🗼 Microsoft Sentinel - AZ-500 Practice Questions

Implement cloud-native SIEM with data connectors, analytic rules, workbooks, and automated response.

11 Questions Available
1 Exam Domain

Practice Sentinel Questions Now

Start a timed practice session focusing on Microsoft Sentinel topics from the AZ-500 question bank.


AZ-500 Sentinel Question Bank (11 Questions)

Browse all 11 practice questions covering Microsoft Sentinel for the AZ-500 certification exam. Answers are intentionally hidden on this page so you can self-test first before checking results in quiz mode.

  1. Question 1 (Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel)

    A Sentinel Analytics rule fires an alert. An automated Playbook (Logic App) then creates a ticket in ServiceNow. What Sentinel feature triggers the Logic App?

    A. Analytics rule action
    B. Automation rule
    C. Data connector
    D. Workbook

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.
  2. Question 2 (Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel)

    A Sentinel playbook is triggered when a phishing email alert fires. The playbook must delete the email from all mailboxes in the organization. Which connector in Logic Apps provides this action?

    A. Microsoft Teams connector
    B. Office 365 Outlook connector with 'Delete email' action
    C. Microsoft Entra ID connector
    D. Microsoft Defender for Office 365 connector (or Microsoft 365 Defender)
  3. Question 3 (Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel)

    Which Microsoft Sentinel content type provides out-of-the-box analytics rules, hunting queries, workbooks, and playbooks packaged together for a specific data source?

    A. Data connector
    B. Analytic rule template
    C. Solutions from the Content Hub
    D. Watchlist template
  4. Question 4 (Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel)

    A Microsoft Sentinel alert fires for anomalous Azure resource deletion. The playbook must capture VM snapshots before potential destruction. Which Logic App action should be first in the playbook?

    A. Send an email to the security team
    B. Parse the alert entities to identify the affected VMs
    C. Block the user account in Azure AD
    D. Create an incident in the ITSM system
  5. Question 5 (Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel)

    A security analyst wants to ingest firewall logs from an on-premises Palo Alto firewall into Microsoft Sentinel. Which data connector type typically handles vendor-specific security appliance logs?

    A. Azure Activity data connector
    B. Common Event Format (CEF) over Syslog
    C. Azure Monitor diagnostic settings
    D. Microsoft Defender XDR connector
  6. Question 6 (Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel)

    A Sentinel playbook must automatically block a user account in Azure AD when a high-severity incident is created. Which Azure service provides the automation logic?

    A. Azure Automation runbook
    B. Azure Logic App
    C. Azure Functions with Sentinel SDK
    D. Microsoft Power Automate
  7. Question 7 (Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel)

    The Sentinel data connector for Azure Activity logs is enabled. Which Azure activities are captured?

    A. Guest OS events from Azure VMs
    B. Subscription-level events: resource creation, deletion, policy compliance, role assignment changes
    C. Azure SQL query activity logs
    D. Azure AD user sign-in events
  8. Question 8 (Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel)

    Sentinel must alert when a user account is added to the Azure AD Global Administrator role. Which data connector provides the event that triggers this rule?

    A. Azure Activity connector
    B. Microsoft Entra ID (Azure AD) connector with Audit Logs
    C. Microsoft Defender for Identity connector
    D. Security Events connector
  9. Question 9 (Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel)

    A Sentinel automation rule is set to run a playbook when an incident severity is 'High' and entity type is 'Account'. What is a limitation of automation rules compared to analytics rule alert actions?

    A. Automation rules can only close incidents, not trigger playbooks
    B. Automation rules can trigger playbooks only on incident creation, not alert creation
    C. Automation rules cannot filter by entity type
    D. Automation rules require premium Sentinel license
  10. Question 10 (Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel)

    A Sentinel analytics rule uses the SecurityEvent table. The rule must alert when a user performs more than 10 failed logins (EventID 4625) in 5 minutes from the same IP. Which KQL element implements the count threshold?

    A. where EventID == 4625 | limit 10
    B. summarize count() by SourceIP, bin(TimeGenerated, 5m) | where count_ > 10
    C. extend FailCount = 10 | where FailCount > 0
    D. project SourceIP, TimeGenerated | top 10
  11. Question 11 (Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel)

    Which Azure service is a cloud-native SIEM and SOAR solution that collects security data across the enterprise for threat detection and automated response?

    A. Microsoft Defender for Cloud
    B. Microsoft Sentinel
    C. Azure Monitor Logs
    D. Microsoft Defender for Endpoint

Key Sentinel Concepts for AZ-500

Sentinel, SIEM, SOAR, data connector, analytic rule, workbook, playbook, Logic App, KQL

AZ-500 Sentinel Exam Tips

Microsoft Sentinel questions in AZ-500 are typically scenario-based. Focus on identity protection, platform hardening, data security, and security operations. Priority concepts: Sentinel, SIEM, SOAR, data connectors, analytic rules, workbooks.

What AZ-500 Expects

  • Anchor your answer in choosing controls that reduce exposure while preserving least-privilege access.
  • Sentinel scenarios for AZ-500 are frequently mapped to Domain 4 (25-30%), so read the objective carefully before picking controls or architecture.
  • Expect multi-topic scenarios where Sentinel interacts with identity, networking, governance, or monitoring patterns rather than appearing as an isolated question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Associate) and vendor best practices.

High-Value Sentinel Concepts

  • Know the core Sentinel building blocks cold: SIEM, SOAR, data connectors.
  • Review the edge-case features and limits for analytic rules and workbooks; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how Sentinel pairs with Security Operations and Defender in real deployment patterns.
  • For AZ-500, explain why the chosen Sentinel design meets reliability, security, and cost expectations better than the alternatives.

Common AZ-500 Traps

  • Watch for identity controls that are too broad for the requested scope.
  • Questions in Manage Security Operations often include distractors that look correct for Sentinel but violate least-privilege, compliance, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two Sentinel implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Manage Security Operations (25-30%) outcomes for AZ-500?
  • Can you explain security and access boundaries for Sentinel without relying on default-open assumptions?
  • Can you describe how Sentinel integrates with Security Operations and Defender during failure, scaling, and monitoring events?
