The "Activity from infrequent country" anomaly detection policy is designed to identify when a user performs an activity from a country/region that has not been recently, or ever, visited by any user in the organization. The system establishes a baseline of normal activity based on the locations of all users. A sign-in from a location that is new to the entire organization triggers this specific alert, directly matching the requirement to be notified when a user signs in from a location never used by others in the organization.

A. Impossible travel: This policy detects when a single user signs in from two geographically distant locations in a time frame that is too short to physically travel between them.

B. Activity from anonymous IP addresses: This policy triggers an alert when a sign-in originates from an IP address associated with an anonymizing service like a VPN or the Tor network, regardless of the location's history.

D. Malware detection: This is not a standard anomaly detection policy name. The related policy, "Activity from suspicious IP addresses," detects sign-ins from IPs known to be malicious (e.g., botnets), not new locations.

1. Microsoft Learn. (2023). Anomaly detection policies in Microsoft Defender for Cloud Apps. "Activity from infrequent country" section. This document states

"This detection identifies when an activity is performed from a country/region that was not recently or never visited by any user in the organization."

2. Microsoft Learn. (2023). Anomaly detection policies in Microsoft Defender for Cloud Apps. "Impossible travel" section. This document states

"This detection identifies two user activities... originating from geographically distant locations in a time period shorter than the time it would have taken the user to travel..."

3. Microsoft Learn. (2023). Anomaly detection policies in Microsoft Defender for Cloud Apps. "Activity from anonymous IP addresses" section. This document states

"This detection identifies that users were active from an IP address that has been identified as an anonymous proxy IP address."

To identify Azure resources queried or modified by risky users, a KQL query must correlate user risk data with resource activity logs. The SigninLogs table from Microsoft Entra ID contains user sign-in details, including risk levels detected by Identity Protection (e.g., RiskLevelAggregated). The AzureActivity table contains the Azure Activity Log, which records management-plane operations on Azure resources. To link a risky user to an action, the query must join the UserPrincipalName from the SigninLogs table with the Caller field from the AzureActivity table, as the Caller field identifies the user who performed the operation.

1. Microsoft. (2023). Microsoft Sentinel data connectors. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/azure/sentinel/data-connectors-reference.

Details: This document lists SigninLogs as the table for "Microsoft Entra sign-in logs" and AzureActivity as the table for "Azure Activity" logs

confirming the correct tables for the required data sources.

2. Microsoft. (2023). Azure Monitor Logs table reference / SigninLogs. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/signinlogs.

Details: The schema documentation confirms that SigninLogs contains the UserPrincipalName and RiskLevelAggregated columns

which are essential for identifying risky users.

3. Microsoft. (2023). Azure Monitor Logs table reference / AzureActivity. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity.

Details: The schema documentation confirms that the AzureActivity table contains the Caller column

which "identifies the user or client that initiated the event." This is the correct field for joining with the user identity from SigninLogs.

4. Microsoft. (2024). join operator. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/join-operator.

Details: This official documentation explains how to use the join operator to merge rows of two tables to form a new table by matching values of the specified columns

which is the core operation required by the query.

Microsoft Sentinel workbooks are the designated feature for creating interactive visual reports and dashboards. They provide a flexible canvas to query data from various sources, including sign-in logs, and visualize that information using charts, graphs, and tables. This allows security analysts to monitor trends and create custom reports, directly addressing the requirement to visualize sign-in information over time.

B. a hunting query: This is used for proactively searching for security threats and anomalies, not for creating persistent, visual reports or dashboards.

C. a notebook: Notebooks are for advanced threat hunting, machine learning, and complex data analysis, which is more powerful than required for a standard visual report.

D. a playbook: This is an automated workflow (built on Azure Logic Apps) used to respond to security alerts and incidents, not for data visualization.

1. Microsoft Learn

"Visualize and monitor your data with workbooks in Microsoft Sentinel": In the "Introduction" section

it states

"Workbooks provide a flexible canvas for data analysis and the creation of rich visual reports within the Azure portal... They allow you to tap into the full power of other Azure services as well

such as Azure Monitor." This directly supports the use of workbooks for visualization.

2. Microsoft Learn

"Threat hunting in Microsoft Sentinel": The "Introduction" section clarifies the purpose of hunting: "Threat hunting is a proactive search for cyber threats that are lurking undetected in a network... In Microsoft Sentinel

hunting queries are built on top of Kusto Query Language (KQL)." This distinguishes hunting from reporting.

3. Microsoft Learn

"Automate threat response with playbooks in Microsoft Sentinel": The "Introduction" section defines playbooks: "A playbook is a collection of procedures that can be run from Microsoft Sentinel in response to an alert or incident... Playbooks are based on workflows built in Azure Logic Apps." This confirms their role in automation

not visualization.

4. Microsoft Learn

"Jupyter notebooks with Microsoft Sentinel hunting capabilities": The "When to use notebooks" section states

"Notebooks are best suited for more advanced users who need more control and flexibility in their threat hunting and investigation." This positions notebooks as a tool for advanced analysis rather than standard reporting.

<img src="https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/SC-200/page_85_img_1.jpg">Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-queryemails-devices?view=o365-worldwide

https://docs.microsoft.com/en-us/azure/security-center/quickstart-onboard-gcp

Step 1: From the Investigation blade, select Insights The Investigation Insights Workbook is designed to assist in investigations of Azure Sentinel Incidents or individual IP/Account/Host/URL entities. Step 2: From the Investigation blade, select the entity that represents VM1. The Investigation Insights workbook is broken up into 2 main sections, Incident Insights and Entity Insights. Incident Insights The Incident Insights gives the analyst a view of ongoing Sentinel Incidents and allows for quick access to their associated metadata including alerts and entity information. Entity Insights The Entity Insights allows the analyst to take entity data either from an incident or through manual entry and explore related information about that entity. This workbook presently provides view of the following entity types: IP Address Account Host URL Step 3: From the details pane of the incident, select Investigate. Choose a single incident and click View full details or Investigate.

https://github.com/Azure/Azure-Sentinel/wiki/Investigation-Insights---Overview https://docs.microsoft.com/en-us/azure/sentinel/investigate-cases

Questio n Part 1: Which types of files can you use for the custom lure? Answer: EXE, XLSX, and PDF According to your screenshot (File types drop-down), you can use the following file types for a custom lure in Microsoft Defender XDR deception rules: EXE XLSX PDF You can select any combination of these, so EXE, XLSX, and PDF are all supported as custom lure file types. Questio n Part 2: In which home directory should the file be located on a device? Answer: The Active Directory user When you set the Planting path to HOME in a deception rule, the file should be planted in the home directory of a user. According to the available drop-down options and Microsoft documentation, the typical recommended choice for corporate environments (and specifically for most deception scenarios) is "The Active Directory user". This ensures the lure is placed where the intended target (a domain user) is likely to encounter it.

The security bulletin identifies a specific image file as the attack vector. In Microsoft Defender for Endpoint, the most direct and precise method to identify and block a specific file is by using its unique hash (e.g., SHA-256, SHA-1, or MD5). Creating a file hash indicator of compromise (IoC) and setting the action to "Alert and block" instructs Defender for Endpoint to prevent the file from being read, written, or executed on any managed device. This action directly fulfills the requirement to prevent the attack.

A. A URL/domain indicator targets network addresses, not files. Additionally, the "Alert only" action would not prevent the attack; it would only generate a notification.

B. A URL/domain indicator is inappropriate because the threat is a specific file, not a website or network location.

D. A certificate indicator blocks all files signed with a specific certificate. This is less precise than a file hash and could cause unintended consequences by blocking legitimate files signed with the same certificate.

1. Microsoft Learn. (2023). Create indicators. Microsoft Defender for Endpoint.

Section: "File indicators"

Content: "You can create an indicator for a file hash. ... When you create an indicator for a file

you can choose from the following actions: Allow

Audit

Warn

Block and remediate

and Alert and block." The "Alert and block" action is described as preventing the file from being read

written

and executed. This directly supports using a file hash to block a malicious file.

2. Microsoft Learn. (2023). Create indicators. Microsoft Defender for Endpoint.

Section: "URL and domain indicators"

Content: "URL/domain indicators prevent users from accessing the URL/domain through the web browser." This confirms that URL/domain indicators are for network locations

not local files.

3. Microsoft Learn. (2023). Create indicators. Microsoft Defender for Endpoint.

Section: "Certificate indicators"

Content: "You can create indicators for certificates that will block files that are signed with the blocked certificate from being run in your organization." This shows that certificate indicators are for blocking based on the signer

which is a broader and less specific method than blocking a single file by its hash.