Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

6.3.4. Defender for Cloud and Sentinel Questions

Question 10

Your organization needs to assess compliance against GDPR requirements using Microsoft Defender for Cloud.

What should you do?

  • A. Enable the built-in GDPR compliance initiative
  • B. Create a custom compliance standard
  • C. Use the Azure Security Benchmark
  • D. Enable Defender CSPM
Answer: B

Explanation: GDPR is not available as a built-in compliance standard. You must create a custom initiative. Azure Security Benchmark is a general security framework, not GDPR-specific.


Question 11

You have 500 VMs including 100 legacy systems that cannot support security agents. You need vulnerability scanning for all VMs.

What should you enable?

  • A. Defender for Servers Plan 1
  • B. Defender for Servers Plan 2 with agentless scanning
  • C. Microsoft Defender for Endpoint on all VMs
  • D. Third-party vulnerability scanner
Answer: B

Explanation: Agentless scanning (Plan 2) uses snapshot-based assessment, so it works on all VMs regardless of whether the guest OS can run an agent. Plan 1 doesn't include vulnerability scanning. MDE requires agent installation. Third-party scanners also typically require agents.


Question 12

You need to send security alerts to an external SIEM in real-time.

Which service should you configure?

  • A. Export to Azure Storage account
  • B. Export to Log Analytics workspace
  • C. Export to Event Hub
  • D. Export to Azure Data Explorer
Answer: C

Explanation: Event Hubs enable real-time streaming to external systems. Storage doesn't support real-time streaming. Log Analytics is for internal analysis. ADX is for long-term retention.


Question 13

You want to monitor all VMs in a resource group for CPU > 80%. You need a single alert rule that creates separate alerts per VM.

How should you configure the alert?

  • A. Create one alert rule per VM
  • B. Create one alert rule and split by dimension
  • C. Create an action group with multiple targets
  • D. Use Azure Automation runbooks
Answer: B

Explanation: "Split by dimension" creates individual alert instances per resource when using a resource group scope. This provides VM-specific alerts from a single rule definition.


Question 14

You can add most data connectors to Microsoft Sentinel but cannot add an Azure Functions-based connector.

What permission do you need?

  • A. Log Analytics Contributor on the workspace
  • B. Read and write permissions for Azure Functions
  • C. Microsoft Sentinel Contributor
  • D. Reader on the subscription
Answer: B

Explanation: Azure Functions-based connectors require permissions to the Azure Functions resource itself, not just the Log Analytics workspace. Other connectors only need workspace permissions.


Question 15

An analyst needs to detect when a user logs in from two countries within 2 hours.

Which Sentinel feature should be configured?

  • A. Scheduled analytics rule with KQL
  • B. UEBA with impossible travel detection
  • C. Custom threat intelligence feed
  • D. Machine learning anomaly rule
Answer: B

Explanation: "Impossible travel" is a built-in UEBA detection pattern specifically designed for this scenario. It automatically calculates travel time between locations and flags physically impossible logins.


Question 16

You need to protect an Azure OpenAI deployment from prompt injection attacks while ensuring responses don't contain harmful content.

What should you configure? (Choose 2)

  • A. Private Endpoint
  • B. Content Filtering with safety categories
  • C. Azure Firewall Premium
  • D. AI Guardrails / Safety System
Answer: B and D

Explanation: Content Filtering blocks harmful inputs/outputs. AI Guardrails detect and prevent prompt injection attempts. Private Endpoints secure network access but don't protect against application-layer attacks like prompt injection. Azure Firewall doesn't understand AI-specific threats.


Question 17

Your organization wants to identify service accounts with excessive permissions across Azure, AWS, and GCP.

Which feature should you use?

  • A. Microsoft Entra PIM
  • B. Cloud Infrastructure Entitlement Management (CIEM)
  • C. Azure Policy with custom initiatives
  • D. Defender for Cloud Secure Score
Answer: B

Explanation: CIEM (Permissions Management) specifically analyzes identity permissions across multi-cloud environments. PIM is Azure-only and for human access. Azure Policy doesn't analyze cross-cloud entitlements. Secure Score measures security posture but doesn't specifically address permissions creep.


Question 18

You need to keep firewall "permit" logs for 7 years but minimize costs.

Which Sentinel data tier should you use for logs older than 90 days?

  • A. Analytics tier
  • B. Basic tier
  • C. Archive tier
  • D. Hot tier
Answer: C

Explanation: Archive tier is designed for long-term compliance retention at the lowest cost. Analytics tier is expensive for high-volume logs. Basic tier is for noisy operational logs, not long-term archival. Hot tier isn't a Sentinel concept.


Question 19

A developer attempts to merge Terraform code that creates a public SQL Server. You want to automatically block the merge.

What should you configure?

  • A. Azure Policy with deny effect
  • B. Defender for DevOps with IaC scanning
  • C. Microsoft Sentinel analytics rule
  • D. Azure Firewall application rules
Answer: B

Explanation: Defender for DevOps includes IaC scanning that runs in the CI/CD pipeline and can block merges with security findings. Azure Policy acts on deployed resources, not pull requests. Sentinel monitors runtime. Firewall doesn't analyze code.


Question 20

You enabled both server-level and database-level auditing on an Azure SQL database and are seeing duplicate entries.

What should you do?

  • A. Disable server-level auditing
  • B. Disable database-level auditing
  • C. Change the storage account
  • D. Enable audit log deduplication
Answer: B

Explanation: When both levels are enabled, both write audit entries for the same events. Server-level auditing typically provides sufficient coverage for all databases on the server, so disable database-level auditing to eliminate the duplicates. There is no deduplication setting.


Question 21

Your organization scans Azure SQL databases weekly for vulnerabilities. Where are the scan results stored?

  • A. Log Analytics workspace only
  • B. Azure Storage account
  • C. Microsoft Defender for Cloud dashboard only
  • D. Azure Key Vault
Answer: B

Explanation: Defender for SQL vulnerability assessment requires an Azure Storage account to store scan results. Results are viewable in both the storage account and Defender for Cloud, but storage is the required destination.


Question 22

A security analyst wants to automatically query VirusTotal when an IP address triggers an alert.

What should you configure?

  • A. Sentinel analytics rule with entity mapping
  • B. Sentinel playbook (Logic App) for incident enrichment
  • C. Azure Monitor action group
  • D. Data Collection Rule
Answer: B

Explanation: Playbooks (Logic Apps) can trigger on alerts and call external APIs like VirusTotal for enrichment. Analytics rules create alerts. Action groups notify but don't perform complex API calls. DCRs define data collection.


Question 23: Agentless vs Agent-Based

Your security team must implement vulnerability scanning for 500 VMs. The requirements include: real-time threat detection, minimal performance impact, and support for air-gapped VMs. Which approach should you recommend?

  • A. Agentless scanning only
  • B. Agent-based (MDE) only
  • C. Hybrid approach: Agentless for discovery and scheduled scanning, agent-based for real-time protection
  • D. Third-party vulnerability scanner
Answer: C

Explanation: The 2026 best practice for comprehensive coverage is a hybrid approach. Agentless scanning provides broad visibility and discovery (including for legacy or air-gapped systems where snapshots can be scanned) with zero performance impact. Agent-based protection (MDE) is required for real-time behavioral analysis and EDR. Agentless alone (A) cannot stop active attacks. Agent-based alone (B) can miss unmanaged systems or impact performance on sensitive workloads.

Written by Alvin Varughese, Founder, 15 professional certifications