Sample Questions and Answers
What is the primary use of Microsoft Sentinel “Playbooks”?
To visualize data
B. To automate incident response tasks
C. To ingest data
D. To create user accounts
Answer: B
Explanation: Playbooks automate workflows like notifications and remediation.
Which Microsoft Sentinel feature allows you to schedule periodic automated threat hunting queries?
Workbooks
B. Scheduled Analytics Rules
C. Watchlists
D. Playbooks
Answer: B
Explanation: Scheduled Analytics Rules can run queries on a set schedule to detect threats proactively.
What is the function of the “Data Collection Rule” (DCR) in Microsoft Sentinel?
Defines how data is ingested from different sources into the Log Analytics workspace
B. Configures alert severity levels
C. Automates incident response
D. Manages user access
Answer: A
Explanation: DCRs specify what data is collected and how from various agents and resources.
Which Microsoft Sentinel feature helps identify compromised user accounts based on unusual sign-in patterns?
UEBA (User and Entity Behavior Analytics)
B. Fusion
C. Watchlists
D. Playbooks
Answer: A
Explanation: UEBA detects behavioral anomalies indicating potential compromise.
How can you ingest security logs from Amazon Web Services (AWS) into Microsoft Sentinel?
Native AWS connector in Sentinel
B. Using Syslog or custom API integration
C. Using Azure AD connector
D. It is not possible to ingest AWS logs
Answer: B
Explanation: Logs can be ingested via Syslog or API-based custom connectors.
Which of the following is NOT a valid data source for Microsoft Sentinel connectors?
Microsoft Defender for Office 365
B. Azure Firewall
C. Salesforce CRM logs
D. Cisco ASA Firewall logs
Answer: C
Explanation: Salesforce CRM logs are not natively supported; custom ingestion required.
What is the maximum retention period for data in Azure Log Analytics (which backs Microsoft Sentinel)?
30 days
B. 90 days
C. 730 days (2 years)
D. Unlimited
Answer: C
Explanation: Retention can be configured up to 730 days; longer storage requires archiving.
How does Microsoft Sentinel utilize “Watchlists” in detection?
To automatically quarantine devices
B. To enrich alerts with contextual data such as known suspicious IPs or users
C. To generate backup logs
D. To filter user access
Answer: B
Explanation: Watchlists add external reference data to improve detection accuracy.
What action can be automated by a Microsoft Sentinel Playbook?
Running KQL queries
B. Sending email notifications upon alert trigger
C. Ingesting new data sources
D. Updating user permissions
Answer: B
Explanation: Playbooks can automate notifications, isolating devices, or other response actions.
Which Microsoft Sentinel feature helps reduce duplicate or related alerts?
Fusion
B. Watchlists
C. Workbooks
D. Data Connectors
Answer: A
Explanation: Fusion correlates alerts from different sources to reduce noise.
What is the primary role of Microsoft Sentinel’s “Incidents”?
Represent a collection of related alerts grouped for investigation
B. Store raw log data
C. Visualize trends in a dashboard
D. Automate backup processes
Answer: A
Explanation: Incidents organize alerts into actionable cases.
Which authentication method is required to connect Azure AD logs to Microsoft Sentinel?
OAuth 2.0
B. API Key
C. Kerberos
D. Basic Auth
Answer: A
Explanation: OAuth 2.0 is used to securely authenticate and authorize Azure AD data connectors.
What capability does the Microsoft Sentinel “Threat Intelligence” feature provide?
Real-time blocking of attacks
B. Integration and management of external threat intelligence feeds
C. Data backup and recovery
D. User account management
Answer: B
Explanation: It allows importing and using threat intel for detection and enrichment.
Which Azure service is used to build automated workflows called “Playbooks” for Microsoft Sentinel?
Azure Functions
B. Azure Logic Apps
C. Azure Automation
D. Azure DevOps
Answer: B
Explanation: Playbooks are built using Azure Logic Apps.
What kind of alert rule would you use to detect a specific known malicious activity based on signatures?
Machine learning based alert
B. Scheduled alert with custom query
C. Signature-based analytics rule
D. Behavioral analytics rule
Answer: C
Explanation: Signature-based rules detect known attack patterns.
Which is the primary programming or query language used for threat hunting in Microsoft Sentinel?
SQL
B. Python
C. KQL (Kusto Query Language)
D. PowerShell
Answer: C
Explanation: KQL is used for querying Log Analytics data.
How can Microsoft Sentinel help in mitigating phishing attacks?
By scanning emails for malicious links and attachments through integration with Defender for Office 365
B. By blocking all external emails
C. By disabling user email accounts
D. By removing all links in emails
Answer: A
Explanation: Integration with Defender for Office 365 helps detect and respond to phishing.
Which Microsoft Sentinel feature provides an overview of security posture and alerts in a single view?
Incidents dashboard
B. Workbooks
C. Playbooks
D. Data Connectors
Answer: B
Explanation: Workbooks offer customizable dashboards for overview and analysis.
What does the “Fusion” feature in Microsoft Sentinel primarily aim to detect?
Simple port scans
B. Complex multi-stage attacks by correlating alerts
C. Data encryption
D. User sign-in errors
Answer: B
Explanation: Fusion detects complex attack chains by correlating multiple alerts.
What is the minimum role required to manage Microsoft Sentinel workspace settings?
Azure Security Reader
B. Log Analytics Contributor
C. Microsoft Sentinel Responder
D. Microsoft Sentinel Contributor
Answer: D
Explanation: The Contributor role grants permissions to manage Sentinel workspace and settings.
Which Microsoft Sentinel tool helps you visualize and explore relationships between entities during investigations?
Entity Mapping
B. Fusion
C. Watchlists
D. Playbooks
Answer: A
Explanation: Entity Mapping shows links between users, IPs, devices, etc.
What type of data source is Windows Defender ATP (now Defender for Endpoint) considered in Microsoft Sentinel?
Network data source
B. Endpoint data source
C. Email data source
D. Identity provider
Answer: B
Explanation: Defender for Endpoint provides endpoint telemetry.
How does Microsoft Sentinel ensure data compliance with regulatory standards?
By encrypting all data and providing audit logs for access
B. By deleting data after 7 days
C. By disabling alerts during audits
D. By requiring user approval for all queries
Answer: A
Explanation: Sentinel encrypts data and offers logs for compliance audits.
Which component in Microsoft Sentinel allows for importing threat intelligence indicators?
Data Connectors
B. Watchlists
C. Threat Intelligence Platforms
D. Analytics Rules
Answer: B
Explanation: Watchlists can import TI indicators to enhance detection.
What type of Microsoft Sentinel analytics rule uses machine learning to detect suspicious activities?
Fusion
B. Behavioral analytics rule
C. Scheduled alert
D. Watchlist alert
Answer: B
Explanation: Behavioral analytics rules leverage ML models for anomaly detection.
What is the maximum number of playbooks that can be associated with a single Microsoft Sentinel analytics rule?
1
B. 5
C. 10
D. Unlimited
Answer: D
Explanation: There is no fixed limit; multiple playbooks can be linked to a rule.
How can you export Microsoft Sentinel incidents for external reporting?
Via Playbooks only
B. Using Azure Logic Apps or API export options
C. Incidents cannot be exported
D. Only manually via screenshots
Answer: B
Explanation: Sentinel provides APIs and Logic Apps for exporting incidents.
What does the “Incident Triage” process involve in Microsoft Sentinel?
Assigning severity, grouping, and investigating alerts to prioritize response
B. Automatically deleting alerts
C. Creating new users
D. Encrypting logs
Answer: A
Explanation: Triage helps prioritize and analyze incidents efficiently.
Which Microsoft Sentinel feature provides machine learning-based detections with predefined queries?
Fusion
B. Built-in analytics rules
C. Playbooks
D. Workbooks
Answer: B
Explanation: Built-in analytics rules include ML-based detections.
What kind of logs does Azure AD Identity Protection send to Microsoft Sentinel?
Sign-in risk logs and compromised account alerts
B. Firewall logs
C. Network traffic logs
D. Application error logs
Answer: A
Explanation: Identity Protection sends risk and compromise detection logs.
Which Microsoft Sentinel capability is designed to enhance collaboration during incident investigations?
Playbooks
B. Comments and tagging within incidents
C. Data Connectors
D. Watchlists
Answer: B
Explanation: Comments and tagging help teams share insights in incident management.
Reviews
There are no reviews yet.