You have an Azure subscription that uses Microsoft Defender for Cloud and contains a
storage account named storage1. You receive an alert that there was an unusually high
volume of delete operations on the blobs in storage1.
You need to identify which blobs were deleted.
What should you review?

You have an Azure Sentinel deployment in the East US Azure region.
You create a Log Analytics workspace named LogsWest in the West US Azure region.
You need to ensure that you can use scheduled analytics rules in the existing Azure
Sentinel deployment to generate alerts based on queries to LogsWest.
What should you do first?

You have an Azure subscription. The subscription contains 10 virtual machines that are
onboarded to Microsoft Defender for Cloud.
You need to ensure that when Defender for Cloud detects digital currency mining behavior
on a virtual machine, you receive an email notification. The solution must generate a test
email.
Which three actions should you perform in sequence? To answer, move the appropriate
actions from the list of actions to the answer area and arrange them in the correct order.

You need to modify the anomaly detection policy settings to meet the Cloud App Security
requirements. Which policy should you modify?

You are informed of an increase in malicious email being received by users.
You need to create an advanced hunting query in Microsoft 365 Defender to identify
whether the accounts of the email recipients were compromised. The query must return the
most recent 20 sign-ins performed by the recipients within an hour of receiving the known
malicious email.
How should you complete the query? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.

You are configuring Microsoft Cloud App Security.
You have a custom threat detection policy based on the IP address ranges of your
company’s United States-based offices.
You receive many alerts related to impossible travel and sign-ins from risky IP addresses.
You determine that 99% of the alerts are legitimate sign-ins from your corporate offices.
You need to prevent alerts for legitimate sign-ins from known locations.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

You have an Azure subscription that contains an Microsoft Sentinel workspace.
You need to create a hunting query using Kusto Query Language (KQL) that meets the
following requirements:
• Identifies an anomalous number of changes to the rules of a network security group
(NSG) made by the same security principal
• Automatically associates the security principal with an Microsoft Sentinel entity
How should you complete the query? To answer, select the appropriate options in the
answer area. NOTE: Each correct selection is worth one point.

You have an Azure subscription named Sub1 and a Microsoft 365 subscription. Sub1 is
linked to an Azure Active Directory (Azure AD) tenant named contoso.com.
You create an Azure Sentinel workspace named workspace1. In workspace1, you activate
an Azure AD connector for contoso.com and an Office 365 connector for the Microsoft 365
subscription.
You need to use the Fusion rule to detect multi-staged attacks that include suspicious signins
to contoso.com followed by anomalous Microsoft Office 365 activity.
Which two actions should you perform? Each correct answer present part of the solution.
NOTE: Each correct selection is worth one point.