Auditing sign-ins and Microsoft Sentinel

Question 1

You have a Microsoft 365 tenant with Microsoft 365 E5 licenses. Most of your users are required to use an authenticator app to access Microsoft 365. You need to view which users have used an authenticator app to access Microsoft 365. What should you do?

Accepted Answer

Go to Azure Active Directory admin center and review the sign-in logs.

Question 2

You have a Microsoft 365 tenant with a Microsoft Sentinel workspace. You've been asked by your manager to configure Microsoft 365 so you can manage incidents based on alerts generated by Microsoft Cloud App Security. What do you need to do first?

Accepted Answer

Configure security extensions from the Microsoft Defender for Cloud Apps admin center.

Question 3

You have a Microsoft 365 tenant. Your manager asks you to enable auditing for all Microsoft Exchange Online mailboxes/users. What should you do?

Accepted Answer

Run the Set-Mailbox cmdlet from the Exchange Online PowerShell.

Question 4

You have a Microsoft 365 subscription. You have a user named John Gruber. Several users have full access to the mailbox of John Gruber. Some email messages sent to John Gruber appear to have been read and deleted before the user viewed them. When you search the audit log in Security & Compliance to identify who signed in to the mailbox of John Gruber, the results are blank. You need to ensure that you can view future sign-ins to the mailbox of John Gruber. You run the Set-Maibox -Identity "John Gruber" -AuditEnabled $true command. Does that meet the goal?

Accepted Answer

Yes.

Question 5

Your organization has a Microsoft Sentinel workspace that has a connector configured to Azure AD and Microsoft Office 365. You need to configure a Fusion rule template to detect multistage attacks where users sign in by using compromised credentials. Then they delete multiple files from Microsoft OneDrive. What do you need to do after you create an active rule that has the default settings?

Accepted Answer

Add a workbook.

Question 6

Where can you go to review the location (IP address) when administrators log in to your Microsoft 365 tenant?

Accepted Answer

Sign-ins.

Question 7

You have a Microsoft Sentinel workspace. The workspace has two connectors configured. One for Azure AD and another one for Microsoft Office 365. Your organization has hired a new admin. The new admin will need access to Microsoft Sentinel. Your manager informs you the new admin will need to perform the following: Manage incidents Create and run playbooks Your manager asks you which two roles should you assign to the new user?

Accepted Answer

Contributor. Logic App contributor.

Question 8

Your organization is currently using Microsoft 365. Your manager has asked you where he can go to audit the sign in's of any user with the user administrator role. Where you should tell him to go?

Accepted Answer

Azure Ad Sign-in logs.

Question 9

Your organization has a Microsoft 365 tenant with a user named John Gruber. Multiple users have been granted read and manage (full access) to John Gruber's mailbox. John Gruber found a few emails that were sent to him were marked as read and deleted before he had a chance to review them. You've been asked to see who accessed and deleted the emails. You search the audit log in the Microsoft Defender admin center to see who read and deleted the emails but the audit logs are blank. So your manager has asked you to configure the audit logs so your can view who accessed the mailbox in the future. What Exchange PowerShell commands do you need to run to verify you can see the audit logs in the future?

Accepted Answer

Set-Maibox -Identity "John Gruber" -AuditEnabled $true.

GitBit

Auditing sign-ins and Microsoft Sentinel

Questions for this test