000 within two minutes.
• C.The rule query takes too long to run and times out.
• D.Permissions to one of the data sources of the rule query were modified.

Comment: *

Name: *

Email: *

Verification: *

You have a Microsoft Sentinel workspace.
A Microsoft Sentinel incident is generated as shewn in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

In Microsoft Sentinel, analysts manage and investigate incidents through the Incident page, which provides multiple investigation and triage tools. The two core aspects of incident analysis relevant here are entity visualization and investigation audit tracking.
* Entity Map (Investigate):
* Selecting Investigate opens the Investigation Graph view in Microsoft Sentinel.
* This interactive map visually displays all the entities (users, IPs, hosts, accounts, files, etc.) related to the alert and their relationships.
* It helps analysts understand how alerts are connected, uncover lateral movements, and explore correlated suspicious activities.
* Microsoft documentation describes this as:
"The investigation graph provides a visual representation of the entities involved in the incident, showing relationships between them to aid root-cause analysis."
* Hence, to view a map of connected entities, choose Investigate.
* Investigation Activities (Comments):
* The Comments tab tracks the activities and analyst notes during the incident lifecycle.
* This includes changes to status, assignments, and documented investigation steps - essentially functioning as an activity log for the incident.
* Microsoft's official Sentinel documentation states:
"The Comments section in the incident pane provides a timeline of analyst interactions, investigation notes, and changes performed on the incident."
* Therefore, to view the list of investigation activities, select Comments.

Comment: *

Name: *

Email: *

Verification: *

You have an Azure Functions app that generates thousands of alerts in Azure Security Center each day for normal activity.
You need to hide the alerts automatically in Security Center.
Which three actions should you perform in sequence in Security Center? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

Correct Answer:

1 - Select Security policy.
2 - Select Suppression rules, and then select Create new suppression rule.
3 - Select Azure Resource as the entity type and specify the ID.
Reference:
https://techcommunity.microsoft.com/t5/azure-security-center/suppression-rules-for-azure-security-center-alerts-are-now/ba-p/1404920

Comment: *

Name: *

Email: *

Verification: *

You have an Azure subscription that contains the users shown in the following table.

You need to delegate the following tasks:
* Enable Microsoft Defender for Servers on virtual machines.
* Review security recommendations and enable server vulnerability scans.
The solution must use the principle of least privilege.
Which user should perform each task? To answer, drag the appropriate users to the correct tasks. Each user may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation
A close-up of a computer screen Description automatically generated

Comment: *

Name: *

Email: *

Verification: *

You are investigating an incident by using Microsoft 365 Defender.
You need to create an advanced hunting query to detect failed sign-in authentications on three devices named CFOLaptop, CEOLaptop, and COOLaptop.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Topic 1, Litware inc.
Existing Environment
Identity Environment
The network contains an Active Directory forest named litware.com that syncs to an Azure Active Directory (Azure AD) tenant named litware.com.
Microsoft 365 Environment
Litware has a Microsoft 365 E5 subscription linked to the litware.com Azure AD tenant. Microsoft Defender for Endpoint is deployed to all computers that run Windows 10. All Microsoft Cloud App Security built-in anomaly detection policies are enabled.
Azure Environment
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription contains resources in the East US Azure region as shown in the following table.

Network Environment
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the virtual networks in the Azure subscription.
On-premises Environment
The on-premises network contains the computers shown in the following table.

Current problems
Cloud App Security frequently generates false positive alerts when users connect to both offices simultaneously.
Planned Changes
Litware plans to implement the following changes:
Create and configure Azure Sentinel in the Azure subscription.
Validate Azure Sentinel functionality by using Azure AD test user accounts.
Business Requirements
Litware identifies the following business requirements:




Azure Information Protection Requirements
All files that have security labels and are stored on the Windows 10 computers must be available from the Azure Information Protection - Data discovery dashboard.
Microsoft Defender for Endpoint Requirements
All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by using Microsoft Defender for Endpoint.
Microsoft Cloud App Security Requirements
Cloud App Security must identify whether a user connection is anomalous based on tenant-level data.
Azure Defender Requirements
All servers must send logs to the same Log Analytics workspace.
Azure Sentinel Requirements
Litware must meet the following Azure Sentinel requirements:
Integrate Azure Sentinel and Cloud App Security.
Ensure that a user named admin1 can configure Azure Sentinel playbooks.
Create an Azure Sentinel analytics rule based on a custom query. The rule must automatically initiate the execution of a playbook.
Add notes to events that represent data access from a specific IP address to provide the ability to reference the IP address when navigating through an investigation graph while hunting.
Create a test rule that generates alerts when inbound access to Microsoft Office 365 by the Azure AD test user accounts is detected. Alerts generated by the rule must be grouped into individual incidents, with one incident per test user account.

Comment: *

Name: *

Email: *

Verification: *