6.2. Keyword Mapping and Distractor Identification
💡 First Principle: Exam questions contain keywords that signal specific answers. Think of it like a treasure map—certain phrases are X marks that point directly to the correct answer. Learning to recognize these patterns accelerates your response time and improves accuracy. You'll know what the question is really asking before you finish reading it.
Without this skill, what happens? You waste precious minutes re-reading questions, second-guessing yourself, and falling for traps that exploit common misconceptions. Candidates who master keyword recognition typically finish with 15-20 minutes to spare for review—those who don't often run out of time.
Consider this scenario: a question mentions "time-limited access to a single table in Azure Storage." The phrase "time-limited" signals SAS tokens, and "single table" signals Service SAS (not Account SAS). Two keywords, one definitive answer. The distractor will likely be Account SAS or storage firewall rules—both plausible but incorrect for this specific combination.
Distractor options are intentionally plausible. They represent common misconceptions (confusing Application Administrator with Cloud Application Administrator), similar-sounding services (Private Link vs. Private Endpoint), or partial solutions (WAF without DDoS Protection). Training yourself to recognize these traps is as valuable as memorizing correct answers—perhaps more so, because the exam writers specifically design questions to exploit these confusion points.

| If you see this keyword... | Look for this answer... | Common Distractor |
|---|---|---|
| "Without additional cost" + MFA | Authenticator, SMS, Voice call | FIDO2 keys, OATH hardware tokens |
| "Cannot restart VM" + custom role | Missing read permission | Missing login permission |
| "Assign users to enterprise apps" | Cloud Application Administrator | Application Administrator |
| "Resource Policy Contributor" | Create/modify policies | Compliance Administrator (Entra role) |
| "Certificate credentials" for app | Secure, not transmitted | Client secrets |
| "Multitenant, Azure only" | AzureADMultipleOrgs | AzureADandPersonalMicrosoftAccount |
| "Restrict app registration" | "Users can register" = No + Application Developer | Cloud App Admin to all users |
| "10-100 Gbps encrypted" | ExpressRoute Direct with MACsec | VPN Gateway, standard ExpressRoute |
| "Azure Cosmos DB firewall" | Add web app outbound IPs + Allow Azure Portal | Add user IP to firewall |
| "Route through firewall" | User-defined routes to firewall private IP | VPN Gateway |
| "Private Link service" | Provider side (offer service) | Private Endpoint (consumer side) |
| "Service endpoints - count" | One per subnet | One per VNet |
| "App Service in VNet subnet" | Isolated tier (ASE) | Standard tier |
| "Gateway required integration" | Different regions | Same region |
| "SSL offload at edge" | Azure Front Door | Application Gateway |
| "Web vulnerabilities" | WAF | DDoS Protection |
| "DDoS attacks" | DDoS Protection Standard | WAF |
| "Firewall rule priority" | 100-65000 (100 highest) | Priority 0 |
| "az acr login" | Authenticate to ACR | az acr config |
| "Time-limited storage access" | SAS with expiry | Shared key |
| "Single table access" | Service SAS | Account SAS |
| "IP restriction per file (many files)" | Service SAS with signedIP | Storage firewall |
| "Revoke compromised SAS" | Regenerate storage account keys | Disable public access |
| "Public blob access - least privilege" | Blob level (not Container) | Container level |
| "Always Encrypted - supports" | Encrypting existing data | Copying between columns |
| "Duplicate audit entries" | Disable database-level auditing | Disable server auditing |
| "DBAs cannot see data" | Always Encrypted | TDE |
| "Mask credit card (verify last 4)" | partial(0,"XXXX-XXXX-XXXX-",4) | default() |
| "UNMASK permission" | See original masked data | See all data |
| "Tag policy - deny creation" | effect: deny | effect: append |
| "Tag inheritance - skip RGs" | indexed mode | all mode |
| "Key Vault - read/write keys" | Key Vault Crypto Officer | Key Vault Secrets Officer |
| "Soft delete + purge protection" | Cannot permanently delete | HSM-protected vault |
| "GDPR compliance" | Custom standard required | Built-in initiative |
| "AWS, GCP, GitHub, Azure DevOps" | Defender for Cloud supported | Alibaba Cloud, Oracle Cloud |
| "Permissions creep" | CIEM / Permissions Management | PIM (for Azure-only) |
| "Agentless Scanning (2026)" | Snapshot-based assessment (No agents) | MDE/Qualys agents only |
| "Snapshot-based methodology" | VM disk -> Snapshot -> Secure Engine | Runtime behavioral analysis |
| "Azure Functions agentless" | Dependency/File scanning (PaaS) | Code-level SDKs only |
| "Multi-cloud Agentless" | Azure, AWS (EC2), GCP (Compute) | Azure-only scanning |
| "Unused role assignments (2026)" | CIEM detection method | Sign-in activity only |
| "90-day CIEM lookback" | Extended detection window | 30-day window |
| "Code-to-cloud visibility" | Defender for DevOps | Defender for Servers |
| "IaC Scanning (Terraform/Bicep)" | DevOps security findings | Azure Policy only |
| "SBOM (Software Bill of Materials)" | Supply chain security | Managed Identity |
| "Prompt injection" | Content filtering & safety settings | NSGs/Firewalls only |
| "AI agent discovery" | Microsoft Copilot Studio | Azure AI Foundry |
| "Generative AI - Private access" | Private Endpoints for Azure OpenAI | Service Endpoints |
| "AI Attack surface discovery" | Defender for Cloud AI Security | Microsoft Sentinel connectors |
| "External attack surface" | Defender EASM | Defender for Cloud policies |
| "SQL vulnerability scan frequency" | Once per week (fixed) | Configurable |
| "SQL scan results location" | Azure Storage account | Log Analytics only |
| "Azure Functions connector" | Read/write Functions permission | Workspace permissions |
| "Alert per VM in resource group" | Single rule + split by dimension | Individual rules per VM |
| "Send logs to external SIEM" | Event Hubs | Azure Storage |
| "Standardized Account Entities" | Logic for cross-entity correlation | Static mapping only |
| "Sentinel MCP Server" | AI Context Protocol for SecOps | Standard data connector |
| "Integrated Data Lake" | ADX for long-term retention | Log Analytics only |
| "Analytics vs. Basic vs. Archive" | Cost optimization tiers | Hot vs. Cold storage only |
| "UEBA (Anomalous Behavior)" | Baseline profiling & Risk scoring | Signature-based detection |
| "SOAR Playbooks" | Logic Apps for automated response | Azure Automation accounts |
| "Impossible Travel" | UEBA detection pattern | Static IP blocklist |
| "Proactive Hunting" | Using KQL to find IoCs | Waiting for analytics alerts |
| "Incident Enrichment" | Automated VirusTotal/Whois lookup | Manual investigation |
| "Cross-Entity Correlation" | Unified incident grouping | Single alert management |