You need to create a query for a workbook. The query must meet the following requirements:
* List all incidents by incident number.
* Only include the most recent log for each incident.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

In Microsoft Sentinel (now part of Microsoft Defender XDR), Kusto Query Language (KQL) is used to create queries for workbooks, analytics rules, and hunting queries. The SecurityIncident table contains all incidents created in Sentinel, including their timestamps, severities, and metadata.
To meet the requirements:
* "List all incidents by incident number" # means grouping results by the field IncidentNumber.
* "Only include the most recent log for each incident" # means you must return only the latest record for each incident.
In KQL, the correct operator for this purpose is summarize arg_max(). The function arg_max (LastModifiedTime, *) returns the row (record) that has the maximum LastModifiedTime for each group- in this case, each unique IncidentNumber-along with all its other columns (indicated by *).
Therefore, the complete and correct query is:
SecurityIncident
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
* summarize aggregates records based on the specified grouping key (IncidentNumber).
* arg_max() selects the latest record based on LastModifiedTime.
This query will return exactly one record per IncidentNumber, corresponding to the most recently modified incident entry-perfectly fulfilling the requirement of showing the latest incident state for each case in a Sentinel workbook.
# Correct selections:
* First dropdown: summarize
* Second dropdown: arg_max

Comment: *

Name: *

Email: *

Verification: *

You have 50 on-premises servers.
You have an Azure subscription that uses Microsoft Defender for Cloud. The Defender for Cloud deployment has Microsoft Defender for Servers and automatic provisioning enabled.
You need to configure Defender for Cloud to support the on-premises servers. The solution must meet the following requirements:
* Provide threat and vulnerability management.
* Support data collection rules.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Correct Answer:

Explanation:
To configure Defender for Cloud to support the on-premises servers, you should perform the following three actions in sequence:
* On the on-premises servers, install the Azure Connected Machine agent.
* On the on-premises servers, install the Log Analytics agent.
* From the Data controller settings in the Azure portal, create an Azure Arc data controller.
Once these steps are completed, the on-premises servers will be able to communicate with the Azure Defender for Cloud deployment and will be able to support threat and vulnerability management as well as data collection rules. Reference: https://docs.microsoft.com/en-us/azure/security-center/deploy-azure-security- center#on-premises-deployment

Comment: *

Name: *

Email: *

Verification: *

You need to minimize the effort required to investigate the Microsoft Defender for Identity false positive alerts. What should you review?

• A.the resolution method of the source computer
• B.the alert status
• C.the certainty of the source computer
• D.the status update time

Comment: *

Name: *

Email: *

Verification: *

You need to meet the Microsoft Defender for Cloud Apps requirements
What should you do? To answer. select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation

Comment: *

Name: *

Email: *

Verification: *

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint.
You have the on-premises devices shown in the following table.

You are preparing an incident response plan for devices infected by malware. You need to recommend response actions that meet the following requirements:
* Block malware from communicating with and infecting managed devices.
* Do NOT affect the ability to control managed devices.
Which actions should you use for each device? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Comment: *

Name: *

Email: *

Verification: *