Q1

A security analyst at a retail company is investigating a Microsoft Sentinel incident that contains multiple alerts related to a single user account. The analyst needs to understand the full sequence of events, from a suspicious sign-in to potential data exfiltration, in chronological order. Which Microsoft Sentinel feature provides a graphical timeline and allows the analyst to explore related entities for this purpose?

Q2

A security operations team is configuring Microsoft Defender for Endpoint. They want to ensure that if a high-confidence phishing URL is detected on a device, the device is automatically isolated from the network, but only if the device belongs to the 'Standard User Workstations' device group. Devices in the 'Executive Laptops' group should not be automatically isolated. Which feature should be configured to achieve this specific, conditional automation?

Q3

A consultant is designing a Microsoft Sentinel deployment for a multinational corporation with data centers in North America, Europe, and Asia. To comply with regional data sovereignty laws like GDPR, logs generated within a specific region must be stored in a Log Analytics workspace within that same region. However, the global SOC team, based in North America, needs to hunt for threats and manage incidents across all regions from a single interface. Which Microsoft Sentinel architecture should the consultant recommend?

Q4 (Multiple answers)

A security engineer needs to write a KQL query to identify user accounts that have experienced a successful logon from a new country within the last 7 days. The query must compare the logon location to a baseline of countries the user has logged on from in the previous 30 days. Which KQL functions and operators are essential for building this query? (Select TWO)

Q5

A manufacturing company's SOC team is concerned about attackers disabling security controls on endpoints. They want to create a Microsoft Sentinel analytics rule that detects when the `vssadmin.exe` command is used to delete shadow copies, a common ransomware tactic. The data source is the `SecurityEvent` table from Windows endpoints. Which KQL query fragment correctly identifies this specific activity?

Q6

True or False: In Microsoft Sentinel, a single automation rule can be configured to trigger multiple playbooks simultaneously based on the incident's properties.

Q7

A SOC analyst is using Microsoft Defender for Endpoint's live response feature to investigate a potentially compromised device. The analyst needs to upload a forensic analysis script to the device, execute it, and then download the resulting output file for offline analysis. Which sequence of live response commands should the analyst use?

Q8

A security team has deployed Microsoft Defender for Cloud and enabled enhanced security features. They receive a high-severity alert indicating that Just-In-Time (JIT) VM access is not enabled for an internet-facing virtual machine. What is the primary risk mitigated by enabling JIT VM access?

Q9

A SOC manager wants to create a visual dashboard in Microsoft Sentinel to track the number of incidents by severity and assignee over the past 30 days. The dashboard must be interactive, allowing analysts to filter the data dynamically. Which Sentinel feature is best suited for this requirement?

Q10

A company is using Microsoft 365 and has a policy that prohibits employees from using unapproved cloud storage services. A security analyst needs to create a policy in Microsoft Defender for Cloud Apps that will block file uploads to any discovered cloud storage application that has a risk score below 6, while still allowing downloads. What type of policy should the analyst create?