AZ-500 · Question #235
Question
Drag and Drop Question

You have an Azure Sentinel workspace that has an Azure Active Directory (Azure AD) data connector. You are threat hunting suspicious traffic from a specific IP address. You need to annotate an intermediate event stored in the workspace and be able to reference the IP address when navigating through the investigation graph. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:
Explanation
The correct sequence begins with running a Log Analytics query from the Azure Sentinel workspace (not Azure Monitor) to search for traffic from the suspicious IP address. After identifying the relevant event in the query results, you select that specific query result to target the intermediate event. Finally, you add a bookmark and map an entity - the 'map an entity' step is critical because it allows the IP address to be recognized as an entity (IP type) that can be referenced and navigated within the Azure Sentinel investigation graph, enabling visual threat hunting traversal.
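The first step in that sequence is the Log Analytics query. The KQL below is an added example, not part of the original question page or Microsoft's documentation, of what a hunting query for a specific IP address against the Azure AD data connector looks like. It assumes the connector has populated the SigninLogs table and uses 203.0.113.45 as a constructed placeholder address; a single row returned by this query is the "intermediate event" you would select, bookmark, and whose IPAddress column you would map to the IP entity.

```kql
// Added example (not from the original page). Assumes the Azure AD data
// connector feeds the SigninLogs table; 203.0.113.45 is a constructed placeholder.
let suspiciousIp = "203.0.113.45";
SigninLogs
| where TimeGenerated > ago(7d)
| where IPAddress == suspiciousIp
// ResultType 0 is a successful sign-in; non-zero values are failures
| extend Outcome = iff(ResultType == "0", "Success", "Failure")
| project TimeGenerated, UserPrincipalName, AppDisplayName, Outcome,
          ResultType, ResultDescription, IPAddress, Location
| order by TimeGenerated asc
```

Keeping IPAddress as its own projected column matters for the third step: when you add the bookmark, the entity mapping picks a column from the selected result and assigns it an entity type, so the address must be present in the row rather than buried in a dynamic field.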