AZ-500
The Insider Threat Hunt
Microsoft Sentinel has fired a Medium-priority incident: "Anomalous Azure resource activity detected." Investigation reveals: a user account (j.morrison@contoso.com) performed 847 Azure API calls in 4 minutes at 2:18am — a 40x deviation from their baseline. The calls included: listing all Key Vault secrets across 6 vaults, exporting 3 VM disk snapshots, and querying all SQL server connection strings. The account has Global Administrator in Entra ID. Sign-in logs show the authentication came from an IP in Singapore — the user is based in London. There has been no travel notification. The account has MFA registered but the sign-in used a Legacy Authentication protocol that bypassed MFA.
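The indicators in this scenario (a privileged account, a legacy-authentication sign-in that satisfied no MFA, a sign-in country that does not match the user's home country, and an API-call rate far above baseline) are exactly the kind of signals an analytics rule correlates before raising an incident. The following is an added illustration, not code from the lab or from Microsoft: a small Python triage routine over constructed sign-in and activity records. The record layout, the set of client-app strings treated as legacy protocols, the baseline figure of 21 calls per 4-minute window (chosen so that 847 calls is roughly a 40x deviation, as in the scenario) and the severity thresholds are all assumptions made for the example.

```python
from dataclasses import dataclass, field

# Client-app values treated as legacy (basic-auth) protocols. This set is an
# assumption for the example; check it against the values your tenant's
# sign-in logs actually emit before reusing it.
LEGACY_CLIENT_APPS = {
    "Other clients", "IMAP4", "POP3", "SMTP", "Authenticated SMTP",
    "Exchange ActiveSync", "MAPI Over HTTP",
}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}


@dataclass
class SignIn:
    """Simplified sign-in record (constructed layout, not a real log schema)."""
    upn: str
    client_app: str
    country: str          # ISO country code of the sign-in IP
    mfa_satisfied: bool   # whether the sign-in actually completed MFA
    roles: frozenset = frozenset()


@dataclass
class ActivityWindow:
    """API-call count for one short window, plus the user's baseline for it."""
    api_calls: int
    window_minutes: int
    baseline_calls_per_window: float


@dataclass
class Triage:
    indicators: list = field(default_factory=list)
    deviation: float = 0.0
    privileged: bool = False

    def severity(self) -> str:
        # One indicator on a privileged account is already High; a
        # non-privileged account needs two correlated indicators for High.
        if self.privileged and self.indicators:
            return "High"
        if len(self.indicators) >= 2:
            return "High"
        if self.indicators:
            return "Medium"
        return "Informational"


def uses_legacy_auth(signin: SignIn) -> bool:
    """True when the sign-in came over a protocol that cannot carry MFA."""
    return signin.client_app in LEGACY_CLIENT_APPS


def deviation_factor(window: ActivityWindow) -> float:
    """Observed calls divided by the baseline for a window of the same length."""
    if window.baseline_calls_per_window <= 0:
        return float("inf") if window.api_calls else 0.0
    return window.api_calls / window.baseline_calls_per_window


def triage_signin(signin: SignIn, window: ActivityWindow,
                  home_country: str, rate_threshold: float = 10.0) -> Triage:
    """Correlate the three indicator families into one triage verdict."""
    t = Triage(privileged=bool(signin.roles & PRIVILEGED_ROLES))
    if uses_legacy_auth(signin) and not signin.mfa_satisfied:
        t.indicators.append("legacy-auth-no-mfa")
    if signin.country != home_country:
        t.indicators.append("location-mismatch")
    t.deviation = deviation_factor(window)
    if t.deviation >= rate_threshold:
        t.indicators.append("api-rate-anomaly")
    return t


if __name__ == "__main__":
    # Constructed records modelled on the scenario above.
    suspicious = SignIn("j.morrison@contoso.com", "Other clients", "SG",
                        mfa_satisfied=False,
                        roles=frozenset({"Global Administrator"}))
    burst = ActivityWindow(api_calls=847, window_minutes=4,
                           baseline_calls_per_window=21.0)
    verdict = triage_signin(suspicious, burst, home_country="GB")
    print(verdict.severity(), verdict.indicators, round(verdict.deviation, 1))
```

The useful property for an analyst is that each indicator stays visible in the verdict, so an incident note can say which signals fired rather than only reporting a severity; a Browser sign-in from the home country that completed MFA, at baseline call volume, produces no indicators and an Informational verdict even for the same Global Administrator account.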
STEP 1 OF 5 — FREE PREVIEW
This appears to be an account compromise. What is your FIRST action in Sentinel and in Entra ID within the next 2 minutes, before doing any further investigation? Justify the sequence of your actions.
Steps 2–5 require purchase