Topic 3: Misc. Questions
You have an Azure subscription that has Azure Defender enabled for all supported
resource types.
You create an Azure logic app named LA1.
You plan to use LA1 to automatically remediate security risks detected in Azure Security
Center.
You need to test LA1 in Security Center.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.


You have a Microsoft Sentinel workspace named sws1.
You need to create a hunting query to identify users that list storage keys of multiple Azure
Storage accounts. The solution must exclude users that list storage keys for a single
storage account.
How should you complete the query? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.


You are investigating an incident by using Microsoft 365 Defender.
You need to create an advanced hunting query to count failed sign-in authentications on
three devices named CFOLaptop, CEOLaptop, and COOLaptop.
How should you complete the query? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.


You need to create a query for a workbook. The query must meet the following
requirements:
List all incidents by incident number.
Only include the most recent log for each incident.
How should you complete the query? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.


You have a Microsoft Sentinel workspace.
You need to create a KQL query that will identify successful sign-ins from multiple countries
during the last three hours.
How should you complete the query? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.


You have a Microsoft Sentinel workspace named workspace1 and an Azure virtual
machine named VM1.
You receive an alert for suspicious use of PowerShell on VM1.
You need to investigate the incident, identify which event triggered the alert, and identify
whether the following actions occurred on VM1 after the alert:
The modification of local group memberships
The purging of event logs
Which three actions should you perform in sequence in the Azure portal? To answer, move
the appropriate actions from the list of actions to the answer area and arrange them in the
correct order.


You provision Azure Sentinel for a new Azure subscription. You are configuring the
Security Events connector.
While creating a new rule from a template in the connector, you decide to generate a new
alert for every event. You create the following rule query.

By which two components can you group alerts into incidents? Each correct answer presents a complete
solution.
NOTE: Each correct selection is worth one point.
A. user
B. resource group
C. IP address
D. computer
Answer: A. user, D. computer

You have the following advanced hunting query in Microsoft 365 Defender.

You need to receive an alert when any process disables System Restore on a device
managed by Microsoft Defender during the last 24 hours.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Create a detection rule.
B. Create a suppression rule.
C. Add | order by Timestamp to the query.
D. Replace DeviceProcessEvents with DeviceNetworkEvents.
E. Add DeviceId and ReportId to the output of the query.
Answer: A. Create a detection rule. E. Add DeviceId and ReportId to the output of the query.

You have an Azure Storage account that will be accessed by multiple Azure Function apps
during the development of an application.
You need to hide Azure Defender alerts for the storage account.
Which entity type and field should you use in a suppression rule? To answer, select the
appropriate options in the answer area.
NOTE: Each correct selection is worth one point.


You have an Azure Sentinel deployment.
You need to query for all suspicious credential access activities.
Which three actions should you perform in sequence? To answer, move the appropriate
actions from the list of actions to the answer area and arrange them in the correct order.


| Page 4 out of 16 Pages |