Correct Answer: A

To visualize Azure Sentinel data and enrich it by using third-party data sources to identify indicators of compromise (IoC), you can use notebooks in Azure Sentinel.

Notebooks in Azure Sentinel are interactive documents that allow you to run queries, create visualizations, and perform data analysis on your Azure Sentinel data. They also allow you to connect to other data sources, such as third-party

threat intelligence feeds, to enrich the data and identify indicators of compromise (IoCs).

Once you have connected to the third-party data source, you can use Azure Sentinel notebook to blend the data, and create visualizations, and perform data analysis to identify the potential attack.

Reference:

https://docs.microsoft.com/en-us/azure/sentinel/notebooks

Correct Answer: A

Once you have connected your data sources to Microsoft Sentinel, you can visualize and monitor the data using the Microsoft Sentinel adoption of Azure Monitor Workbooks, which provides versatility in creating custom dashboards. While the Workbooks are displayed differently in Microsoft Sentinel, it may be useful for you to see how to create interactive reports with Azure Monitor Workbooks. Microsoft Sentinel allows you to create custom workbooks across your data, and also comes with built-in workbook templates to allow you to quickly gain insights across your data as soon as you connect a data source.

Reference: https://docs.microsoft.com/en-us/azure/sentinel/monitor-your-data

Correct Answer: A

Import a list of IoCs

You can choose to upload a CSV file that defines the attributes of indicators, the action to be taken, and other details.

1.

Download the sample CSV to know the supported column attributes.

2.

In the navigation pane, select Settings > Endpoints > Indicators (under Rules).

3.

Select the tab of the entity type you'd like to import indicators for.

4.

Select Import > Choose file.

5.

Select Import. Do this for all the files you'd like to import.

6.

Select Done.

Note: You can create an indicator for:

Files

IP addresses

URLs/domains

Certificates

Incorrect:

Not B: Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported.

Not C: Only single IP addresses are supported (no CIDR blocks or IP ranges) in custom indicators.

Not D: Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported.

Note 2: Create an indicator for IPs, URLs, or domains from the settings page

1.

In the navigation pane, select Settings > Endpoints > Indicators (under Rules).

2.

Select the IP addresses or URLs/Domains tab.

Only single IP addresses are supported (no CIDR blocks or IP ranges) in custom indicators

3.

Select Add item.

4.

Specify the following details:

Indicator - Specify the entity details and define the expiration of the indicator.

Action - Specify the action to be taken and provide a description.

Scope - Define the scope of the machine group.

5.

Review the details in the Summary tab, then select Save.

Reference:

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/indicator-manage

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-indicators

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/indicator-ip-domain

Correct Answer: A

When you open Microsoft Sentinel, you are presented with a list of all the workspaces to which you have access rights, across all selected tenants and subscriptions. To the left of each workspace name is a checkbox. Selecting the name of a single workspace will bring you into that workspace. To choose multiple workspaces, select all the corresponding checkboxes, and then select the View incidents button at the top of the page.

https://learn.microsoft.com/en-us/azure/sentinel/multiple-workspace-view

Correct Answer:

Microsoft Sentinel hunting query OperationNameValue ActivityStatusValue EventSubmissionTimeStamp

Microsoft Sentinel hunting query AccountCustomEntity

Box 1: AzureActivity

The AzureActivity table includes data from many services, including Microsoft Sentinel. To filter in only data from Microsoft Sentinel, start your query with the following code:

| where OperationNameValue startswith "MICROSOFT.SECURITYINSIGHTS"

For example, to find out who was the last user to edit a particular analytics rule, use the following query (replacing xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx with the rule ID of the rule you want to check):

AzureActivity

| where OperationNameValue startswith "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE"

| where Properties contains "alertRules/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

| project Caller , TimeGenerated , Properties

Box 2: where

Example:

Find all actions taken by a specific user in the last 24 hours

The following AzureActivity table query lists all actions taken by a specific Azure AD user in the last 24 hours.

AzureActivity

| where OperationNameValue contains "SecurityInsights"

| where Caller == "[AzureAD username]"

| where TimeGenerated > ago(1d)

Reference:

https://learn.microsoft.com/en-us/azure/sentinel/audit-sentinel-data

Correct Answer:

Box 1: bin

bin() rounds values down to an integer multiple of a given bin size.

Used frequently in combination with summarize by .... If you have a scattered set of values, they'll be grouped into a smaller set of specific values.

Null values, a null bin size, or a negative bin size will result in null.

Alias to floor() function.

Syntax

bin(value,roundTo)

The following expression calculates a histogram of durations, with a bucket size of 1 second:

Kusto

T | summarize Hits=count() by bin(Duration, 1s)

Box 2: render

render operator instructs the user agent to render the results of the query in a particular way.

Syntax

T | render Visualization [with ( PropertyName = PropertyValue [, ...] )]

Arguments

Visualization indicates the kind of visualization to use. The supported values are timechart for example.

Reference: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/renderoperator?pivots=azuredataexplorer

Correct Answer:

Box 1: Security Administrator

Azure AD Role

Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel

Prerequisites

To enable or disable this feature (these prerequisites are not required to use the feature):

Your user must be assigned the Global Administrator or Security Administrator roles in Azure AD.

Your user must be assigned at least one of the following Azure roles (Learn more about Azure RBAC):

Microsoft Sentinel Contributor at the workspace or resource group levels.

Log Analytics Contributor at the resource group or subscription levels.

Your workspace must not have any Azure resource locks applied to it. Learn more about Azure resource locking.

Box 2: Microsoft Sentinel Contributor

Azure Role

Reference:

https://learn.microsoft.com/en-us/azure/sentinel/enable-entity-behavior-analytics

Correct Answer:

Box 1: IdentityInfo Example: IdentityInfo | where JobTitle == "CONSULTANT" | join hint.shufflekey = AccountObjectId (IdentityDirectoryEvents

| where Application == "Active Directory" | where ActionType == "Private data retrieval") on AccountObjectId

Note: The IdentityInfo table in the advanced hunting schema contains information about user accounts obtained from various services, including Azure Active Directory. Use this reference to construct queries that return information from this table.

AccountObjectId Unique identifier for the account in Azure AD

Department Name of the department that the account user belongs to

Box 2: IdentityLogonEvents The IdentityLogonEvents table in the advanced hunting schema contains information about authentication activities made through your on-premises Active Directory captured by Microsoft Defender for Identity and authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps.

Column names include:

AccountObjectId Unique identifier for the account in Azure AD

Etc.

Incorrect:

Audit Logs (User and group management activity)

SignInLogs (Authentication Activity)

Reference: https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identityinfo-table https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table

Correct Answer:

Correct Answer:

Box 1: User1

Enable Microsoft Defender for Servers on virtual machines.

User1 is Security Admin.

Security Admin

View and update permissions for Microsoft Defender for Cloud. Same permissions as the Security Reader role and can also update the security policy and dismiss alerts and recommendations.

Box 2: User2

Review security recommendations and enable server vulnerability scans.

User2 is Security Reader.

Security Reader

View permissions for Microsoft Defender for Cloud. Can view recommendations, alerts, a security policy, and security states, but cannot make changes.

Defender for Cloud's integrated Qualys vulnerability scanner for Azure and hybrid machines

Required roles and permissions:

Owner (resource group level) can deploy the scanner

Security Reader can view findings

Incorrect:

Contributor (User3)

Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.

Reference: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles https://learn.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-vm