SC-200 Microsoft Security Operations Analyst Questions and Answers

In Microsoft Sentinel, entity mapping is a critical configuration that ensures detected events and alerts are correctly represented in the investigation graph, incidents, and hunting experiences. The Sentinel requirements in the case study specify:

“Add notes to events that represent data access from a specific IP address to provide the ability to reference the IP address when navigating through an investigation graph while hunting.”

To meet this requirement, the analytic rule must be configured to map entities such as IP address, user, hostname, or URL in the Set rule logic section. This mapping allows the incident and its related alerts to visually associate with those entities, enabling analysts to pivot and investigate in the Sentinel investigation graph.

According to Microsoft Sentinel documentation:

“Entity mapping in analytic rules helps correlate alerts and incidents to specific entities such as accounts, IPs, or hosts, enabling richer investigation experiences and faster triage.”

Therefore, configuring entity mapping directly under Set rule logic ensures that incidents are enriched with contextual information (for example, the specific IP address), meeting both the functional and investigative requirements.

✅ Final Answer for Question 2: C. From Set rule logic, map the entities.

To find all security principals (users or service principals/apps) that changed or deleted groups, you should query MicrosoftGraphActivityLogs and filter for requests targeting the groups endpoint, then exclude read-only operations. The RequestUri field contains the full Graph URL that the principal called (e.g., /v1.0/groups/{id}), so filtering where RequestUri contains "/group" (or "/groups") isolates group-related operations. Changes and deletions are non-read HTTP verbs such as POST, PATCH, PUT, and DELETE. The simplest way to capture all of them is to exclude reads: where RequestMethod != "GET". Finally, projecting AppId, UserId, and ServicePrincipalId returns the identities (user or app) behind each request, which are the “security principals” you need to report.

So the completed KQL is:

MicrosoftGraphActivityLogs

| where RequestUri contains "/group"

| where RequestMethod != "GET"

| project AppId, UserId, ServicePrincipalId

To block unsanctioned cloud apps on Windows 10 endpoints with Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps (formerly Cloud App Security), you must enable and configure the product integration on both sides. First, in Microsoft Defender Security Center → Settings → Advanced features, turn on the Microsoft Defender for Cloud Apps integration (and ensure network protection prerequisites are met). This allows Defender for Endpoint to receive the unsanctioned app list and enforce endpoint-based blocking when users on CLIENT1 attempt to access those apps via the browser or client.

Second, in Defender for Cloud Apps → Settings → Cloud Discovery, configure the Microsoft Defender for Endpoint integration and enable Block unsanctioned apps. In Cloud Discovery, apps are discovered, assessed, and can be tagged as Unsanctioned. Once the MDE integration is enabled, that tag is exported to endpoints, which then enforce blocking based on the tenant’s app catalog and policies.

Options A (Onboarding settings) are for enrolling devices and do not control app blocking behavior. B (Anomaly detection policies) govern behavioral detections (e.g., impossible travel, anonymous IP) and are unrelated to endpoint enforcement of app access. Therefore, the two configurations you must modify to meet the requirement “block unsanctioned apps on Windows 10 computers by using Microsoft Defender for Endpoint” are C. Advanced features in Microsoft Defender Security Center and D. Cloud Discovery settings in Cloud App Security.

In Microsoft Defender for Cloud’s role-based access model, specific Azure built-in roles define what users can view and configure:

Security Reader: View-only access to Defender for Cloud recommendations and alerts.

Security Operator: Can view and dismiss alerts but cannot modify security policies.

Security Admin: Can view everything a reader can and additionally edit security policies, manage recommendations, and configure settings across Defender for Cloud.

Owner/Contributor: Have broader Azure resource management rights, exceeding what’s required to manage Defender for Cloud policies—violating the principle of least privilege.

The principle of least privilege dictates assigning the narrowest role that allows performing the required tasks. In this case, the Security Admin role is explicitly documented by Microsoft as granting permission to modify security policies and settings in Defender for Cloud, without granting full subscription ownership rights.

Therefore, to allow User1 to modify Defender for Cloud security policies while maintaining least privilege:

✅ Assign the Security Admin role.

When you deploy the ASIM unifying parser for DNS, you should query the normalized schema via the function imDns() (ASIM convention: im). To maximize performance, pass filtering arguments directly to the parser so the function prunes data early at source, rather than piping a large dataset into subsequent where filters. ASIM DNS supports parameters such as starttime, endtime, and responsecodename (for example, NXDOMAIN). Therefore, using imDns(starttime=ago(1d), responsecodename='NXDOMAIN') limits ingestion to the last 24 hours and only events whose ResponseCodeName equals NXDOMAIN.

Once normalized rows are returned, use summarize with bin() to aggregate efficiently. The ASIM DNS schema exposes the client address as SrcIpAddr; grouping by this field and bin(TimeGenerated, 15m) produces per–source-IP counts in 15-minute buckets. The final query:

imDns(starttime=ago(1d), responsecodename='NXDOMAIN')

| summarize count() by SrcIpAddr, bin(TimeGenerated, 15m)

meets all requirements: it lists all DNS events with NXDOMAIN in the last 24 hours and aggregates them by source IP in 15-minute intervals, using ASIM’s parameterized parser to achieve optimal performance.

Microsoft Defender for Identity (MDI) detects sensitive group modifications—such as changes to Domain Admins, Enterprise Admins, or Schema Admins—by analyzing Windows security events from domain controllers. For MDI sensors to detect such changes, advanced audit policies must be configured to log these activities (specifically Directory Service Changes and Account Management events).

Microsoft documentation specifies that “Defender for Identity requires auditing to be enabled on domain controllers for security events like group membership changes.” This is done under Advanced Audit Policy Configuration → Directory Service Changes.

Additionally, Windows Event Forwarding (WEF) is required or beneficial when Azure Sentinel needs to centralize those events from multiple domain controllers into a Log Analytics workspace. WEF minimizes administrative effort by automatically collecting logs without manual export or per-server log pulling.

Thus, configuring Advanced Audit Policy ensures the right events are generated, and Windows Event Forwarding ensures those events reach Sentinel for correlation with MDI alerts.

✅ Correct Answers: A and D

Activity from a country/region that could indicate malicious activity. This policy profiles your environment and triggers alerts when activity is detected from a location that was not recently or was never visited by any user in the organization. Activity from the same user in different locations within a time period that is shorter than the expected travel time between the two locations. This can indicate a credential breach, however, it's also possible that the user's actual location is masked, for example, by using a VPN.

You can use alerts suppression rules to suppress false positives or other unwanted security alerts from Defender for Cloud.

Note: To create a rule directly in the Azure portal:

1. From Defender for Cloud's security alerts page:

Select the specific alert you don't want to see anymore, and from the details pane, select Take action.

Or, select the suppression rules link at the top of the page, and from the suppression rules page select Create new suppression rule:

2. In the new suppression rule pane, enter the details of your new rule.

Your rule can dismiss the alert on all resources so you don't get any alerts like this one in the future.

Your rule can dismiss the alert on specific criteria - when it relates to a specific IP address, process name, user account, Azure resource, or location.

3. Enter details of the rule.

4. Save the rule.

 Internal threat: Modify the access policy settings for the key vault.

 External threat: Modify the Key Vault firewall settings.

For internal threats involving a potential compromise of Fabrikam’s own Azure AD applications, the most direct and least disruptive remediation is to modify the Key Vault access policies (or RBAC assignments, if RBAC for Key Vault data-plane is in use) to immediately remove or reduce the compromised service principal’s permissions (Get/List/Decrypt/Sign/Wrap). Microsoft guidance for Key Vault access emphasizes least privilege and promptly revoking credentials or app permissions when compromise is suspected. Access policies (or data-plane RBAC) govern which identities can access secrets, keys, and certificates; adjusting these stops further data-plane actions by the compromised app. “Resource locks” protect against deletion or configuration changes at the management plane, but they do not remove a compromised identity’s ability to read or use vault objects, so they are not an appropriate first response for this scenario.

For external threats, Microsoft recommends hardening Key Vault firewall and networking: restrict public network access, allow only required IPs, use virtual network rules, and prefer private endpoints. Key Vault includes a built-in firewall for IP and VNet ACLs; tuning these controls reduces exposure to the public internet and blocks unauthorized traffic. NSGs apply to IaaS subnets/nics and don’t directly secure the public Key Vault endpoint. Azure Firewall can add perimeter control, but it is not necessary for remediating a specific Key Vault Defender alert; the most effective and immediate remediation is tightening the Key Vault firewall settings to limit external access pathways.

In Microsoft Defender XDR (and Microsoft Sentinel), the table that stores information about incidents—including their status, severity, classification, associated alerts, and related tasks—is the SecurityIncident table. This table is part of the advanced hunting schema and Microsoft Sentinel workspace schema when Microsoft Defender XDR incidents are synchronized to Log Analytics.

Microsoft’s documentation for the SecurityIncident table describes it as:

“Contains information about incidents generated in Microsoft Sentinel or Microsoft 365 Defender, including incident title, ID, description, severity, provider, owner, and related entities. It can be used to track and analyze incidents and their associated alerts or tasks.”

When you need to display incidents in a workbook and also visualize incident tasks or actions performed under each one, you must query the SecurityIncident table. From there, you can join or expand incident details such as tasks or alert relationships for deeper investigation.

Other options are not suitable for this requirement:

SecurityEvent – contains raw Windows event log data (e.g., logon events, process creation) and is unrelated to incident-level information.

SentinelAudit – contains audit trail records of changes and administrative actions within Sentinel (e.g., who modified analytics rules), not incidents or tasks.

SecurityAlert – contains individual alerts that may belong to incidents, but it doesn’t include incident tasks or groupings by incident.

Therefore, to query incident information and related tasks in a workbook, the correct target table is SecurityIncident.

To view incidents across multiple Sentinel workspaces (50 in this case), the central view is provided from the Microsoft Sentinel page in the Azure portal.

This page provides a multi-workspace incident view, allowing SOC analysts to see all incidents across all connected workspaces without switching manually.

Microsoft Sentinel – Incidents → shows incidents from a single workspace only.

Microsoft Sentinel – Workbooks → used for analytics visualization.

Log Analytics workspaces → only for log storage and queries, not consolidated incident management.

✅ Correct Answer: C. Microsoft Sentinel

To exclude a built-in, source-specific Advanced Security Information Model (ASIM) parser from a built-in unified ASIM parser, you should create an analytic rule in the Microsoft Sentinel workspace. An analytic rule allows you to customize the behavior of the unified ASIM parser and exclude specific source-specific parsers from being used. Reference: https://docs.microsoft.com/en-us/azure/sentinel/analytics-create-analytic-rule

n Microsoft Purview Compliance Portal, to locate specific email messages or files across user mailboxes and SharePoint/OneDrive content, you use Content Search (under eDiscovery or Content Search tools).

You can specify conditions such as Subject contains “Project1” and limit the search scope to specific users (those working on Project1).

Records management disposition applies to retention policies.

User data search is not a Purview feature.

Audit search searches for user/admin activities, not message contents.

✅ Answer: D. Perform a content search

When you need to combine multiple tables (AlertInfo, AlertEvidence, and DeviceLogonEvents) and return all rows from all tables, you use the union operator in KQL (Kusto Query Language).

join would only return matching records between tables based on a key, not all rows.

evaluate is used for external function evaluations.

search * searches across all tables but doesn’t create structured combined output.

Using union kind=inner appends results from all three tables while maintaining their structure, allowing you to analyze all alerts, evidence, and logon activity together.

✅ Answer: D. union kind = inner

In Microsoft Sentinel, during incident investigation, you can label certain entities directly from the incident page as Indicators of Compromise (IOCs). According to Microsoft Sentinel’s entity behavior and investigation documentation, entities such as IP addresses, URLs, file hashes, and domains can be directly marked as IOCs because they represent observable threat indicators that can be tracked across the environment.

While entities like User accounts, Hosts, and Malware names are part of incident context, they are not directly taggable as IOCs from the incident page because Sentinel expects IOCs to represent specific, traceable, external threat artifacts (e.g., IPs, domains, or file hashes).

Therefore, from the list provided — Host, IP address, User account, and Malware name — only the IP address entity can be directly labeled as an IOC from within the incident interface in Sentinel.

✅ Answer: D. IP address

A scheduled query rule in Azure Sentinel is the correct method to detect and generate alerts/incidents based on specific data patterns such as sign-ins from malicious IPs. The scheduled rule can run periodically (e.g., every 5 minutes or hour), execute a KQL query filtering for malicious IPs, and create incidents automatically when matches are found. This satisfies the goal of automatically creating incidents for suspicious sign-ins.

Task

User

Enable Microsoft Defender for Servers on virtual machines:

User1

Review security recommendations and enable server vulnerability scans:

User1

Query successful

This is a role-based access control (RBAC) question using the principle of least privilege.

The table of users and roles is:

Name

Role

User1

Security administrator

User2

Security reader

User3

Contributor

Export to Sheets

Action: This is a management/configuration task at the subscription level, often related to enabling Defender plans and installing extensions on VMs.

Required Permissions: The ability to modify security policies and settings in Microsoft Defender for Cloud and the permission to install extensions on VMs.

The Security Administrator role is explicitly designed for this, granting permissions to manage the security features, policies, and program enrollment (like enabling Defender plans).

The Contributor role can also perform this by installing the necessary agents and extensions, but it grants broad access to manage all resources, violating the principle of least privilege for a purely security-focused task.

Least Privilege User: User1 (Security administrator)

Action: This task has two parts:

Review security recommendations: This is a read-only action. The Security Reader role is sufficient.

Enable server vulnerability scans: This means configuring a security feature (Vulnerability Assessment), which requires write access to the security configuration or the resource itself.

The Security Reader role cannot perform the "enable" action.

The Security Administrator role has the permissions required to modify security policy and configuration to enable scanning features.

The Contributor role can also do this, but again, the Security Administrator role is the least privileged for a security-specific configuration change.

Least Privilege User: Since the entire task includes an "enable" (write) action, we must use the role that can perform both read and write security actions. User1 (Security administrator) is the appropriate choice.

Task

User

Enable Microsoft Defender for Servers on virtual machines:

User1

Review security recommendations and enable server vulnerability scans:

User1

Custom deception rules in Defender XDR/Defender for Endpoint can be targeted by scope (e.g., device tags/device groups). To apply a rule only to a specific subset (10 out of 500), first tag those devices, then target the rule to that tag (or a device group that uses that tag).

Microsoft Sentinel uses the Advanced Security Information Model (ASIM) to normalize logs into a consistent schema, enabling unified queries, analytics rules, and hunting queries across multiple data sources.

Each ASIM function has a structured parser hierarchy, typically consisting of:

A master (or orchestrator) parser, which aggregates and calls all source-specific parsers.

Source-specific parsers, which map raw data from each data source (like Windows SecurityEvents, Sysmon, or custom logs) to the ASIM schema fields.

In the case of ProcessCreate events:

_Im_ProcessCreate is the master parser. Its role is to call all ProcessCreate parsers, including both built-in and custom ones (for example, imProcessCreate, vimProcessCreate, or other vendor-specific parsers).

Parsers like imProcessCreate (for native sources) and vimProcessCreate (for custom or vendor-specific sources) are source-specific parsers. They are responsible for standardizing and mapping raw fields into the ASIM Process schema, ensuring consistent naming such as ActorProcessName, TargetProcessName, and TargetProcessCommandLine.

“The _Im_ functions are orchestrators that call all source-specific parsers. Each im or vim parser converts native data into the ASIM schema for its respective source.”

Therefore:

To call all ProcessCreate parsers, modify _Im_ProcessCreate.

To standardize fields to the Process schema, modify vimProcessCreate (the new source-specific parser you created).

✅ Final Answers:

Call all the ProcessCreate parsers: _Im_ProcessCreate

Standardize fields to the Process schema: vimProcessCreate

A workbook is a data-driven interactive report in Microsoft Sentinel. You can use workbooks to create custom reports based on data from your Azure subscription. Reference: https://docs.microsoft.com/en-us/azure/sentinel/workbooks-overview

To run a PowerShell script when a suspicious-IP access alert is raised for Storage, use Workflow automation in Defender for Cloud to trigger a Logic App whenever a matching security alert occurs. The Logic App should use the Azure Security Center (Defender for Cloud) alert trigger, and from there you can call an Automation Runbook (PowerShell) or another action to execute your script. A manual or HTTP trigger isn’t needed because the flow must start automatically from the security alert, and an AAD app registration is not required for the basic alert-triggered flow.

In Microsoft Sentinel, when using the Windows Security Events via AMA (Azure Monitor Agent) connector, you can configure an XPath filter expression to control which Windows security events are collected from a connected virtual machine.

Microsoft’s documentation specifies that event filtering is based on the EventLog XML schema, and filtering by Keywords allows you to target specific audit categories. In Windows Security logs, events are categorized as follows by their Keywords bitmask:

0x8020000000000000 → Audit Success events

0x8010000000000000 → Audit Failure events

Since the requirement is to collect only audit failure events, the XPath filter must include only the System node (which contains the event header metadata) and filter by the Keywords attribute equal to 0x8010000000000000.

The correct XPath syntax for the filter in this case is:

Security!*[System[Keywords='0x8010000000000000']]

Explanation of components:

Security!* — Targets the Windows Security event log.

System[...] — Refers to the event’s header metadata section (where Keywords, EventID, and Level are stored).

Keywords='0x8010000000000000' — Matches only events that have the Audit Failure bit set.

Therefore, only events with Audit Failure outcomes will be collected from VM1, satisfying the requirement to minimize event ingestion and reduce unnecessary log noise.

✅ Final Answer: Security!*[System[Keywords='0x8010000000000000']]

Enabling User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel requires specific permissions in both Microsoft Entra ID (Azure AD) and the Azure Sentinel workspace. The goal is to grant the least privilege necessary for the user (User1) to enable UEBA and manage entity behavior analytics.

Microsoft’s documentation for UEBA setup specifies that to enable UEBA for an Entra tenant, the user must have access to identity-related signals and security settings within the Microsoft Entra environment. Specifically:

“To enable UEBA and connect Microsoft Entra ID data, the user must be assigned the Security Administrator role in Microsoft Entra ID. This role allows management of security-related features without granting full directory or global admin privileges.”

The Security Administrator role provides just enough access to security configurations, alerts, and risk data, aligning with the principle of least privilege.

Other roles:

Global Administrator is overly privileged.

Security Operator can only view alerts, not configure settings.

Identity Governance Administrator focuses on access reviews and entitlement management, not UEBA setup.

Hence, the correct Entra role is Security Administrator.

For the Azure side, Microsoft’s official Sentinel RBAC guidance states:

“To enable or configure UEBA in a Sentinel workspace, the user must have the Microsoft Sentinel Contributor role. This role allows enabling and configuring UEBA, managing analytics, and viewing data within Sentinel.”

The Sentinel Contributor role grants permissions to configure data connectors, UEBA settings, and entity analytics features but not workspace-wide administrative rights.

Other options:

Microsoft Sentinel Automation Contributor is limited to playbook and automation configurations.

Security Admin and Security Assessment Contributor roles apply to Microsoft Defender for Cloud and general Azure security posture, not UEBA configuration.

✅ Final Correct Roles:

Microsoft Entra role: Security Administrator

Azure role: Microsoft Sentinel Contributor

When onboarding Google Cloud Platform (GCP) to Microsoft Defender for Cloud using the native cloud connector, the integration process is performed within GCP to allow Defender for Cloud to continuously monitor all existing and future GCP projects under the organization.

According to Microsoft Defender for Cloud’s official onboarding documentation for GCP, the connector setup requires the creation of a management project in GCP. This project acts as a central control point for all future onboarding operations. In that project, you create a custom IAM role that defines the minimum required permissions for Defender for Cloud to access security posture, asset inventory, and threat detection data from GCP resources.

This ensures least-privilege access and allows automatic onboarding of all new GCP projects under the same organization (GCP1).

Microsoft provides a deployment script that you execute from the GCP Cloud Shell. Running the script there automates:

Creation of the management project

Assignment of the custom role

Configuration of the service account and necessary API permissions

Establishment of the continuous connector between GCP and Defender for Cloud

Running it in Azure Cloud Shell would not have the required GCP SDK environment or permissions to modify GCP IAM and projects, hence GCP Cloud Shell is required.

✅ Final Answers:

Create: A management project and a custom role

By: Running a script in GCP Cloud Shell

When you initiate the Collect Investigation Package action on a device in Microsoft Defender for Endpoint, the package includes many forensic artifacts that help you trace file usage, process execution, and system behavior. Among those artifacts are prefetch files. Prefetch files record metadata about which executables were run and when, and can provide first/last execution timestamps. Whizlabs+2InfoSec Write-ups+2

Specifically, Microsoft documents (e.g. Respond-machine alerts) describe that the investigation package contains folders such as Autoruns, Processes, Scheduled tasks, Security event log, Users and Groups, Prefetch files, among others. InfoSec Write-ups+2Whizlabs+2 Among those, the Prefetch files are the best source to determine the first and last run time of a given executable (like File1.exe). Other artifacts (process history, event logs) might also show execution events, but prefetch is the artifact designed for showing executable run metadata and is most commonly used for that purpose in forensic investigations. InfoSec Write-ups+2ExamTopics+2

Because the question specifically asks “first and last time File1.exe was executed,” reviewing Prefetch files in the investigation package is the correct approach.

The requirement states that Cloud App Security (Defender for Cloud Apps) must determine whether a user’s connection is anomalous based on tenant-level patterns, and the current false positives occur when users connect through two office egress points at the same time. These symptoms align with the Impossible travel anomaly detection policy, which learns normal sign-in geolocation patterns and flags sign-ins from distant locations within an unrealistically short time window. To meet the requirement and reduce false positives, you modify the Impossible travel policy settings—such as excluding trusted corporate IP ranges/VPN egress points and tuning sensitivity—so detections better reflect tenant-wide behavior rather than isolated user hops via different office exits. Policies like Activity from anonymous/suspicious IP addresses rely on threat-intel lists of anonymizers or known-bad sources and don’t address the “two-office” scenario. Risky sign-in is part of Azure AD Identity Protection, not the MCAS anomaly policy to tune here. Thus, the policy to modify is Impossible travel.

Microsoft Sentinel playbooks can be triggered by different types of events—alerts, incidents, or entities. Since the requirement specifies “incidents generated by rulequery1” and asks for automatic processing of those incidents, the correct approach is to use a playbook with an incident trigger.

According to Microsoft Sentinel automation documentation:

“When you want automation to start after an incident is created or updated, use the incident trigger. This allows you to automate workflows such as closing incidents, adding comments, or sending notifications.”

This trigger type works with automation rules that specify when and how to execute playbooks based on incident state or severity. Using a playbook with an incident trigger meets the need for post-incident automation (e.g., auto-closing incidents if they match certain conditions).

✅ Answer for Question 8: A. a playbook with an incident trigger

In Microsoft Sentinel, Hunting queries are used to proactively search for threats and anomalies across collected security data. The requirement states that HuntingQuery1 must run automatically when the Hunting page of Microsoft Sentinel is accessed. According to Microsoft’s official Sentinel documentation, this behavior is achieved by adding the hunting query to “Favorites.”

When a query is marked as a favorite in the Sentinel Hunting blade, Sentinel automatically runs it every time the Hunting page is opened. This provides updated results without the need for manual execution, ensuring analysts always see the most current data for that query. This configuration also adheres to the organization’s requirement to minimize administrative effort, since it eliminates the need for scheduling, automation, or manual refresh actions.

Other options do not meet this functional requirement:

A. Add to a livestream is used to monitor near-real-time data streams, not to auto-run queries upon accessing the Hunting page.

B. Create a watchlist is used for referencing static external data sets (like IPs, users, or devices) inside KQL queries, not for automating hunting query execution.

C. Create an automation rule applies to incident management workflows, not hunting query execution.

Therefore, as per Microsoft Sentinel’s hunting documentation and best practices, the correct and verified answer is:

D. Add HuntingQuery1 to favorites.

In Microsoft Sentinel, playbooks are Azure Logic Apps that automate responses to alerts or incidents. To use an existing Logic App as a playbook in Sentinel, it must start with the “Microsoft Sentinel alert” trigger. This trigger allows Sentinel to call and pass alert details to the Logic App automatically.

When an existing Logic App has a manual trigger, it cannot be invoked directly by Sentinel. Therefore, the first step is to modify the trigger to replace the manual trigger with the “When a response to an Azure Sentinel alert is triggered” trigger. After that, you can link it within Sentinel incidents or automation rules.

This process is detailed in Microsoft Defender XDR and Sentinel documentation under “Connect a Logic App to Sentinel as a playbook.”

Hence, the correct answer is D. Modify the trigger in the logic app.

In Microsoft Sentinel, Microsoft incident creation rules are used to automatically create incidents from alerts generated by connected Microsoft security products (like Microsoft Defender XDR, Defender for Endpoint, or Defender for Cloud Apps). However, these rules do not detect malicious IP activity on their own. They simply define how and when alerts from Microsoft security connectors should be grouped or converted into incidents.

To meet the goal — “create an incident when a sign-in to an Azure virtual machine from a malicious IP address is detected” — you must use an analytics rule (scheduled query) or a Fusion rule that actively correlates sign-in logs with threat intelligence data (malicious IPs). Analytics rules in Sentinel run KQL queries that can match sign-in activity (from Azure Activity or SigninLogs) with known malicious IP lists, and they can automatically generate incidents when matches occur.

Therefore, creating a Microsoft incident creation rule for a data connector does not meet the requirement, since it cannot detect or correlate malicious sign-in activity itself.

Hence, the correct answer is B. No.

In Microsoft Sentinel, data connectors are the mechanisms that collect logs and telemetry from various Azure and non-Azure sources into a Log Analytics workspace.

When your goal is to automatically connect multiple Azure subscriptions (both existing and new resources) to Sentinel, the correct approach is to use Azure Policy with connectors that rely on diagnostic settings.

Many Azure resources (e.g., Key Vaults, Storage Accounts, Azure Firewall, and Activity Logs) send logs to Sentinel via diagnostic settings. This connector type allows logs to be exported directly to the Sentinel workspace without requiring agents or manual configuration.

By using Azure Policy, you can automatically enforce and deploy these diagnostic settings across all current and future resources — ensuring continuous log ingestion with minimal administrative overhead.

When applying the Azure Policy, existing resources might not yet have diagnostic settings configured. To fix this, you create a remediation task. This instructs Azure Policy to apply the compliance settings to existing resources, not just new ones. Without a remediation task, only newly created resources would comply automatically.

Connector type: Diagnostic settings → used for policy-based deployment across subscriptions.

Use: A remediation task → ensures policy applies to both existing and new resources for full coverage.

✅ Final Answer:

Connector type: Diagnostic settings

Use: A remediation task

The problem described in the case study states that “Cloud App Security frequently generates false positive alerts when users connect to both offices simultaneously.” This behavior is commonly associated with the “Impossible travel” anomaly detection policy in Microsoft Defender for Cloud Apps.

According to Microsoft documentation, the “Impossible travel” policy detects when a user signs in from two locations that are geographically distant within an unrealistic timeframe. However, in multi-office environments (such as Boston and Seattle) or when VPN connections are used, this policy can frequently trigger false positives, since it may misinterpret legitimate connections as anomalous.

Microsoft recommends adjusting the impossible travel detection policy to account for trusted IP ranges, known locations, or VPN endpoints to reduce false alerts. Specifically, administrators can modify the policy’s sensitivity, include the organization’s office IP addresses as trusted, and exclude known network ranges.

This approach directly aligns with the case study’s scenario and satisfies the Defender for Cloud Apps requirement to reduce false positives while maintaining user anomaly detection accuracy.

✅ Final Answer for Question 3: D. Impossible travel

The requirement is to enable Microsoft Defender for Servers Plan 2 on all Azure VMs while excluding Server2 from agentless scanning. Defender for Cloud provides a built-in mechanism to exclude specific machines from agentless scanning based on resource tags. The process is: assign a distinct tag name:value to the VM you want to exclude (Server2), and then, in Defender for Cloud’s Agentless scanning for machines settings, specify that tag pair under exclusions. Defender’s continuous discovery honors these exclusions and skips any VM that matches the configured tag. This approach aligns with the business requirement of least privilege and minimal administrative effort: it avoids broad configuration changes, requires no extensions on the VM, and is reversible by simply removing or changing the tag. The Microsoft Antimalware extension and Automanage configuration are unrelated to agentless scanning behavior, and a resource lock would only prevent modifications/deletions, not scanning. Therefore, to meet the Defender for Cloud requirement precisely, configure an Azure resource tag on Server2 and reference that tag in the agentless scanning exclusion settings.

In Microsoft Sentinel’s Advanced Security Information Model (ASIM), DNS queries are normalized through the Im_Dns parser, which unifies DNS telemetry from multiple sources (Infoblox, Windows DNS, Azure Firewall DNS proxy, etc.). Microsoft guidance states that when you need broad compatibility and want to “use built-in ASIM parsers whenever possible,” you should call the generic Im_Dns() parser. To minimize overhead, ASIM provides a pack parameter that restricts the parser to a specific content pack (vendor/source) so it won’t iterate through all available source parsers under the hood. For Infoblox NIOS, you pass the Infoblox pack via the pack parameter, which limits parsing to the Infoblox implementation and reduces query cost/latency while keeping the query portable across environments.

Putting it together, the recommended pattern is:

Im_Dns(pack="InfobloxNIOS")

| where DnsResponseCodeName == "NXDOMAIN"

| summarize count()

This approach satisfies all requirements:

Uses built-in ASIM (Im_Dns).

Minimizes query overhead (uses pack to limit parsing to Infoblox).

Targets NXDOMAIN responses for counting DNS request failures from Infoblox1.

For a near-real-time (NRT) analytics rule that detects sign-ins by a designated break-glass account, the most direct and performant pattern is to filter SigninLogs by joining to a Microsoft Sentinel watchlist that contains the protected account(s). Sentinel exposes watchlists to KQL through the helper function _GetWatchlist('<watchlist-name>'), which returns a table with standard columns (including SearchKey) plus any custom columns you imported. Using join kind=inner ensures the result set includes only those SigninLogs rows whose UserPrincipalName matches an entry in the watchlist—ideal for alerting on a high-value account without post-filtering.

The completed query is:

SigninLogs | join kind=inner (_GetWatchlist('breakglass_account')) on $left.UserPrincipalName == $right.SearchKey

This approach satisfies the requirement to implement an NRT rule for the break-glass account because:

NRT rules support KQL with joins and watchlists and are optimized for rapid evaluation over fresh data.

Using a watchlist lets SecOps adjust monitored accounts without editing the rule—minimizing administrative effort and aligning with least-privilege operations (no extra permissions beyond watchlist management).

The inner join pattern reduces noise by returning only matched events, which are then turned into alerts/incidents by the NRT rule.

Thus, select join and GetWatchlist, and join UserPrincipalName to the watchlist’s SearchKey.

The Sentinel requirement states:

“Ensure that multiple alerts generated by rulequery1 in response to a single user launching Azure Cloud Shell multiple times are consolidated as a single incident.”

This behavior is controlled by the event grouping setting in the analytics rule configuration.

Microsoft Sentinel documentation explains:

“Event grouping determines how alerts generated from the same rule are grouped into incidents. Selecting ‘Group all alerts triggered by this rule into a single incident’ allows all related alerts to be combined.”

Hence, configuring event grouping ensures that all alerts from rulequery1 related to the same user are consolidated into one incident, satisfying the requirement.

✅ Answer for Question 10: C. event grouping

According to Microsoft Defender for Cloud (formerly Azure Security Center) documentation, when integrating servers and virtual machines for security monitoring, the Defender for Cloud data is stored and analyzed in a Log Analytics workspace. Microsoft best practices recommend using an existing workspace when one is already deployed for centralized log collection—especially if it already gathers telemetry from Azure and on-premises resources.

In this case, the existing workspace LA1 already “contains logs and metrics collected from all Azure resources and on-premises servers.” This satisfies the business requirement of “all servers must send logs to the same Log Analytics workspace.” Creating a new workspace would violate the cost-minimization and centralization requirements. Therefore, LA1 is the correct workspace to use.

For the Windows security events collection setting, Defender for Cloud offers three levels:

Minimal – collects essential security events only (insufficient for comprehensive monitoring).

Common – collects a balanced set of security-related events (such as account logon, privilege use, and object access), recommended by Microsoft for most environments.

All Events – collects every possible security event, which increases data ingestion cost and is typically used only for high-security or regulated environments.

Because Litware Inc. must minimize cost while ensuring a full audit trail of user activities, the Common level provides the optimal balance of visibility and cost efficiency.

Therefore, based on Microsoft Defender for Cloud configuration guidelines:

✅ Log Analytics workspace to use: LA1

✅ Windows security events to collect: Common

 To the AD DS domain controllers, deploy: Microsoft Defender for Identity sensors

 For Sentinel1, configure: The Security Events data source

To enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel using data from on-premises Active Directory Domain Services (AD DS), you must collect detailed identity and authentication events. This requires integration with Microsoft Defender for Identity (MDI) — the native tool designed to monitor domain controller traffic and send identity telemetry to Microsoft Sentinel.

According to Microsoft documentation:

“To collect signals from your on-premises Active Directory domain controllers, install Microsoft Defender for Identity sensors directly on each domain controller or on a dedicated server.”

These sensors capture Windows event logs and network authentication data (Kerberos, NTLM, LDAP) and send the information securely to Defender for Identity cloud service.

The Azure Connected Machine agent and Azure Monitor agent do not provide the specialized identity telemetry required by UEBA. Therefore, the correct deployment is the Microsoft Defender for Identity sensors.

After integrating Defender for Identity, you must connect the right data source in Microsoft Sentinel.

The Security Events data source ingests domain controller event logs (such as sign-ins, account management, and group membership changes) that UEBA relies on for behavioral baselines and anomaly detection.

Microsoft Sentinel UEBA documentation confirms:

“UEBA uses data from identity-related data sources, such as SecurityEvents and Azure Active Directory sign-ins, to build user and entity profiles and detect anomalies.”

The Audit Logs and Signin Logs tables are specific to Azure AD and cloud identity events — not on-premises AD DS domain controllers.

✅ Final Configuration:

Deploy Microsoft Defender for Identity sensors to the domain controllers.

Configure The Security Events data source for Sentinel1.

 Log Analytics workspace to use: LA1

 Windows security events to collect: All Events

To meet the Azure Defender (Microsoft Defender for Cloud) requirement that all servers send logs to the same Log Analytics workspace, you should select the existing workspace LA1. Defender for Cloud best practices recommend centralizing data in a single workspace for unified analytics, incident correlation, and cost control. Using the “Default workspace created by Azure Security Center” or creating a new workspace would fragment telemetry, complicate management, and contradict the stated requirement and the business goal to minimize costs (multiple workspaces can increase ingestion/retention overhead and complicate RBAC and automation).

For Windows hosts, Defender for Cloud’s Data collection setting controls the level of Windows Security Events collected: Minimal, Common, or All Events. The business requirement calls for logs that provide a full audit trail of user activities. In Microsoft guidance, All Events is the level intended for comprehensive auditing (including logon/logoff, account changes, privilege use, process creation, object access, and other advanced categories). Therefore, to satisfy the “full audit trail” requirement and ensure complete visibility for investigations and Sentinel analytics, choose All Events.

In summary: centralize on LA1 (single workspace) and collect All Events to achieve both operational and compliance objectives with Defender for Cloud and Sentinel.

To restrict cloud apps running on CLIENT1 (a Windows 10 endpoint) in compliance with Microsoft Defender for Endpoint (MDE) requirements, you must integrate Microsoft Defender for Endpoint with Microsoft Defender for Cloud Apps (formerly Cloud App Security) using Cloud Discovery. This integration enables the blocking of unsanctioned cloud apps through the endpoint’s network protection capabilities.

According to Microsoft Defender for Cloud Apps documentation, Cloud Discovery uses traffic data from Defender for Endpoint to identify and manage the use of shadow IT. The relevant steps include:

1️⃣ Enable advanced features in Microsoft Defender for Endpoint (M365 Defender portal → Settings → Endpoints → Advanced features).

You must enable the following advanced features:

Microsoft Defender for Cloud Apps integration

Network protection (in block mode)

Custom network indicators (if applicable)These options allow Defender for Endpoint to share telemetry and enforce app restrictions received from Defender for Cloud Apps.

2️⃣ Configure Cloud Discovery settings in Microsoft Defender for Cloud Apps.

In the Defender for Cloud Apps portal, Cloud Discovery must be configured to receive continuous reports from Defender for Endpoint devices. Within these settings, you define sanctioned and unsanctioned applications. Once an app is marked as unsanctioned, Defender for Endpoint enforces blocking on all onboarded devices (like CLIENT1).

This two-part configuration ensures that MDE enforces the blocking of unsanctioned cloud applications discovered through Cloud App Security telemetry, fulfilling the business requirement that “All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by using Microsoft Defender for Endpoint.”

To attach notes that you can later see during investigations and hunting, you use Bookmarks in Microsoft Sentinel. Bookmarks are created from the Hunting (or Logs) experience inside the Sentinel workspace and let you pin a specific query result (including IPs, accounts, hosts) with notes, tags, and mapped entities so it appears in the investigation graph and is easily referenceable. The correct workflow is: first, run your KQL query from the Microsoft Sentinel workspace (not from generic Azure Monitor), because Sentinel’s hunting experience is where bookmarks integrate with incidents and the investigation graph. Next, select a specific query result that represents the suspicious activity (e.g., a data access event from the target IP). Finally, create a Bookmark and map the relevant entity (IP address, Account, etc.) while adding your notes. Mapping the entity ensures the bookmarked event is connected in the investigation graph; the notes provide the narrative/context you need when pivoting later. Adding the query to favorites is optional for convenience but does not attach notes to a specific event, and running the query from Azure Monitor would not place the bookmark within Sentinel’s investigation context.

According to Microsoft’s official Defender for Identity deployment documentation, setting up Microsoft Defender for Identity (MDI) on an on-premises domain controller (DC) such as DC1 requires a specific sequence of steps. MDI monitors and protects Active Directory from advanced threats by using sensors installed directly on domain controllers.

The correct sequence is as follows:

1️⃣ Provide global administrator credentials to the Azure AD tenant.

Microsoft Defender for Identity is created and managed in the Microsoft 365 Defender portal or Microsoft Security portal, which requires global administrator permissions to provision the MDI instance and connect it to the Azure AD tenant.

2️⃣ Create an instance of Microsoft Defender for Identity.

You must create an MDI instance in the portal before deploying any sensors. This instance defines your Defender for Identity workspace and generates the configuration package that sensors will later use to connect to the cloud service.

3️⃣ Provide domain administrator credentials to the on-premises Active Directory domain.

Domain admin credentials are required for the sensor installation because the sensor must access the domain controller’s security logs, event logs, and directory services to monitor authentication traffic and suspicious activities.

4️⃣ Install the sensor on DC1.

Since DC1 is a domain controller connected directly to the internet, the standard sensor (not the standalone sensor) is installed directly on it. The standalone sensor is used only when you do not want to install the sensor directly on a DC. The sensor automatically connects to the created MDI instance and begins collecting telemetry for detection.

This sequence aligns with Microsoft Defender for Identity deployment guidance, ensuring secure onboarding of DC1 while maintaining the principle of least privilege and meeting the business requirement to protect all domain controllers.

✅ Final Order:

Provide global administrator credentials →

Create instance of Microsoft Defender for Identity →

Provide domain administrator credentials →

Install the sensor on DC1.

To integrate Microsoft Defender for Cloud Apps (MCAS) with Microsoft Sentinel, Microsoft’s official SecOps and Sentinel documentation specifies a two-step configuration process.

In the Defender for Cloud Apps portal – You add a security extension to enable integration with external SIEM platforms. This action allows MCAS to forward its alerts, activities, and discovered app telemetry to other Microsoft or third-party security platforms. By adding the security extension, Defender for Cloud Apps is authorized to send data streams and alerts to Microsoft Sentinel through a supported API connection.

In Microsoft Sentinel (Azure portal) – You then add a data connector. Data connectors in Sentinel are predefined integration pipelines that bring in telemetry from Microsoft or external security solutions. The Microsoft Defender for Cloud Apps connector specifically ingests MCAS alerts and audit logs into Sentinel, where they can be correlated with other Microsoft Defender XDR signals, enabling unified detection and investigation across identity, endpoint, and cloud layers.

This integration approach adheres to Microsoft’s principle of minimizing administrative effort by using native connectors rather than custom ingestion or log collector configurations. Once connected, Sentinel automatically normalizes MCAS alerts into its SecurityAlert and CloudAppEvents tables for rule creation, playbook automation, and incident correlation.

Therefore, the verified correct configuration is:

Defender for Cloud Apps: Add a security extension

Sentinel: Add a data connector

To show labeled files from Windows 10 endpoints in the Azure Information Protection – Data discovery dashboard, you must first enable the built-in integration between Microsoft Defender for Endpoint and Azure Information Protection (AIP). This is turned on in the Microsoft Defender Security Center under Settings → Advanced features. When enabled, Defender for Endpoint inventories sensitivity labels seen on files across managed Windows devices and streams that telemetry to the AIP Data discovery experience, providing visibility into where labeled data resides on endpoints. Scanner clusters and content scan jobs in AIP are intended for on-premises repositories (file shares/SharePoint servers), not for endpoint discovery. Device health/compliance reports do not surface or forward label inventory to AIP. Therefore, the first configuration step is enabling the AIP integration advanced feature in Defender for Endpoint so labeled files on Windows clients appear in the AIP Data discovery dashboard.

Azure Sentinel “playbooks” are Azure Logic Apps. Granting the minimal permissions to configure (create/edit) playbooks requires the Logic App Contributor role on the resource group where the playbooks reside. This satisfies the business requirement to use least privilege and specifically enables admin1 to design, modify, and manage Logic Apps that Sentinel automation rules or analytics rules will invoke. Roles like Automation Operator or Automation Runbook Operator apply to Azure Automation, not Logic Apps, and therefore don’t allow creating or editing Sentinel playbooks. Azure Sentinel Contributor allows managing Sentinel resources (incidents, analytics rules, workbooks) but, by itself, does not grant permissions to author Logic Apps. Assigning Logic App Contributor provides precisely what is needed to configure Sentinel playbooks without unnecessary broader permissions.

To remediate active attacks automatically once alerts or incidents are detected, Microsoft Sentinel uses playbooks, which are workflows built on Azure Logic Apps. These playbooks can execute remediation actions—such as isolating a machine, blocking an account, or triggering other security control changes—without manual intervention. Microsoft’s documentation clearly states that “playbooks in Microsoft Sentinel are based on workflows built in Azure Logic Apps” and that they can “automate and orchestrate your threat response by using playbooks … run a playbook on-demand or automatically in response to specific alerts or incidents.”

When an analytics rule in Sentinel triggers an alert or incident, you can attach an automation rule which in turn invokes a playbook (i.e. a Logic Apps workflow) to perform the remediation steps. The automation rule defines the trigger conditions and calls the playbook action as part of its response actions.

Let us evaluate other options:

Azure Automation runbooks (Option A) are powerful for scripting in Azure (e.g., PowerShell or Python) and can perform remediation tasks, but they are not the native mechanism within Sentinel for orchestrated, alert-driven response workflows.

Azure Functions (Option C) are serverless compute for custom code, but you would have to build and integrate orchestration logic manually; they are not the out-of-box SOAR component in Sentinel.

Azure Sentinel livestreams (Option D) is not a recognized remediation automation component—it is irrelevant in this context.

Therefore, the correct solution to remediate active attacks (triggering automated actions in response to alerts/incidents with minimal manual effort) is to use Azure Logic Apps (via Sentinel playbooks) as the orchestration engine. Logic Apps are the documented foundation of Sentinel’s automation response capabilities.

According to Microsoft Security Operations documentation, Microsoft Defender for Endpoint is designed to protect endpoint devices—including Windows, macOS, Android, and iOS—against cyberattacks through advanced behavioral analysis, threat intelligence, and automated investigation and remediation. In the given case study, the sales team exclusively uses iOS devices and has previously experienced attacks while exchanging files using third-party applications. These unmanaged file-sharing methods exposed the team to malware, phishing, and data leakage threats.

By implementing Microsoft Defender for Endpoint on iOS, Contoso can apply unified endpoint protection across all mobile devices. Defender for Endpoint’s mobile threat defense (MTD) capabilities detect malicious apps, risky network connections, jailbroken devices, and phishing attempts. It also integrates with Microsoft Intune for compliance enforcement and conditional access—ensuring only secure, compliant devices can access corporate resources. This directly mitigates the security challenges faced by the sales team while minimizing manual investigation effort through automated response.

Therefore, the issue affecting the sales team (mobile device attacks and unsafe file transfers) can be effectively resolved using Microsoft Defender for Endpoint.

To complete the KQL query against the BehaviorAnalytics table, you need to know the exact column name (for example, the Boolean field that flags a new or first-time country for the sign-in). Microsoft’s standard method to discover table schemas and column names is the Logs (Log Analytics) query window. In this pane, the left-hand Schema browser lists all connected tables and, when expanded, shows every column name and data type. Selecting a table (e.g., BehaviorAnalytics) reveals its fields, and the editor provides IntelliSense/autocomplete for columns as you type your KQL, making it straightforward to complete a clause like | where == true.

Security alerts in Azure Security Center (Defender for Cloud), the Azure Activity log, and Azure Advisor do not expose the per-table column schema needed to build KQL filters. Security Center surfaces alerts and recommendations; the Activity log records control-plane operations; and Advisor provides optimization guidance—none of these replace the Logs experience for exploring data schemas.

Therefore, to accurately identify and verify the column required in the where clause for failed sign-ins from a first-time country, you should use the Log Analytics workspace query window, consult the Schema pane for the BehaviorAnalytics table, and leverage the editor’s autocomplete to insert the correct column name.

As outlined in Microsoft’s official Defender for Office 365 documentation, this service provides comprehensive protection against threats targeting Microsoft 365 collaboration tools—such as SharePoint Online, OneDrive for Business, and Microsoft Teams. The marketing team uses SharePoint Online for vendor collaboration and has experienced incidents in which vendors uploaded malicious files. Microsoft Defender for Office 365 specifically addresses this scenario through features like Safe Attachments and Safe Links, which automatically scan uploaded or shared files for malware and block access to harmful content.

When a vendor uploads a file to SharePoint Online, Defender for Office 365 inspects the file in real time within a virtual sandbox environment before allowing users to open or share it. If malware is detected, the system quarantines or removes the file and notifies administrators. These detection and remediation capabilities prevent infection propagation, protect sensitive marketing data, and maintain compliance with Contoso’s security posture.

By leveraging Defender for Office 365, Contoso’s marketing team can continue external collaboration safely, ensuring that all uploaded files are scanned and validated before internal access—thereby resolving their specific malware-related issue.

 Table: DeviceFileEvents

 Aggregation function: count()

In Microsoft Defender XDR advanced hunting, data tables such as DeviceFileEvents, DeviceProcessEvents, and CloudAppEvents are used to investigate various types of activities. Since this query aims to investigate an issue related to file activity—specifically identifying when files have been accessed, modified, or created repeatedly—the correct data source table is DeviceFileEvents. This table contains information about file-level activities recorded by Defender for Endpoint sensors, including file path, file name, action type, and user account involved.

The KQL structure shown in the image follows standard hunting query syntax:

DeviceFileEvents

| where Timestamp > ago(2d)

| summarize activityCount = count() by FolderPath, FileName, ActionType, AccountDisplayName

| where activityCount > 5

Here’s why:

The where Timestamp > ago(2d) clause filters results from the last 2 days, a typical timeframe for immediate investigations.

The summarize operator groups events by FolderPath, FileName, ActionType, and AccountDisplayName, then uses count() to determine how many times each file was acted upon.

Finally, where activityCount > 5 filters to show only unusually high-frequency activity, which might indicate suspicious or automated file manipulation.

Microsoft Defender XDR documentation highlights that DeviceFileEvents is the correct schema for file activity investigations, while DeviceProcessEvents focuses on process creation and execution, and CloudAppEvents targets cloud application usage.

Thus, the verified and documented correct completions are:

Table: DeviceFileEvents

Aggregation function: count()

In Microsoft Sentinel (built on Azure Monitor Logs), analytics and hunting queries are executed within a Log Analytics workspace. To run Sentinel queries for Fabrikam, the tenant must have at least one workspace (with Sentinel enabled) in its subscription to host rules, incidents, hunting queries, and workbooks. Sentinel’s cross-workspace/tenant capability is provided by cross-resource queries in Kusto Query Language (KQL). The key construct for reaching outside the current workspace is the workspace() function, which lets you reference another Log Analytics workspace by name or resource ID—even across subscriptions or tenants when proper permissions (often via Azure Lighthouse or guest access) are in place.

Typical correlation looks like:

union workspace('Fabrikam-WS').SecurityEvent, workspace('Contoso-WS').SecurityEvent | …

Here, workspace() is the required element to bring together data sets from multiple tenants; operators like extend and project only shape columns and do not establish cross-tenant scope. Therefore, to meet the requirements with minimal overhead: Fabrikam needs one workspace to host its Sentinel content, and you use workspace() in your KQL to correlate Contoso and Fabrikam data.