HOTSPOT -
You have a Microsoft 365 subscription.
You are planning a threat management solution for your organization.
You need to minimize the likelihood that users will be affected by the following threats:
✑ Opening files in Microsoft SharePoint that contain malicious content
✑ Impersonation and spoofing attacks in email messages
Which policies should you create in Microsoft 365 Defender? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Box 1: ATP Safe Attachments -
ATP Safe Attachments provides zero-day protection to safeguard your messaging system, by checking email attachments for malicious content. It routes all messages and attachments that do not have a virus/malware signature to a special environment, and then uses machine learning and analysis techniques to detect malicious intent. If no suspicious activity is found, the message is forwarded to the mailbox.
Box 2: ATP anti-phishing -
ATP anti-phishing protection detects attempts to impersonate your users and custom domains. It applies machine learning models and advanced impersonation-detection algorithms to avert phishing attacks.
ATP Safe Links provides time-of-click verification of URLs, for example, in email messages and Office files. Protection is ongoing and applies across your messaging and Office environment. Links are scanned for each click: safe links remain accessible and malicious links are dynamically blocked.
References:
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/office-365-atp#configure-atp-policies
You have a Microsoft 365 subscription.
All users have their email stored in Microsoft Exchange Online.
In the mailbox of a user named User1, you need to preserve a copy of all the email messages that contain the word ProjectX.
What should you do first?
Answer:
D
A DLP policy contains a few basic things:
Where to protect the content: locations such as Exchange Online, SharePoint Online, and OneDrive for Business sites, as well as Microsoft Teams chat and channel messages.
When and how to protect the content by enforcing rules comprised of:
Conditions the content must match before the rule is enforced. For example, a rule might be configured to look only for content containing Social Security numbers that's been shared with people outside your organization.
Actions that you want the rule to take automatically when content matching the conditions is found. For example, a rule might be configured to block access to a document and send both the user and compliance officer an email notification.
References:
https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies
You have a Microsoft 365 subscription.
From the subscription, you perform an audit log search, and you download all the results.
You plan to review the audit log data by using Microsoft Excel.
You need to ensure that each audited property appears in a separate Excel column.
What should you do first?
Answer:
A
After you search the Office 365 audit log and download the search results to a CSV file, the file contains a column named AuditData, which contains additional information about each event. The data in this column is formatted as a JSON object, which contains multiple properties that are configured as property:value pairs separated by commas. You can use the JSON transform feature in the Power Query Editor in Excel to split each property in the JSON object in the AuditData column into multiple columns so that each property has its own column. This lets you sort and filter on one or more of these properties.
References:
https://docs.microsoft.com/en-us/microsoft-365/compliance/export-view-audit-log-records
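The same AuditData expansion done in Python instead of Power Query, as an added example that is not code from the page or from Microsoft: the header and AuditData column names follow the audit log CSV export format, the two sample rows are constructed, and nested objects and arrays are expanded into dotted column names (AuditData.ClientIP, AuditData.ExtendedProperties[0].Name) the way the Excel transform produces them.

```python
import csv
import io
import json

# Constructed sample export (not real tenant data): column names follow
# the audit log CSV format; AuditData is a JSON string quoted per CSV
# rules, so the inner double quotes are doubled.
SAMPLE_CSV = (
    "CreationDate,UserIds,Operations,AuditData\r\n"
    "2021-03-01T10:15:00,user1@contoso.com,FileAccessed,"
    '"{""Operation"":""FileAccessed"",""Workload"":""SharePoint"",'
    '""ClientIP"":""203.0.113.10"",""ObjectId"":""ProjectX.docx""}"\r\n'
    "2021-03-01T10:16:00,user2@contoso.com,UserLoggedIn,"
    '"{""Operation"":""UserLoggedIn"",""ResultStatus"":""Succeeded"",'
    '""ExtendedProperties"":[{""Name"":""UserAgent"",""Value"":""Mozilla/5.0""}]}"\r\n'
)


def flatten(value, prefix):
    """Flatten nested JSON into {"a.b[0].c": scalar} pairs, one per column."""
    if isinstance(value, dict):
        items = [(f"{prefix}.{k}", v) for k, v in value.items()]
    elif isinstance(value, list):
        items = [(f"{prefix}[{i}]", v) for i, v in enumerate(value)]
    else:
        return {prefix: value}
    out = {}
    for key, sub in items:
        out.update(flatten(sub, key))
    return out


def expand_audit_data(csv_text):
    """Return (columns, rows) with every AuditData property in its own column.

    A row whose AuditData is empty or not valid JSON is kept, with the raw
    text in an 'AuditData.error' column, instead of aborting the whole file.
    """
    columns, rows = [], []
    for record in csv.DictReader(io.StringIO(csv_text)):
        raw = record.pop("AuditData", "")
        try:
            props = flatten(json.loads(raw), "AuditData")
        except (json.JSONDecodeError, TypeError):
            props = {"AuditData.error": raw}
        row = {**record, **props}
        columns.extend(c for c in row if c not in columns)
        rows.append(row)
    return columns, rows
```

Rows that lack a property simply have no value in that column, which is what csv.DictWriter expects if you write the result back out for Excel.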
You have a Microsoft 365 subscription.
You need to be notified if users receive email containing a file that has a virus.
What should you do?
Answer:
C
You can create alert policies to track malware activity and data loss incidents. We've also included several default alert policies that help you monitor activities such as assigning admin privileges in Exchange Online, malware attacks, phishing campaigns, and unusual levels of file deletions and external sharing.
The "Email messages containing malware removed after delivery" default alert generates an alert when any messages containing malware are delivered to mailboxes in your organization.
Incorrect answers:
A: A spam filter policy includes selecting the action to take on messages that are identified as spam. Spam filter policy settings are applied to inbound messages.
B: A data governance event commences when an administrator creates it, following which background processes look for content relating to the event and take the retention action defined in the label. The retention action can be to keep or remove items, or to mark them for manual disposition.
D: You can inspect email attachments in your Exchange Online organization by setting up mail flow rules. Exchange Online offers mail flow rules that provide the ability to examine email attachments as a part of your messaging security and compliance needs. However, mail flow rules are not used to detect malware in emails.
Reference:
https://docs.microsoft.com/en-us/office365/securitycompliance/alert-policies
DRAG DROP -
You have the Microsoft Azure Advanced Threat Protection (ATP) workspace shown in the Workspace exhibit. (Click the Workspace tab.)
The sensors settings for the workspace are configured as shown in the Sensors exhibit. (Click the Sensors tab.)
You need to ensure that Azure ATP stores data in Asia.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Answer:
Your company has five security information and event management (SIEM) appliances. The traffic logs from each appliance are saved to a file share named Logs.
You need to analyze the traffic logs.
What should you do from Microsoft Defender for Cloud Apps?
Answer:
C
Reference:
https://docs.microsoft.com/en-us/cloud-app-security/create-snapshot-cloud-discovery-reports
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant that contains a user named User1.
Your company purchases a Microsoft 365 subscription.
You need to ensure that User1 is assigned the required role to create file policies and manage alerts in the Defender for Cloud Apps admin center.
Solution: From the Defender for Cloud Apps admin center, you assign the App/instance admin role for all Microsoft Online Services to User1.
Does this meet the goal?
Answer:
B
App/instance admin: Has full or read-only permissions to all of the data in Microsoft Defender for Cloud Apps that deals exclusively with the specific app or instance of an app selected.
Reference:
https://docs.microsoft.com/en-us/cloud-app-security/manage-admins
Your company has a Microsoft 365 subscription that uses an Azure Active Directory (Azure AD) tenant named contoso.com.
The tenant is configured to use Azure AD Identity Protection.
You plan to use an application named App1 that creates reports of Azure AD Identity Protection usage.
You register App1 in the tenant.
You need to ensure that App1 can read the risk event information of contoso.com.
To which API should you delegate permissions?
Answer:
C
Reference:
https://docs.microsoft.com/en-us/graph/api/resources/identityprotection-root?view=graph-rest-beta
Your company has a Microsoft 365 subscription that uses an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains computers that run Windows 10 Enterprise and are managed by using Microsoft Endpoint Manager. The computers are configured as shown in the following table.
You plan to implement Windows Defender Application Guard for contoso.com.
You need to identify on which two Windows 10 computers Windows Defender Application Guard can be installed.
Which two computers should you identify? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
Answer:
BC
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard
HOTSPOT -
Your company uses Microsoft Defender for Endpoint.
The devices onboarded to Microsoft Defender for Endpoint are shown in the following table.
The alerts visible in the Microsoft Defender for Endpoint alerts queue are shown in the following table.
You create a suppression rule that has the following settings:
✑ Triggering IOC: Any IOC
✑ Action: Hide alert
✑ Suppression scope: Alerts on ATP1 machine group
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
A suppression rule will not affect alerts that are already in the alerts queue. Only new alerts will be suppressed.