Microsoft Microsoft Certifications MS-500 Questions & Answers

• Question 341:

  HOTSPOT

  Your network contains an Active Directory domain named contoso.com. The domain contains a VPN server named VPN1 that runs Windows Server 2016 and has the Remote Access server role installed.

  You have a Microsoft Azure subscription.

  You are deploying Microsoft Defender for Identity.

  You install a Microsoft Defender for Identity standalone sensor on a server named Server1 that runs Windows Server 2016.

  You need to integrate the VPN and Microsoft Defender for Identity.

  What should you do? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Three steps are required to set up VPN monitoring using Defender for Identity

  1.

  Configure RADIUS Accounting on VPN1

  2.

  Enable VPN / RADIUS Accounts in Defender for Identity

  3.

  Enable inbound port 1813 on Server1

  Reference: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/install-atp-step6-vpn

• Question 342:

  DRAG DROP

  Your company has two departments named department1 and department2 and a Microsoft 365 E5 subscription.

  You need to prevent communication between the users in department1 and the users in department2.

  How should you complete the PowerShell script?

  To answer, drag the appropriate values to the correct targets. Each value may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

  NOTE: Each correct selection is worth one point.

  Select and Place:

  

  Correct Answer:

  

  Box 1: New-OrganizationSegment Use the New-OrganizationSegment cmdlet to create organization segments for use with information barrier policies in the Microsoft Purview compliance portal.

  Organization Segments are not in effect until you apply information barrier policies.

  Syntax:

  New-OrganizationSegment [-Name]

  -UserGroupFilter

  [-Confirm]

  [-WhatIf]

  []

  Box 2: New-InformationBarrierPolicy

  To define your first blocking policy, use the New-InformationBarrierPolicy cmdlet with the SegmentsBlocked parameter.

  Reference:

  https://docs.microsoft.com/en-us/powershell/module/exchange/new-organizationsegment

  https://docs.microsoft.com/en-us/microsoft-365/compliance/information-barriers-policies

• Question 343:

  DRAG DROP

  You have a Microsoft 365 E5 subscription. All users use Microsoft Exchange Online.

  Microsoft 365 is configured to use the default policy settings without any custom rules.

  You manage message hygiene.

  Where are suspicious email messages placed by default? To answer, drag the appropriate location to the correct message types. Each option may be used once, more than once, or not at all.

  You may need to drag the split bar between panes or scroll to view content.

  Select and Place:

  

  Correct Answer:

  

• Question 344:

  DRAG DROP

  You have a Microsoft 365 subscription that contains 20 data loss prevention (DLP) policies.

  You need to identify the following:

  1.

  Rules that are applied without Triggering a policy alert

  2.

  The top 10 files that have matched DLP policies

  3.

  Alerts that are miscategorized

  Which report should you use for each requirement? To answer, drag the appropriate reports to the correct requirements. Each report may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll

  to view content.

  NOTE: Each correct selection is worth one point.

  Select and Place:

  

  Correct Answer:

  

• Question 345:

  DRAG DROP

  You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Identity. You receive the following alerts:

  1.

  Suspected Netlogon privilege elevation attempt

  2.

  Suspected Kerberos SPN exposure

  3.

  Suspected DCSync attack

  To which stage of the cyber-attack kill chain does each alert map? To answer, drag the appropriate alerts to the correct stages. Each alert may be used once, more than once, or not at all. You may need to drag the split bar between panes or

  scroll to view content.

  NOTE: Each correct selection is worth one point.

  Select and Place:

  

  Correct Answer:

  

  Box 1: Compromised credential

  The following security alerts help you identify and remediate Compromised credential phase suspicious activities detected by Defender for Identity in your network.

  In this tutorial, you'll learn how to understand, classify, remediate and prevent the following types of attacks:

  Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation) (external ID 2411)

  Suspected Kerberos SPN exposure (external ID 2410)

  Etc.

  Box 2: Compromised credential

  Box 3: Domain dominance

  The following security alerts help you identify and remediate Domain dominance phase suspicious activities detected by Defender for Identity in your network. In this tutorial, learn how to understand, classify, prevent, and remediate the

  following attacks:

  Suspected DCSync attack (replication of directory services) (external ID 2006)

  Etc.

  Reference:

  https://docs.microsoft.com/en-us/defender-for-identity/compromised-credentials-alerts https://docs.microsoft.com/en-us/defender-for-identity/domain-dominance-alerts

• Question 346:

  DRAG DROP

  You have a Microsoft 365 E5 subscription.

  You plan to implement Microsoft Sentinel to create incidents based on:

  1.

  Azure Active Directory (Azure AD) Identity Protection alerts

  2.

  Correlated events from the DeviceProcessEvents table

  Which analytic rule types should you use for each incident type? To answer, drag the appropriate rule types to the correct incident types. Each rule type may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

  Select and Place:

  

  Correct Answer:

  

  Reference:

  https://docs.microsoft.com/en-us/azure/sentinel/create-incidents-from-alerts https://docs.microsoft.com/en-us/azure/sentinel/detect-threats-custom

• Question 347:

  DRAG DROP

  You have an Azure subscription and a Microsoft 365 subscription.

  You need to perform the following actions:

  1.

  Deploy Azure Sentinel.

  2.

  Collect the Microsoft 365 activity log by using Azure Sentinel.

  Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

  Select and Place:

  

  Correct Answer:

  

  Reference: https://docs.microsoft.com/en-us/azure/sentinel/quickstart-onboard https://docs.microsoft.com/en-us/azure/sentinel/connect-office-365

• Question 348:

  DRAG DROP

  You have an Azure Sentinel workspace that has an Office 365 connector.

  You are threat hunting events that have suspicious traffic from specific IP addresses.

  You need to save the events and the relevant query results for future reference.

  Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

  Select and Place:

  

  Correct Answer:

  

  Reference: https://docs.microsoft.com/en-us/azure/sentinel/bookmarks

• Question 349:

  DRAG DROP

  You have a Microsoft 365 E5 tenant that contains three users named User1, User2, and User3.

  You need to assign roles or role groups to the users as shown in the following table.

  

  What should you use to assign a role or role group to each user? To answer, drag the appropriate tools to the correct roles or role groups. Each tool may be used once, more than once, or not at all. You may need to drag the split bar between

  panes or scroll to view content.

  NOTE: Each correct selection is worth one point.

  Select and Place:

  

  Correct Answer:

  

  Reference: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center?view=o365-worldwide

• Question 350:

  DRAG DROP

  You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint and contains a Windows 10 device named Device1.

  You have a PowerShell script named script1 that collects forensic data and saves the results as a file on the device from which the script is run.

  You receive a Microsoft Defender for Endpoint alert for suspicious activities on Device1.

  You need to run script1 on Device1 and retrieve the output file of the script.

  Which four actions should you perform in sequence in Microsoft 365 Defender portal?

  To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

  Select and Place:

  

  Correct Answer:

  

  Step 1: Select Initiate Live Response Session. Initiate a live response session on a device

  1.

  Sign in to Microsoft 365 Defender portal.

  2.

  Navigate to Endpoints > Device inventory and select a device to investigate. The devices page opens.

  3.

  Launch the live response session by selecting Initiate live response session. A command console is displayed. Wait while the session connects to the device.

  4.

  Use the built-in commands to do investigative work.

  5.

  After completing your investigation, select Disconnect session, then select Confirm.

  Note: Initiate live response Session

  Live response is a capability that gives you instantaneous access to a device by using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified

  threats in real time.

  Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.

  Step 2: Run the putfile command

  putfile - Puts a file from the library to the device. Files are saved in a working folder and are deleted when the device restarts by default.

  Step 3: Run the run command

  run - Runs a PowerShell script from the library on the device.

  Step 4: Run the getfile command

  getfile - Downloads a file.

  For scenarios when you'd like get a file from a device you're investigating, you can use the getfile command. This allows you to save the file from the device for further investigation.

  Incorrect:

  *

  Select Collect Investigation package.

  Collect investigation package from devices

  As part of the investigation or response process, you can collect an investigation package from a device. By collecting the investigation package, you can identify the current state of the device and further understand the tools and techniques

  used by the attacker.

  *

  Run the analyze command

  Analyze - Analyses the entity with various incrimination engines to reach a verdict.

  Reference:

  https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/live-response https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts