NNY

Microsoft Defender XDR (Defender for Endpoint decepti on) lets you plant advanced lures such as fake cached credentials on endpoints and raise incidents if an attacker tries to use them. To scope lures only to the finance machines, you first create a device group targeting those endpoints (e.g., using tags or attributes). Defender deception supports scoping rules so that planting occurs only on devices in the selected group—meeting the “finance-only” requirement.

To ensure an incident is created when the fake credentials are used, you configure a Honeytoken ac count (Identities). Honeytokens are decoy identities monitored by Microsoft Defender; any authentication attempt using these credentials generates high-fidelity alerts/incidents. After the honeytoken exists, create an advanced lure (not a basic lure) under Endpoints → Deception, select cached credentials as the lure type, associate it with the finance device group , and tie it to the honeytoken . Defender plants the decoy credentials on a random subset of targeted devices and automatically triggers incidents on attempted use—no custom detection rule required.

Thus, the correct sequence to satisfy all goals with least steps is: create device group → configure honeytoken → create advanced lure .

To integrate on-premises servers into Microsoft Defender for Cloud and support features such as Th reat and Vulnerability Management (TVM) and data collection rules , the servers must first be connected to Azure Arc . Azure Arc allows non-Azure servers to be managed as Azure resources and enables Defender for Cloud capabilities such as endpoint protection , vulnerability management, and compliance assessment.

The correct sequence of steps is:

1️ ⃣ Generate the installation script:

In the Azure portal, navigate to Azure Arc → Servers → Add . From there, select the appropriate subscription and resource group, t hen generate the Azure Arc onboarding script . This script includes registration commands and configuration for the machine to connect to Azure.

2️ ⃣ Install the Azure Connected Machine agent:

On each on-premises server, run the generated script. This installs the Azure Connected Machine agent (Azure Arc agent) , which establishes communication between the on-premises server and Azure. After installation, the server appears as an Arc-enabled machine in the Azure portal.

3️ ⃣ Create an Azure Arc Data Contr oller (if data services are required):

Once the machines are connected, you can configure data services or additional Defender for Cloud features (such as data collection and TVM). The Azure Arc Data Controller provides hybrid data capabilities for managin g and monitoring on-premises workloads.

This sequence aligns with Microsoft’s Defender for Cloud documentation and Arc onboarding best practices, ensuring minimal administrative overhead while enabling full SecOps visibility across hybrid environments.

In Microsoft Se ntinel workbooks, parameters can be referenced directly in KQL. For multi-select parameters that include an All option, the recommended pattern is to check the parameter’s label for “All” and otherwise filter by the selected values. Hence:

where ( " {Operati ons:label} " == " All " or Operation in ({Operations}))

This lets the visual treat All as a single choice while still supporting one or many explicit operations.

You also need a Users parameter, so you’d typically include:

| where UserId in ({Users})

Because the data source is OfficeActivity , to scope to SharePoint and OneDrive activity:

| where OfficeWorkload in ( ' OneDrive ' , ' SharePoint ' )

Finally, to exclude empty site URLs , filter out blanks:

| where Site_Url != ' '

Putting it together (for context):

OfficeAct ivity

| where ( " {Operations:label} " == " All " or Operation in ({Operations}))

| where OfficeWorkload in ( ' OneDrive ' , ' SharePoint ' )

| where UserId in ({Users})

| where Site_Url != ' '

| project Site_Url, UserId, Operation, TimeGenerated

1️ ⃣ Connect-IPPSSession

2️ ⃣ New-ComplianceSearch

3️ ⃣ Start-ComplianceSearch

In Microsoft 365 E5 (which includes Microsoft Purview and Exchange On line), to identify phishing email messages using PowerShell, administrators can perform a compliance content search . The process requires connecting to the Microsoft Purview (Security & Compliance Center) PowerShell and then creating and running a compliance search.

Here’s the correct order and purpose of each cmdlet:

1️ ⃣ Connect-IPPSSession

This cmdlet establishes a remote PowerShell session to the Microsoft Purview Compliance Center (formerly Security & Compliance Center) .

It’s required before exe cuting any compliance-related PowerShell commands such as creating or starting a search.

Example:

Connect-IPPSSession

2️ ⃣ New-ComplianceSearch

After connecting, use this cmdlet to create a new compliance content search .

You can define parameters such as th e search name, target locations (e.g., all mailboxes or specific users), and search query (for example, filtering by suspected phishing keywords or sender domains).

Example:

New-ComplianceSearch -Name " PhishingSearch " -ExchangeLocation All -ContentMatchQuery ' Subject: " phish " OR Subject: " urgent action required " '

3️ ⃣ Start-ComplianceSearch

Once the search is defined, this cmdlet initiates the compliance search to scan the selected mailboxes for phishing-related messages.

Example:

Start-Complia nceSearch -Identity " PhishingSearch "

Other cmdlets explained:

Connect-ExchangeOnline is used for managing Exchange Online configuration, not compliance or content searches.

Search-UnifiedAuditLog searches the unified audit log , which is used for activity a uditing, not email content searches.

✅ Final Correct Sequence:

Connect-IPPSSession

New-ComplianceSearch

Start-ComplianceSearch

Microsoft Sentinel provides built-in workbooks for oper ational insights. To analyze mean time metrics (Mean Time to Acknowledge, Mean Time to Resolve, Mean Time to Mitigate), the correct workbook is Security Operations Efficiency .

According to Microsoft’s Sentinel documentation:

“The Security Operations Effici ency workbook helps SOC teams monitor and improve operational performance by showing incident trends and key performance indicators such as mean time to acknowledge (MTTA), mean time to resolve (MTTR), and incident closure rates.”

Other options:

Analytics Efficiency – tracks analytic rule performance.

Event Analyzer – provides event data analysis, not MTTA/MTTR.

Investigation Insights – focuses on incident investigation details, not SOC metrics.

✅ Correct workbook: Security Operations Efficiency

In Microsoft Sentinel, to receive near real-time alerts when specific activities occur—such as Azure Storage account key enumeration —you combine two Sentinel capabilities: Livestream and Analytics rules .

Livestream provides real-time monitoring of events based on KQL q ueries. According to Microsoft Sentinel documentation, Livestream “lets you run queries continuously and get notified immediately when results match specific conditions.” This allows SOC analysts to detect ongoing attacks (such as credential enumeration) a s they happen.

Analytics rules provide ongoing automated monitoring and alerting. A scheduled analytics rule runs periodically (for example, every 5 minutes) and gen erates an alert when a defined condition is met. The “Storage account keys enumerated” even t comes from Microsoft Defender for Cloud (or Azure Activity) logs, so you can define a KQL-based rule to detect these activities.

Therefore:

B (Analytics rule): to automatically generate alerts when the condition is met.

C (Livestream): to receive those a lerts or detections in near real-time as they occur.

Together, these meet the requirement for near real-time detection and alerting with minimal manual monitoring.

To create a custom alert suppression rule in M icrosoft Defender for Cloud (formerly Azure Security Center) , you must first have an existing alert to base the suppression rule on. Suppression rules can only be configured for alert types that have already been triggered.

According to Microsoft’s Defende r for Cloud documentation:

“You can create suppression rules for alerts that you’ve already received. To create the rule, locate the specific alert in Security alerts, open it, and then choose ‘Create suppression rule’ from the alert page.”

Therefore, befo re you can create a suppression rule for suspicious use of PowerShell on VM1 , you must first trigger that alert by performing (or simulating) the action that causes it — in this case, generating a PowerShell activity alert on VM1.

The other options are inc orrect:

(A) Workflow automation is used to respond automatically to alerts, not suppress them.

(B) Get-MPThreatCatalog retrieves malware threat details from Windows Defender, not alert data from Defender for Cloud.

(D) Exporting alerts to Log Analytics is for analysis, not suppression configuration.

✅ Correct answer: C. On VM1, trigger a PowerShell alert

The test analytics rule must generate alerts for inbound Office 365 access by several test users and group those alerts into separate incidents—one per user . In Azure Sentinel, incident grouping by entity depends on the rule’s Entity mapping . When you create a scheduled analytics rule, under Set rule logic you map columns from your query to entities like Account , IP , or Host . Once mapped, you can configure Event grouping so alerts with the same entity value (e.g., the same Account ) are automatically grouped into a single incident. Turning suppression on/off or changing severity/tactics doesn’t influence entity-based incident grouping. Therefore, to ensure “one incident per test user account,” you must map the Acco unt entity (and any other relevant entities) in Set rule logic , then enable grouping by that entity—fulfilling the Sentinel requirement.QUESTION NO: 3 HOTSPOT

You need to create the analytics rule to meet the Azure Sentinel requirements.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer: < map > < m x1= " 300 " x2= " 402 " y1= " 181 " y2= " 204 " ss= " 0 " a= " 0 " / > < m x1= " 294 " x2= " 386 " y1= " 295 " y2= " 321 " ss= " 0 " a= " 0 " / > < /map >

Acc ording to Microsoft Security Operations (SecOps) and Azure Sentinel documentation, when you need to create an analytics rule that executes a custom KQL query and automatically initiates a playbook , the correct configuration is to create a Scheduled rule an d ensure the playbook includes a trigger .

Here’s why:

A Scheduled analytics rule in Microsoft Sentinel (Microsoft Defender XDR portal) is designed for running custom KQL queries at defined intervals (for example, every hour or every few minutes) to detect specific patterns of suspicious activity. When the rule’s conditions are met, Sentinel generates alerts that can automatically trigger a playbook for response and automation.

A playbook in Sentinel is an Azure Logic App that automates responses to incident s or alerts. To connect a playbook to an analytics rule, it must include a trigger —specifically, the “Microsoft Sentinel Alert” or “Incident trigger.” This allows the rule to start the playbook automatically when the defined condition is met.

The other opt ions are incorrect because:

Fusion rules are built-in and use Microsoft’s machine learning to correlate signals automatically; they can’t be used for custom queries.

Microsoft incident creation rules are also built-in and handle alert-to-incident grouping logic, not custom query execution.

A service principal would be needed for permissions (e.g., admin1 configuring playbooks), but not inside the playbook itself.

Diagnostics settings apply to log collection and retention, not rule automation.

Therefore, bas ed on Microsoft Sentinel best practices and documentation:

✅ Create the rule of type: Scheduled

✅ Configure the playbook to include: A trigger

In Microsoft Sentinel, entity ma pping is a critical configuration that ensures detected events and alerts are correctly represented in the investigation graph , incidents , and hunting experiences . The Sentinel requirements in the case study specify:

“Add notes to events that represent dat a access from a specific IP address to provide the ability to reference the IP address when navigating through an investigation graph while hunting.”

To meet this requirement, the analytic rule must be configured to map entities such as IP address, user, h ostname, or URL in the Set rule logic section. This mapping allows the incident and its related alerts to visually associate with those entities, enabling analysts to pivot and investigate in the Sentinel investigation graph.

According to Microsoft Sentine l documentation:

“Entity mapping in analytic rules helps correlate alerts and incidents to specific entities such as accounts, IPs, or hosts, enabling richer investigation experiences and faster triage.”

Therefore, configuring entity mapping directly under Set rule logic ensures that incidents are enriched with contextual information (for example, the specific IP address), meeting both the functional and investigative requirements.

✅ Final Answer for Question 2: C. From Set rule logic, map the entities.