Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

5.3.4. Defender for Cloud and Sentinel Questions

Question 11

You need to ensure resources missing a "CostCenter" tag cannot be created.

Which policy effect should you use?

  • A. Append
  • B. Modify
  • C. Deny
  • D. DeployIfNotExists
Answer: C

Explanation: Deny blocks resource creation when the policy condition is met (here, the "CostCenter" tag is missing). Append adds values to the request but doesn't prevent creation. Modify changes properties after creation rather than blocking it.


Question 12

You need to implement an Azure Policy initiative for payment processing compliance.

Which initiative should you use?

  • A. Azure Security Benchmark
  • B. CIS Controls
  • C. NIST SP 800-53
  • D. PCI DSS
Answer: D

Explanation: PCI DSS is the standard for payment card industry compliance. Other standards are general security frameworks not specific to payment processing.


Question 13

Your company has a multi-cloud environment. Which three environments does Defender for Cloud support?

  • A. Alibaba Cloud
  • B. Amazon Web Services (AWS)
  • C. Azure DevOps
  • D. Oracle Cloud
  • E. GitHub
Answer: B, C, and E

Explanation: Defender for Cloud supports Azure, AWS, GCP, GitHub, Azure DevOps, and GitLab. Alibaba Cloud and Oracle Cloud are not supported.


Question 14

You set Periodic recurring scans to ON for Defender for SQL vulnerability assessment.

How often will scans run?

  • A. Daily
  • B. Once a week
  • C. Monthly
  • D. At a recurrence you configure
Answer: B

Explanation: Periodic scans run once per week. This is set by Microsoft and cannot be changed.


Question 15

You configure Microsoft Sentinel to connect to data sources. You cannot configure a connector that uses Azure Functions API.

Which permissions should you change?

  • A. Read permissions for the Log Analytics workspace
  • B. Read and write permissions for Azure Functions
  • C. Write permissions for the Log Analytics workspace
  • D. Read permissions for Azure Functions
Answer: B

Explanation: Azure Functions-based connectors require read and write permissions for Azure Functions to create and configure the function app.


Question 16: AI and Generative AI Security

Your organization is deploying an AI chatbot built on Azure OpenAI Service. The security team is concerned about users manipulating the chatbot to reveal training data or bypass content filters. Which Defender for Cloud feature should you enable to detect and block these threats in real-time?

  • A. Microsoft Defender for Containers
  • B. Microsoft Defender for AI workloads with prompt injection detection
  • C. Azure Policy for AI resources
  • D. Microsoft Defender for Key Vault
Answer: B

Explanation: Microsoft Defender for AI workloads (part of the 2026 updates) provides specialized protection for generative AI, including the ability to detect and block prompt injection attacks in real-time. Defender for Containers (A) secures containerized environments but doesn't have native GenAI prompt analysis. Azure Policy (C) can enforce configurations but isn't a real-time threat detection engine for prompts. Defender for Key Vault (D) protects secrets used by the AI but not the model's interactions.


Question 17: AI Security - Prompt Injection

An attacker embeds hidden instructions in a document that an AI assistant processes. When the assistant summarizes the document, it unknowingly executes the hidden instructions and exfiltrates sensitive information. What type of attack is this?

  • A. Direct prompt injection
  • B. Indirect prompt injection
  • C. Model extraction attack
  • D. Training data poisoning
Answer: B

Explanation: Indirect prompt injection occurs when the malicious instructions are placed in data that the AI retrieves or processes (like a document or web page) rather than being typed directly into the prompt by the user. Direct prompt injection (A) involves the user directly typing malicious commands. Model extraction (C) is an attempt to steal the model's parameters. Training data poisoning (D) involves modifying the base dataset used to train or fine-tune the model.


Question 18: CIEM and Multi-Cloud Governance

You are reviewing identity security posture in Defender for Cloud. You need to identify service principals that have been granted permissions but haven't used them. According to the 2026 CIEM update, how does Defender for Cloud identify inactive identities?

  • A. By analyzing sign-in logs for the last 30 days
  • B. By checking for unused role assignments over a 90-day lookback window
  • C. By reviewing audit logs for permission changes
  • D. By monitoring API calls to Azure Resource Manager
Answer: B

Explanation: The 2026 CIEM (Cloud Infrastructure Entitlement Management) update focuses on "Permissions Creep" by analyzing the delta between granted and used permissions. It specifically looks for unused role assignments and has extended the lookback window to 90 days for improved accuracy. Sign-in logs (A) only show authentication, not whether specific permissions were used. Audit logs (C) and ARM monitoring (D) provide raw data but CIEM provides the specific analysis of unused entitlements over the 90-day period.


Question 19: DevOps Security

Your development team uses GitHub for source control and deploys to Azure. The CISO wants unified visibility from code commits to runtime vulnerabilities. Which Defender for Cloud capability should you implement?

  • A. Defender for Servers with MDE
  • B. Defender for DevOps with GitHub connector
  • C. Azure Policy guest configuration
  • D. Microsoft Sentinel DevOps connector
Answer: B

Explanation: Defender for DevOps is the primary tool for "Code-to-Cloud" visibility. By implementing the GitHub connector, security teams can correlate findings from the repository (like secrets or vulnerable dependencies) with the running resources in Azure. Defender for Servers (A) focuses on runtime OS security. Azure Policy (C) enforces resource configuration. While Sentinel (D) can ingest DevOps logs, it doesn't provide the native "Code-to-Cloud" correlation dashboard found in Defender for DevOps.


Question 20: Microsoft Sentinel Evolution

Your SOC analyst notices inconsistent entity naming in Microsoft Sentinel analytics rules, causing correlation failures. What 2026 Sentinel feature addresses this issue?

  • A. Custom entity extraction with KQL
  • B. ASIM (Advanced Security Information Model) normalization
  • C. Standardized account entity naming logic
  • D. Custom log parsing
Answer: C

Explanation: The 2026 Sentinel update introduced standardized account entity naming logic to ensure that identities (Accounts) are identified consistently across all log sources, regardless of how they are named in the raw data (e.g., UPN vs. SamAccountName). While ASIM (B) provides the overall normalization framework for event schemas, the standardized entity logic is the specific feature that ensures cross-log correlation for security actors. Custom extraction (A) and parsing (D) are manual methods that the standardized logic aims to replace.


Question 21: Microsoft Sentinel Data Lake

Your organization must retain security logs for 7 years for compliance but wants to minimize costs. Most logs are only queried during incident investigations. Which Microsoft Sentinel data tier strategy should you implement?

  • A. Store all logs in Analytics tier with extended retention
  • B. Use Basic tier for all logs with archive after 90 days
  • C. Use Analytics tier for active hunting, Archive tier for long-term retention with ADX integration
  • D. Export all logs to Azure Blob Storage
Answer: C

Explanation: The integrated Data Lake strategy uses three tiers to optimize cost. The Analytics tier is for high-performance querying of recent data. The Archive tier (integrated with ADX) provides low-cost storage for compliance (up to 7 years) while remaining searchable via Search Jobs. Keeping everything in Analytics (A) is prohibitively expensive for 7 years. The Basic tier (B) is for high-volume logs but lacks the long-term retention specialized features of Archive. Exporting to Blob (D) makes the data difficult to query using Sentinel's native KQL tools.


Question 22: Agentless Scanning

Your organization runs a mix of Azure VMs, Azure Functions, and Azure App Service web apps. You need to implement vulnerability scanning with minimal operational overhead. Which statement is TRUE about agentless scanning in 2026?

  • A. Agentless scanning only supports Azure VMs
  • B. Agentless scanning requires Defender for Servers Plan 1
  • C. Agentless scanning now covers VMs, Azure Functions, and Web Apps
  • D. Agentless scanning replaces the need for any agent-based protection
Answer: C

Explanation: In the 2026 update, agentless scanning has been expanded beyond VMs to include PaaS workloads like Azure Functions and Web Apps (App Service). This provides vulnerability visibility without performance impact or code changes. Statement A is outdated. Statement B is incorrect because agentless scanning requires Defender for Servers Plan 2. Statement D is incorrect; for real-time EDR and threat response, agent-based protection (like MDE) is still recommended as part of a hybrid approach.


Question 23: Agentless vs Agent-Based

Your security team must implement vulnerability scanning for 500 VMs. The requirements include: real-time threat detection, minimal performance impact, and support for air-gapped VMs. Which approach should you recommend?

  • A. Agentless scanning only
  • B. Agent-based (MDE) only
  • C. Hybrid approach: Agentless for discovery and scheduled scanning, agent-based for real-time protection
  • D. Third-party vulnerability scanner
Answer: C

Explanation: The 2026 best practice for comprehensive coverage is a hybrid approach. Agentless scanning provides broad visibility and discovery (including for legacy or air-gapped systems where snapshots can be scanned) with zero performance impact. Agent-based protection (MDE) is required for real-time behavioral analysis and EDR. Agentless alone (A) cannot stop active attacks. Agent-based alone (B) can miss unmanaged systems or impact performance on sensitive workloads.