In Microsoft Defender XDR, deception rules (part of the Defender for Endpoint Deception capability) allow security teams to deploy decoys and honeytokens to lure attackers. When configuring deception rules, scope management is essential to control which devices the rule applies to.
According to Microsoft's Defender XDR documentation:
"Deception rules can be targeted to specific devices or sets of devices by assigning them to device groups.
Device groups allow you to manage and scope rules, configurations, and alerts efficiently." Therefore, before creating a deception rule that must apply only to a specific subset of devices, you first create device groups - then assign the deception rule to those groups.

In Microsoft Defender for Endpoint, before administrators can allow or block user-specified IPs or URLs, the feature "Custom network indicators" must be enabled under Advanced Features in the Microsoft 365 Defender portal.
This capability allows defining Indicators of Compromise (IoCs) at the network level to enforce allow/block decisions for specific domains, URLs, or IP ranges. Once enabled, Defender for Endpoint agents enforce these network indicators across managed endpoints.
Other features like EDR in block mode or Web content filtering provide automatic blocking, not manual IP
/URL control.
# Correct answer: B. custom network indicators

Custom deception rules in Defender XDR/Defender for Endpoint can be targeted by scope (e.g., device tags
/device groups). To apply a rule only to a specific subset (10 out of 500), first tag those devices, then target the rule to that tag (or a device group that uses that tag).

When querying the Microsoft 365 Unified Audit Log (via Graph API or PowerShell), results are paginated for performance. The property @odata.nextLink provides the URL for the next page of results. You must keep querying this link until it no longer appears to retrieve all entries.
* @odata.deltaLink is used for incremental changes (next query after initial).
* @odata.context describes the response metadata.
* @odata.count indicates record count only.Thus, to retrieve all paged results, use @odata.nextLink.
# answer: A. @odata.nextLink

Explanation:
To integrate on-premises servers into Microsoft Defender for Cloud and support features such as Threat and Vulnerability Management (TVM) and data collection rules, the servers must first be connected to Azure Arc. Azure Arc allows non-Azure servers to be managed as Azure resources and enables Defender for Cloud capabilities such as endpoint protection, vulnerability management, and compliance assessment.
The correct sequence of steps is:
1## Generate the installation script:
In the Azure portal, navigate to Azure Arc # Servers # Add. From there, select the appropriate subscription and resource group, then generate the Azure Arc onboarding script. This script includes registration commands and configuration for the machine to connect to Azure.
2## Install the Azure Connected Machine agent:
On each on-premises server, run the generated script. This installs the Azure Connected Machine agent (Azure Arc agent), which establishes communication between the on-premises server and Azure. After installation, the server appears as an Arc-enabled machine in the Azure portal.
3## Create an Azure Arc Data Controller (if data services are required):
Once the machines are connected, you can configure data services or additional Defender for Cloud features (such as data collection and TVM). The Azure Arc Data Controller provides hybrid data capabilities for managing and monitoring on-premises workloads.
This sequence aligns with Microsoft's Defender for Cloud documentation and Arc onboarding best practices, ensuring minimal administrative overhead while enabling full SecOps visibility across hybrid environments.