SC-200 Microsoft Security Operations Analyst Questions and Answers

 To the AD DS domain cont rollers, deploy: Microsoft Defender for Identity sensors

 For Sentinel1, configure: The Security Events data source

To enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel using data from on-premises Active Directory Domain Services (AD DS) , you must collect detailed identity and authentication events. This requires integration with Microsoft Defender for Identity (MDI) — the native tool designed to monitor domain controller traffic and send identity telemetry to Microsoft Sentinel.

Step 1: Deploy Microsoft Defender for Identity sensors According to Microsoft documentation:

“To collect signals from your on-premises Active Directory domain controllers, install Microsoft Defender for Identity sensors directly on each domain controller or on a dedicated server.”

These sensors capture Windows event logs and network authentication data (Kerberos, NTLM, LDAP) and send the information securely to Defender for Identity cloud service.

The Azure Connected Machine agent and Azure Monitor agent do not provide the specialized identity telemetry required by UEBA. Therefore, the correct deployment is the Microsoft Defender for Identity sensors .

Step 2: Configure the Security Events data source in Sentinel After integrating Defender for Identity, you must connect the right data source in Microsoft Sentinel .

The Security Events data source ingests domain controller event logs (such as sign-ins, account management, and group membership changes) that UEBA relies on for behavioral baselines and anomaly detection.

Microsoft Sentinel UEBA documentation confirms:

“UEBA uses data from identity-related data sources, such as SecurityEvents and Azure Active Directory sign-ins, to build user and entity profiles and detect anomalies.”

The Audit Logs and Signin Logs tables are specific to Azure AD and cloud identity events — not on-premises AD DS domain controllers.

✅ Final Configuration:

Deploy Microsoft Defender for Identity sensors to the domain controllers.

Configure The Security Events data source for Sentinel1.

According to Microsoft Defender for Cloud documentation, continuous export allows you to stream security alerts and recommendations to other monitoring or SIEM systems. When exporting alerts in real time, Azure Event Hubs is the supported mechanism. Event Hubs provides a scalable data-streaming platform that can feed events into third-party SIEM tools such as Splunk, IBM QRadar, or ArcSight. Microsoft states: “To enable real-time stream ing of security alerts or recommendations, configure Continuous Export to Azure Event Hubs. From there, your external SIEM or event processing solution can consume the data.”

The other options serve different purposes:

Azure Cosmos DB is a NoSQL database, not used for alert streaming.

Azure Event Grid is for reactive event-driven automation but not intended for continuous log export.

Azure Data Lake is for large-scale storage and analytics, not streaming.

Thus, exporting Defender alerts to Azure Event Hubs is the correct and supported configuration for continuous export to third-party SIEM solutions.

 If you hover over the virtual machine named vm1 , you can view the running processes .

 If you select Info , you can navigate to the bookmarks related to the incident.

To allow a user to deploy and customize Microsoft Sentinel workbook templates while maintaining the principle of least privilege, the correct role assignment is Workbook Contributor .

According to Microsoft Sentinel and Azure Monitor documentation, workbooks are stored as Azure resources under the resource group that hosts the Sentinel workspace. Microsoft specifies that:

“Users who need to create, edit, or deploy workbooks require the Workbook Contributor role on the resource group that contains the workbooks. This role grants permissions to create and modify workbooks without allowing broader Sentinel or resource modifications.”

The Workbook Contributor role includes permissions such as Microsoft.Insights/workbooks/read , write , and delete , enabling full workbook editing capabilities. It does not grant access to analytics rules, incidents, or automation features, ensuring adherence to the least privilege principle.

By contrast:

Microsoft Sentinel Contributor allows broader Sentinel configuration (analytics, playbooks, etc.), exceeding what’s required.

Contributor provides full ac cess to manage all Azure resources, violating least privilege.

Microsoft Sentinel Automation Contributor is intended for managing automation rules and playbooks, not workbooks.

Therefore, to enable User1 to deploy and customize Sentinel workbook templates in RG1 while maintaining minimal necessary permissions, assign Workbook Contributor on RG1 .

Microsoft Purview audit-log search via PowerShell is performed with Exchange Online cmdlets. Microsoft’s guidance states: “Use the Search-UnifiedAuditLog cmdlet to search the audit log for events.” This cmdlet is part of the Exchange Online PowerShell (ExchangeOnlineManagement) module and requires you to connect to the service before running queries. Microsoft further notes that you must install and import the Exchange Online PowerShell V2 module and then connect (for example, Connect-ExchangeOnline ) to run compliance and audit-related cmdlets, including Search-UnifiedAuditLog . In short, on a Windows device the first prerequisite is installing the Exchange Online PowerShell module , after which you authenticate and run your audit searches. Alternatives such as enabling remoting or modifying TrustedHosts are unrelated, and the Microsoft Graph PowerShell module does not provide the Search-UnifiedAuditLog cmdlet that Purview audit searches rely on. Therefore, the correct first step is to install the Microsoft Exchange Online PowerShell module .

In Microsoft Defender for Endpoint (part of Microsoft Defender XDR), device groups are used to organize endpoints for policy, automation, and investigation purposes. Tags provide a dynamic way to categorize devices temporarily or permanently.

To temporarily group high-value machines for investigation or response, the correct approach is to use tags and a new high-rank device group :

Add a tag to the machines (C): Applying a tag allows quick identification and dynamic inclusion in a new group without permanently altering membership.

Create a new device group (D): Creating a device group with a rank of 1 ensures it has the highest precedence and that devices tagged for this group are included i mmediately.

Add a tag to the device group (A): The device group’s membership rule can include the tag value, automating group inclusion.

This approach aligns with Microsoft Defender for Endpoint guidance to “use device tags and group ranks for dynamic grouping and prioritized policy application” — minimizing administrative effort while allowing targeted response actions.

The DeviceTvm SoftwareInventory table in Microsoft Defender XDR advanced hunting contains detailed information about installed applications, software versions, publishers, and installation details across onboarded endpoints. When you need to retrieve a list of installed programs for a specific device (like Device1), this is the correct table to query.

Microsoft documentation describes this table as:

“The DeviceTvmSoftwareInventory table provides a comprehensive inventory of all software discovered on devices, including v ersion and vendor information.”

DeviceTvmInfoGathering contains vulnerability assessment and scan status details, not software lists.

DeviceProcessEvents captures process execution data (runtime events).

Live response processes command lists currently running processes, not all installed software.

✅ Correct Answer: C. DeviceTvmSoftwareInventory

Microsoft Sentinel is built on top of Azure Monitor Log Analytics . All Sentinel data — including security alerts, incidents, and telemetry from connected sources — is stored and queried thr ough a Log Analytics workspace . Sentinel’s hunting feature uses Kusto Query Language (KQL) , which runs directly against the Log Analytics workspace data.

Official Sentinel documentation specifies:

“Microsoft Sentinel uses an Azure Monitor Log Analytics wor kspace as its foundation. All data collected by Sentinel is stored in that workspace, and hunting queries run on this data.”

Other workspace types such as Azure Synapse , Azure Databricks , or Azure Machine Learning are for analytics, data science, and model ing — not security log collection or KQL-based hunting.

✅ Therefore, to run hunting queries in Microsoft Sentinel, you must create a Log Analytics workspace.

| From the Syslog configuration, remove the facilities that send CEF messages. | CEF1 | | From the Log Analytics agent, disable Syslog synchronization. | Server2 |

The goal is to eliminate duplicate events in the Azure Sentinel workspace ( SW1 ). Duplication typically occurs when the same log source is sending data to Azure Sentinel via multiple collection methods .

Analysis of the Environment

SW1 is the Azure Sentinel (now Microsoft Sentinel ) workspace, which is the final destination for all logs.

CEF1 is a Linux server configured as a log forwarder (often called a CEF collector ) for Microsoft Sentinel. It uses the Log Analytics agent (or the newer Azure Monitor Agent) to ingest logs and is specifically configured to forward Common Eve nt Format (CEF) logs to SW1 .

Server1 sends CEF logs to CEF1 . This is the intended, single collection path for Server1 ' s CEF logs: Server1 CEF1 SW1. No duplication is inherent here.

Server2 sends Syslog logs to CEF1 . This path is: Server2 CEF1 SW1.

Since CEF1 is running the Log Analytics agent (required to forward logs to SW1) and is configured to collect Syslog data (to receive Server2 ' s logs), the Log Analytics agent on CEF1 will also attempt to ingest the Syslog messages it receives into SW1.

However, t he Log Analytics agent itself can also be used to collect Syslog/CEF logs directly from the source server.

Addressing Duplication

Duplication is most likely to occur if a server is sending the same logs to a forwarder AND also has the Log Analytics agent configured to send the same logs directly to SW1.

Action 1: From the Syslog configuration, remove the facilities that send CEF messages.

Resource: CEF1

Reasoning: CEF1 is a Linux server running the Log Analytics agent and is acting as the collector. Server1 sends CEF logs to CEF1. These CEF logs are transmitted using Syslog (specifically, a custom Syslog format). If the Log Analytics agent on CEF1 is configured to collect all Syslog facilities, it will ingest the raw CEF Syslog messages it receives from Server1 AND also ingest the parsed CEF messages via its custom forwarding logic. To prevent the Syslog collector on CEF1 from ingesting the raw CEF messages that it is supposed to be forwarding , you must modify its Syslog configuration (e.g., in /etc/rsyslog.conf or equivalent) to ignore the facilities/log files used by the incoming CEF messages from Server1. The primary purpose of CEF1 is to receive and forward CEF, not to have its Log Analytics agent ingest the raw Syslog that transports the CEF payload.

Acti on 2: From the Log Analytics agent, disable Syslog synchronization.

Resource: Server2

Reasoning: Server2 is configured to send Syslog logs to CEF1 (Server2 CEF1 SW1). Since Server2 is a Linux server, it may also have the Log Analytics agent installed for other monitoring purposes. If the Log Analytics agent on Server2 is installed, it is configured by default to collect Syslog logs directly and send them to SW1 (Server2 SW1). This creates a duplicate path for the Syslog data:

Path A (Intended): Server2 Syslog CEF1 SW1

Path B (Duplication): Server2 Log Analytics Agent Syslog SW1

According to Microsoft Sentinel documentation on log ingestion, when using a dedicated forwarder (like CEF1) for Syslog/CEF, you must disable the Syslog collection on the Log Analytics agent of the source machine (Server2) to prevent this duplication. This is typically done by disabling Syslog synchronization in the Log Analytics agent configuration or removing the Syslog entry from the agent ' s data sources.

To complete the KQL query against the BehaviorAnalytics t able, you need to know the exact column name (for example, the Boolean field that flags a new or first-time country for the sign-in). Microsoft’s standard method to discover table schemas and column names is the Logs (Log Analytics) query window . In this p ane, the left-hand Schema browser lists all connected tables and, when expanded, shows every column name and data type . Selecting a table (e.g., BehaviorAnalytics ) reveals its fields, and the editor provides IntelliSense/autocomplete for columns as you typ e your KQL, making it straightforward to complete a clause like | where < ColumnName > == true .

Security alerts in Azure Security Center (Defender for Cloud), the Azure Activity log, and Azure Advisor do not expose the per-table column schema needed to build KQL filters. Security Center surfaces alerts and recommendations; the Activity log records control-plane operations; and Advisor provides optimization guidance—none of these replace the Logs experience for exploring data schemas.

Therefore, to accurately identify and verify the column required in the where clause for failed sign-ins from a first-time country, you should use the Log Analytics workspace query window , consult the Schema pane for the BehaviorAnalytics table, and leverage the editor’s autocompl ete to insert the correct column name.

For hunting in Microsoft 365 Defender , email at tachment metadata is in EmailAttachmentInfo (fields include Timestamp , FileName , SHA256 , NetworkMessageId , etc.). To return every email that contains a specific attachment and optimize performance , apply time filters as early as possible and avoid unnecess ary joins. Early filtering reduces the dataset to scan and speeds execution.

A performant query that meets “only last hour” and the attachment name requirement is:

EmailAttachmentInfo

| where Timestamp > ago(1h) // filter early for perf ormance

| where Subject == " Document Attachment " and FileName == " Document.pdf "

| where Timestamp > ago(1h) // (idempotent second constraint; harmless)

Using joins (e.g., to DeviceFileEvents on SHA256 ) is not required to answer the question and would add overhead. The key is to filter on Timestamp and FileName within EmailAttachmentInfo , ensuring only emails from the last hour with Document.pdf are returned while keeping the query efficient.

According to Microsoft Defender for Endpoint documentation, Indicators of Com promise (IoCs) can be created based on file hashes, IPs, URLs/domains, or certificates . When the bulletin references a potential attack that uses an image file , it implies that the malicious component is a specific file type (e.g., .jpg , .png , .ico ) being weaponized.

The appropriate IoC for file-based threats is a File hash indicator . You create this indicator by specifying the hash (SHA-1, SHA-256, or MD5) of the suspicious file and setting its Action to “Alert and block” , which ensures that Defender for E ndpoint both raises an alert and prevents execution of the file on protected endpoints.

From Microsoft documentation:

“You can create indicators for file hashes, IP addresses, URLs/domains, and certificates. When creating file hash indicators, set the acti on to Alert and block to prevent execution of known malicious files on endpoints.”

Other options explained:

A & B (URL/domain) – These are used for blocking malicious websites or command-and-control domains, not image files.

D (Certificate) – Used for dete cting or blocking applications signed with malicious certificates, not for specific file-based threats.

✅ Correct Answer: C. a file hash indicator that has Action set to Alert and block

Defender for Cloud depends on the Log Analytics agent.

Use the Log Analytics agent if you need to:

* Collect logs and performance data from Azure virtual machines or hybrid machines hosted outside of Azure

* Etc.

Live Response in Microsoft Defender for Endpoint is a powerful investigative and remediation capability that lets responders interactively run commands on an endpoint, collect files, and perform remediation steps (collect investigation packages, pull files, run scripts, or take forensic artifacts). However, Live Response is an on-demand tool invoked during or after an investigation; it does not by itself provide continuous detection coverage or automatic blocking of artifac ts that a third-party AV missed. The requirement is to ensure devices are protected from malicious artifacts that were undetected by the third-party antivirus . To meet that objective you need capabilities that detect and block artifacts automatically (for example, EDR in block mode which actively blocks/remediates post-breach artifacts even when Defender AV is passive). Live Response helps respond to an identified artifact but does not create the detection and automatic blocking coverage that prevents or re mediate undetected malicious artifacts at scale. Therefore enabling Live Response alone does not meet the stated protection goal.

SecurityEvent

| where EventID == 4624

| summarize arg_max(TimeGenerated, *) by Account

Comprehensive and Detailed Explanation with all Microsoft Security Operations (SecOps) documents: =

This query is designed for Microsoft Sentinel (Log Analytics) to identify the latest successful logon (Event ID 4624) for each account. Event ID 4624 in the SecurityEvent table indicates a successful logon in Windows security logs.

Let’s break down the logic step-by-step:

| where EventID == 4624

This line filters the SecurityEvent table to include only records that correspond to successful logon events.

Filtering first ensures that only relevant events are processed by the summarization step, improving performance and accuracy.

| summarize arg_max(TimeGenerated, *) by Account

The arg_max() aggregation function retrieves the record that has the maximum value of TimeGenerated for each Account.

The * symbol ensures that all columns from that most recent record are returned (not just TimeGenerated and Account).

In this context, this means we get the most recent 4624 logon event per user account.

Why this order matters:

If arg_max() is placed before the where clause, the summarization would occur over all events first, not just 4624, producing incorrect results.

Therefore, the correct logical order is to filter first (where EventID == 4624), and then summarize (arg_max(TimeGenerated, *) by Account).

Alternative incorrect options explained:

summarize make_list(Account) or make_set(Account) by EventID → These aggregate account names for each EventID, not the most recent event per account.

Placing where EventID == 4624 after summarize → Filters after aggregation, which won’t return correct results per account.

In Microsoft Sentinel (built on Azure Monitor Logs), analytics and hunting queries are executed within a Log Analytics workspace . To run Sentinel queries for Fabrikam, the tenant must have at least one workspace (with Sentinel enabled) in its subscription to host rules, incidents, hunting queries, and workbooks. Sentinel’ s cross-workspace/tenant capability is provided by cross-resource queries in Kusto Query Language (KQL). The key construct for reaching outside the current workspace is the workspace() function, which lets you reference another Log Analytics workspace by name or resource ID—even across subscriptions or tenants when proper permissions (often via Azure Lighthouse or guest access) are in place.

Typical correlation looks like:

union workspace( ' Fabrikam-WS ' ).SecurityEvent, workspace( ' Contoso-WS ' ).SecurityEvent | …

Here, workspace() is the required element to bring together data sets from multiple tenants; operators like extend and project only shape columns and do not establish cross-tenant scope. Therefore, to meet the requirements with minimal overhead: Fabrik am needs one workspace to host its Sentinel content, and you use workspace() in your KQL to correlate Contoso and Fabrikam data.

The test analytics rule must generate alerts for inbound Office 365 access by several test users and group those alerts into separate incidents—one per user . In Azure Sentinel, incident grouping by entity depends on the rule’s Entity mapping . When you create a scheduled analytics rule, under Set rule logic you map columns from your query to entities like Account , IP , or Host . Once mapped, you can configure Event grouping so alerts with the same entity value (e.g., the same Account ) are automatically grouped into a single incident. Turning suppression on/off or changing severity/tactics doesn’t influence entity-based incident grouping. Therefore, to ensure “one incident per test user account,” you must map the Acco unt entity (and any other relevant entities) in Set rule logic , then enable grouping by that entity—fulfilling the Sentinel requirement.QUESTION NO: 3 HOTSPOT

You need to create the analytics rule to meet the Azure Sentinel requirements.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer: < map > < m x1= " 300 " x2= " 402 " y1= " 181 " y2= " 204 " ss= " 0 " a= " 0 " / > < m x1= " 294 " x2= " 386 " y1= " 295 " y2= " 321 " ss= " 0 " a= " 0 " / > < /map >

Acc ording to Microsoft Security Operations (SecOps) and Azure Sentinel documentation, when you need to create an analytics rule that executes a custom KQL query and automatically initiates a playbook , the correct configuration is to create a Scheduled rule an d ensure the playbook includes a trigger .

Here’s why:

A Scheduled analytics rule in Microsoft Sentinel (Microsoft Defender XDR portal) is designed for running custom KQL queries at defined intervals (for example, every hour or every few minutes) to detect specific patterns of suspicious activity. When the rule’s conditions are met, Sentinel generates alerts that can automatically trigger a playbook for response and automation.

A playbook in Sentinel is an Azure Logic App that automates responses to incident s or alerts. To connect a playbook to an analytics rule, it must include a trigger —specifically, the “Microsoft Sentinel Alert” or “Incident trigger.” This allows the rule to start the playbook automatically when the defined condition is met.

The other opt ions are incorrect because:

Fusion rules are built-in and use Microsoft’s machine learning to correlate signals automatically; they can’t be used for custom queries.

Microsoft incident creation rules are also built-in and handle alert-to-incident grouping logic, not custom query execution.

A service principal would be needed for permissions (e.g., admin1 configuring playbooks), but not inside the playbook itself.

Diagnostics settings apply to log collection and retention, not rule automation.

Therefore, bas ed on Microsoft Sentinel best practices and documentation:

✅ Create the rule of type: Scheduled

✅ Configure the playbook to include: A trigger

According to Microsoft Security Operations documentation, Microsoft Defender for Endpoint is designed to protect endpoint devices—including Windows, macOS, Android, and iOS —against cyberattacks through advanced behavioral analysis, threat intelligence, and automated investigation and remediation. In the given case study, the sales team exclusively uses iOS devices and has previously experienced attacks while exchanging files using third-party applications. These unmanaged file-sharing methods exposed the te am to malware, phishing, and data leakage threats.

By implementing Microsoft Defender for Endpoint on iOS, Contoso can apply unified endpoint protection across all mobile devices. Defender for Endpoint’s mobile threat defense (MTD) capabilities detect mali cious apps, risky network connections, jailbroken devices, and phishing attempts. It also integrates with Microsoft Intune for compliance enforcement and conditional access—ensuring only secure, compliant devices can access corporate resources. This direct ly mitigates the security challenges faced by the sales team while minimizing manual investigation effort through automated response.

Therefore, the issue affecting the sales team (mobile device attacks and unsafe file transfers) can be effectively resolve d using Microsoft Defender for Endpoint .

According to Microsoft Defender for Cloud (formerly Azure Security Center) documentation, when integrating servers and virtual machines for security monitoring, the Defender for Cloud data is stored and analyzed in a Log Analytics workspace . Microsoft best practices recommend using an existing workspace when one is already deployed for centralized log collection—especially if it already gathers telemetry from Azure and on-premises resources.

In this case, the existing workspace LA1 already “contains logs and metrics collected from all Azure resources and on-premises servers.” This satisfies the business requirement of “all servers must send logs to the same Log Analytics workspace.” Creating a new workspace would violate the cost-min imization and centralization requirements. Therefore, LA1 is the correct workspace to use.

For the Windows security events collection setting, Defender for Cloud offers three levels:

Minimal – collects essential security events only (insufficient for compr ehensive monitoring).

Common – collects a balanced set of security-related events (such as account logon, privilege use, and object access), recommended by Microsoft for most environments.

All Events – collects every possible security event, which increase s data ingestion cost and is typically used only for high-security or regulated environments.

Because Litware Inc. must minimize cost while ensuring a full audit trail of user activities , the Common level provides the optimal balance of visibility and cost efficiency.

Therefore, based on Microsoft Defender for Cloud configuration guidelines:

✅ Log Analytics workspace to use: LA1

✅ Windows security events to collect: Common

To integrate Microsoft Defender for Cloud Apps (MCAS) with Microsoft Sentinel , Microsoft’s official SecOps and Sentinel documentation specifies a two-step configuration process.

In the Defender for Cloud Apps portal – You add a security extension to enable integration with external SIEM platforms. This action allows MCAS to forward its alerts, activities, and discovered app telemetry to other Microsoft or third-party security platforms. By adding the security extension , Defende r for Cloud Apps is authorized to send data streams and alerts to Microsoft Sentinel through a supported API connection.

In Microsoft Sentinel (Azure portal) – You then add a data connector . Data connectors in Sentinel are predefined integration pipelines that bring in telemetry from Microsoft or external security solutions. The Microsoft Defender for Cloud Apps connector specifically ingests MCAS alerts and audit logs into Sentinel, where they can be correlated with other Microsoft Defender XDR signals, en abling unified detection and investigation across identity, endpoint, and cloud layers.

This integration approach adheres to Microsoft’s principle of minimizing administrative effort by using native connectors rather than custom ingestion or log collector configurations. Once connected, Sentinel automatically normalizes MCAS alerts into its SecurityAlert and CloudAppEvents tables for rule creation, playbook automation, and incident correlation.

Therefore, the verified correct configuration is:

Defender for Cloud Apps: Add a security extension

Sentinel: Add a data connector

The requirement states that Cloud App Security (Defender for Cloud Apps) must determine whether a user’s connection is anomalous based on tenant-level patterns , and the current false positives occur when users connect through two office egress points at the same time. These symptoms align with the Impossible travel anomaly detection policy, which learns normal sign-in geolocation patterns and flags sign-ins from distant locations within an unrealistically short time window. To meet the requirement and reduce false positives, you modif y the Impossible travel policy settings—such as excluding trusted corporate IP ranges/VPN egress points and tuning sensitivity—so detections better reflect tenant-wide behavior rather than isolated user hops via different office exits. Policies like Activi ty from anonymous/suspicious IP addresses rely on threat-intel lists of anonymizers or known-bad sources and don’t address the “two-office” scenario. Risky sign-in is part of Azure AD Identity Protection, not the MCAS anomaly policy to tune here. Thus, the policy to modify is Impossible travel .

To attach notes that you can later see during investigations and hunting, you use Bookmarks in Microsoft Sentinel. Bookmarks are created from the Hunting (or Logs) experience inside the Sentinel workspace and let you pin a specific query result (including IPs, accounts, hosts) with notes, tags, and mappe d entities so it appears in the investigation graph and is easily referenceable. The correct workflow is: first, run your KQL query from the Microsoft Sentinel workspace (not from generic Azure Monitor), because Sentinel’s hunting experience is where bookmarks integrate with incidents and the investigation graph. Next, select a specific query result that represents the suspicious activity (e.g., a data access event from the target IP). Finally, create a Bookmark and map the relevant entity (IP address, Account, etc.) while adding your notes . Mapping the entity ensures the bookmarked event is connected in the investigation graph; the notes provide the narrative/context you need when pivoting later. Adding the query to favorites is optional for convenience but does not attach notes to a specific event, and running the query from Azure Monitor would not place the bookmark within Sentinel’s investigation context.

To integrate Microsoft Defender for Cloud Apps (MCAS) with Microsoft Sentinel , Microsoft’s official SecOps and Sentinel documentation specifies a two-step configuration process.

In the Defender for Cloud Apps portal – You add a security extension to enable integration with external SIEM platforms. This action allows MCAS to forward its alerts, activities, and discovered app telemetry to other Microsoft or third-party security platforms. By adding the secu rity extension , Defender for Cloud Apps is authorized to send data streams and alerts to Microsoft Sentinel through a supported API connection.

In Microsoft Sentinel (Azure portal) – You then add a data connector . Data connectors in Sentinel are predefined integration pipelines that bring in telemetry from Microsoft or external security solutions. The Microsoft Defender for Cloud Apps connector specifically ingests MCAS alerts and audit logs into Sentinel, where they can be correlated with other Microsoft D efender XDR signals, enabling unified detection and investigation across identity, endpoint, and cloud layers.

This integration approach adheres to Microsoft’s principle of minimizing administrative effort by using native connectors rather than custom inge stion or log collector configurations. Once connected, Sentinel automatically normalizes MCAS alerts into its SecurityAlert and CloudAppEvents tables for rule creation, playbook automation, and incident correlation.

Therefore, the verified correct configur ation is:

Defender for Cloud Apps: Add a security extension

Sentinel: Add a data connector

Azure Sentinel “playbooks” are Azure Logic Apps . Granting the minimal permissions to configure (create/edit) playbooks requires the Logic App Contributor role on the resource group where the playbooks reside. This satisfies the business requirement to use least privilege and specifically enables admin1 to design, modify, and manage Logic Apps that Sentinel automation rules or analytics rules will invoke. Roles like Automation Operator or Automation Runbook Operator apply to Azure Automation , not Logic Apps, and therefore don’t allow creating or editing Sentinel playbooks. Azure Sentinel Contributor allows managing Sentinel resources (incidents, analytics rules, workbooks) but, by itself, does not grant permissions to author Logic Apps. Assigning Logic App Contributor provides precisely what is needed to configure Sentinel playbooks without unnecessary broader permissions.

To show labeled files from Windows 10 endpoints in the Azure Information Protection – Data discovery dashboard , you must first enable the built-in integration between Microsoft Defender for Endpoint and Azure Information Protection (AIP) . This is turned on in the Microsoft Defender Securit y Center under Settings → Advanced features . When enabled, Defender for Endpoint inventories sensitivity labels seen on files across managed Windows devices and streams that telemetry to the AIP Data discovery experience, providing visibility into where la beled data resides on endpoints. Scanner clusters and content scan jobs in AIP are intended for on-premises repositories (file shares/SharePoint servers), not for endpoint discovery. Device health/compliance reports do not surface or forward label inventor y to AIP. Therefore, the first configuration step is enabling the AIP integration advanced feature in Defender for Endpoint so labeled files on Windows clients appear in the AIP Data discovery dashboard.

To restrict cloud apps running on CLIENT1 (a Window s 10 endpoint) in compliance with Microsoft Defender for Endpoint (MDE) requirements, you must integrate Microsoft Defender for Endpoint with Microsoft Defender for Cloud Apps (formerly Cloud App Security) using Cloud Discovery . This integration enables th e blocking of unsanctioned cloud apps through the endpoint’s network protection capabilities.

According to Microsoft Defender for Cloud Apps documentation , Cloud Discovery uses traffic data from Defender for Endpoint to identify and manage the use of shado w IT. The relevant steps include:

1️ ⃣ Enable advanced features in Microsoft Defender for Endpoint (M365 Defender portal → Settings → Endpoints → Advanced features).

You must enable the following advanced features:

Microsoft Defender for Cloud Apps integrat ion

Network protection (in block mode)

Custom network indicators (if applicable) These options allow Defender for Endpoint to share telemetry and enforce app restrictions received from Defender for Cloud Apps.

2️ ⃣ Configure Cloud Discovery settings in Micr osoft Defender for Cloud Apps.

In the Defender for Cloud Apps portal, Cloud Discovery must be configured to receive continuous reports from Defender for Endpoint devices. Within these settings, you define sanctioned and unsanctioned applications. Once an a pp is marked as unsanctioned , Defender for Endpoint enforces blocking on all onboarded devices (like CLIENT1).

This two-part configuration ensures that MDE enforces the blocking of unsanctioned cloud applications discovered through Cloud App Security telem etry, fulfilling the business requirement that “All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by using Microsoft Defender for Endpoint.”

The problem described in the case study states that “Cloud App Security frequently generates false positive alerts when users connect to both offices simultaneously.” This behavior is commonly associated with the “Impossible travel” anomaly detection policy in Microsoft Defender for Cloud Apps .

According to Microsoft documentation, the “Impossible travel” policy detects when a user signs in from two locations that are geographically dis tant within an unrealistic timeframe. However, in multi-office environments (such as Boston and Seattle) or when VPN connections are used, this policy can frequently trigger false positives , since it may misinterpret legitimate connections as anomalous.

Mi crosoft recommends adjusting the impossible travel detection policy to account for trusted IP ranges, known locations, or VPN endpoints to reduce false alerts. Specifically, administrators can modify the policy’s sensitivity, include the organization’s off ice IP addresses as trusted, and exclude known network ranges.

This approach directly aligns with the case study’s scenario and satisfies the Defender for Cloud Apps requirement to reduce false positives while maintaining user anomaly detection accuracy.

✅ Final Answer for Question 3: D. Impossible travel

 Log Analytics workspace to use: LA1

 Windo ws security events to collect: All Events

To meet the Azure Defender (Microsoft Defender for Cloud) requirement that all servers send logs to the same Log Analytics workspace , you should select the existing workspace LA1 . Defender for Cloud best practic es recommend centralizing data in a single workspace for unified analytics, incident correlation, and cost control. Using the “Default workspace created by Azure Security Center” or creating a new workspace would fragment telemetry, complicate management, and contradict the stated requirement and the business goal to minimize costs (multiple workspaces can increase ingestion/retention overhead and complicate RBAC and automation).

For Windows hosts, Defender for Cloud’s Data collection setting controls the l evel of Windows Security Events collected: Minimal , Common , or All Events . The business requirement calls for logs that provide a full audit trail of user activities . In Microsoft guidance, All Events is the level intended for comprehensive auditing (inclu ding logon/logoff, account changes, privilege use, process creation, object access, and other advanced categories). Therefore, to satisfy the “full audit trail” requirement and ensure complete visibility for investigations and Sentinel analytics, choose Al l Events .

In summary: centralize on LA1 (single workspace) and collect All Events to achieve both operational and compliance objectives with Defender for Cloud and Sentinel.

In Microsoft Sentinel, entity ma pping is a critical configuration that ensures detected events and alerts are correctly represented in the investigation graph , incidents , and hunting experiences . The Sentinel requirements in the case study specify:

“Add notes to events that represent dat a access from a specific IP address to provide the ability to reference the IP address when navigating through an investigation graph while hunting.”

To meet this requirement, the analytic rule must be configured to map entities such as IP address, user, h ostname, or URL in the Set rule logic section. This mapping allows the incident and its related alerts to visually associate with those entities, enabling analysts to pivot and investigate in the Sentinel investigation graph.

According to Microsoft Sentine l documentation:

“Entity mapping in analytic rules helps correlate alerts and incidents to specific entities such as accounts, IPs, or hosts, enabling richer investigation experiences and faster triage.”

Therefore, configuring entity mapping directly under Set rule logic ensures that incidents are enriched with contextual information (for example, the specific IP address), meeting both the functional and investigative requirements.

✅ Final Answer for Question 2: C. From Set rule logic, map the entities.

To block unsanctioned cloud apps on Windows 10 endpoints with Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps (formerly Cl oud App Security), you must enable and configure the product integration on both sides. First, in Microsoft Defender Security Center → Settings → Advanced features , turn on the Microsoft Defender for Cloud Apps integration (and ensure network protection pr erequisites are met). This allows Defender for Endpoint to receive the unsanctioned app list and enforce endpoint-based blocking when users on CLIENT1 attempt to access those apps via the browser or client.

Second, in Defender for Cloud Apps → Settings → C loud Discovery , configure the Microsoft Defender for Endpoint integration and enable Block unsanctioned apps . In Cloud Discovery, apps are discovered, assessed, and can be tagged as Unsanctioned . Once the MDE integration is enabled, that tag is exported to endpoints, which then enforce blocking based on the tenant’s app catalog and policies.

Options A (Onboarding settings) are for enrolling devices and do not control app blocking behavior. B (Anomaly detection policies) govern behavioral detections (e.g., i mpossible travel, anonymous IP) and are unrelated to endpoint enforcement of app access. Therefore, the two configurations you must modify to meet the requirement “block unsanctioned apps on Windows 10 computers by using Microsoft Defender for Endpoint” ar e C. Advanced features in Microsoft Defender Security Center and D. Cloud Discovery settings in Cloud App Security .

The case s tudy requires:

“Ensure that the Group1 members can create and edit playbooks.”

In Microsoft Sentinel, the ability to create, edit, and assign playbooks is granted by the Microsoft Sentinel Automation Contributor role.

This role allows users to:

Create and manage automation rules,

Create and edit playbooks (Logic Apps) in the connected subscription,

Associate playbooks with Sentinel incidents or alerts.

By contrast:

Logic App Contributor allows Logic App creation but doesn’t include Sentinel-level integration permissions.

Automation Operator can run playbooks but not edit or create them.

Sentinel Playbook Operator can execute playbooks but cannot modify or assign them.

✅ Answer for Question 11: A. Microsoft Sentinel Automation Contributor

According to Micros oft’s official Defender for Identity deployment documentation, setting up Microsoft Defender for Identity (MDI) on an on-premises domain controller (DC) such as DC1 requires a specific sequence of steps. MDI monitors and protects Active Directory from adva nced threats by using sensors installed directly on domain controllers.

The correct sequence is as follows:

1️ ⃣ Provide global administrator credentials to the Azure AD tenant.

Microsoft Defender for Identity is created and managed in the Microsoft 365 Def ender portal or Microsoft Security portal, which requires global administrator permissions to provision the MDI instance and connect it to the Azure AD tenant.

2️ ⃣ Create an instance of Microsoft Defender for Identity.

You must create an MDI instance in th e portal before deploying any sensors. This instance defines your Defender for Identity workspace and generates the configuration package that sensors will later use to connect to the cloud service.

3️ ⃣ Provide domain administrator credentials to the on-pr emises Active Directory domain.

Domain admin credentials are required for the sensor installation because the sensor must access the domain controller’s security logs, event logs, and directory services to monitor authentication traffic and suspicious acti vities.

4️ ⃣ Install the sensor on DC1.

Since DC1 is a domain controller connected directly to the internet, the standard sensor (not the standalone sensor) is installed directly on it. The standalone sensor is used only when you do not want to install the sensor directly on a DC. The sensor automatically connects to the created MDI instance and begins collecting telemetry for detection.

This sequence aligns with Microsoft Defender for Identity deployment guidance, ensuring secure onboarding of DC1 while mai ntaining the principle of least privilege and meeting the business requirement to protect all domain controllers.

✅ Final Order:

Provide global administrator credentials →

Create instance of Microsoft Defender for Identity →

Provide domain administrator credentials →

Install the sensor on DC1.

Microsoft Sentinel playboo ks can be triggered by different types of events— alerts , incidents , or entities . Since the requirement specifies “incidents generated by rulequery1” and asks for automatic processing of those incidents, the correct approach is to use a playbook with an inc ident trigger .

According to Microsoft Sentinel automation documentation:

“When you want automation to start after an incident is created or updated, use the incident trigger . This allows you to automate workflows such as closing incidents, adding comments, or sending notifications.”

This trigger type works with automation rules that specify when and how to execute playbooks based on incident state or severity. Using a playbook with an incident trigger meets the need for post-incident automation (e.g., auto- closing incidents if they match certain conditions).

✅ Answer for Question 8: A. a playbook with an incident trigger

The Sentinel requirement states:

“Ensure that multiple alerts generated by rulequery1 in response to a single user launching Azure Cloud Shell multiple times are consolidated as a single incident.”

This behavior is controlled by the event grouping setting in the analytics rule configurati on.

Microsoft Sentinel documentation explains:

“Event grouping determines how alerts generated from the same rule are grouped into incidents. Selecting ‘Group all alerts triggered by this rule into a single incident’ allows all related alerts to be combine d.”

Hence, configuring event grouping ensures that all alerts from rulequery1 related to the same user are consolidated into one incident, satisfying the requirement.

✅ Answer for Question 10: C. event grouping

For a near-real-time (NRT) analytics rule that detects sign-ins by a designated break-glass account, the most direct and performant pattern is to filter SigninLogs by joining to a Microsoft Sentinel watchlist that contains the protected account(s). Sentinel exposes watchlists to KQL through the helper function _GetWatc hlist( ' < watchlist-name > ' ) , which returns a table with standard columns (including SearchKey ) plus any custom columns you imported. Using join kind=inner ensures the result set includes only those SigninLogs rows whose UserPrincipalName matches an entry in the watchlist—ideal for alerting on a high-value account without post-filtering.

The completed query is:

SigninLogs | join kind=inner (_GetWatchlist( ' breakglass_account ' )) on $left.UserPrincipalName == $right.SearchKey

This approach satisfies the requireme nt to implement an NRT rule for the break-glass account because:

NRT rules support KQL with joins and watchlists and are optimized for rapid evaluation over fresh data.

Using a watchlist lets SecOps adjust monitored accounts without editing the rule—minimi zing administrative effort and aligning with least-privilege operations (no extra permissions beyond watchlist management).

The inner join pattern reduces noise by returning only matched events, which are then turned into alerts/incidents by the NRT rule.

Thus, select join and GetWatchlist , and join UserPrincipalName to the watchlist’s SearchKey .

In Microsoft Sentinel’s Advanced Security Information Model (ASI M) , DNS queries are normalized through the Im_Dns parser, which unifies DNS telemetry from multiple sources (Infoblox, Windows DNS, Azure Firewall DNS proxy, etc.). Microsoft guidance states that when you need broad compatibility and want to “use built-in ASIM parsers whenever possible,” you should call the generic Im_Dns() parser . To minimize overhead , ASIM provides a pack parameter that restricts the parser to a specific content pack (vendor/source) so it won’t iterate through all available source parsers under the hood. For Infoblox NIOS, you pass the Infoblox pack via the pack parameter, which limits parsing to the Infoblox implementation and reduces query cost/latency while keeping the query portable across environments.

Putting it together, the recomme nded pattern is:

Im_Dns(pack= " InfobloxNIOS " )

| where DnsResponseCodeName == " NXDOMAIN "

| summarize count()

This approach satisfies all requirements:

Uses built-in ASIM (Im_Dns).

Minimizes query overhead (uses pack to limit parsing to Infoblox).

Targets NXD OMAIN responses for counting DNS request failures from Infoblox1 .

In Microsoft Sentinel, Hunting queries are used to proactively search for threats and anomalies across collected security data. The requirement states that HuntingQuery1 must run auto matically when the Hunting page of Microsoft Sentinel is accessed. According to Microsoft’s official Sentinel documentation, this behavior is achieved by adding the hunting query to “Favorites.”

When a query is marked as a favorite in the Sentinel Hunting blade, Sentinel automatically runs it every time the Hunting page is opened. This provides updated results without the need for manual execution, ensuring analysts always see the most current data for that query. This configuration also adheres to the orga nization’s requirement to minimize administrative effort , since it eliminates the need for scheduling, automation, or manual refresh actions.

Other options do not meet this functional requirement:

A. Add to a livestream is used to monitor near-real-time da ta streams, not to auto-run queries upon accessing the Hunting page.

B. Create a watchlist is used for referencing static external data sets (like IPs, users, or devices) inside KQL queries, not for automating hunting query execution.

C. Create an automati on rule applies to incident management workflows, not hunting query execution.

Therefore, as per Microsoft Sentinel’s hunting documentation and best practices, the correct and verified answer is:

D. Add HuntingQuery1 to favorites .

The Defender for Cloud requirement states:

“The members of Group1 must be able to enable Defender for Cloud plans and apply regulatory compliance initiatives.”

According t o Microsoft Defender for Cloud’s RBAC documentation, the Security Assessment Contributor role provides permissions to:

Enable and configure Defender plans,

Manage security policies and initiatives,

View and edit recommendations and compliance results.

This role gives enough permissions to perform Defender configuration tasks but follows the principle of least privilege , unlike broader roles like Owner or Contributor, which grant excessive rights.

✅ Answer for Question 9: C. Security Assessment Contributor

To monitor Windows Security events from Server1 using the Windows Security Events via AMA connector, the first object you must create is a Data Collection Rule (DCR) . With the Azure Monitor Agent (AMA) model used by Microsoft Sentinel, data flow is controlled by DCRs, not by the legacy MMA/OMS workspace settings. A DCR defines what to collect (e.g., the Security event log, specific event IDs or XPath queries), from where (the target machines or machine groups), and where to send it (the Sentinel/Log Analytics workspace). After creating the DCR, you associate it with Server1 (Arc-enabled), and the connector will begin streaming Security events to your Sentinel workspace. Creating a Sentinel sch eduled rule or an automation rule does not enable collection; those features act after data is already ingested. Event Grid topics are unrelated to Windows event collection. Therefore, the correct first step for meeting the Sentinel requirement to monitor Server1’s Security log via AMA is to create a DCR , then assign it to Server1 and the Sentinel workspace.

To have a Microsoft Sentinel workbook pull live data from an external web service, you use the workbook’s built-in JSON data source. Workbooks can query REST endpoints that return JSON and render results dynamically in visuals. Because the Azure portal (where the workbook runs) is a different origin than your on-prem/public Webapp1 , browsers will block these cross-origin requests unless the endpoint explicitly allows them. Therefore, the external service must enable CORS to permit the portal’s origin to fetch the JSON. This aligns with Microsoft guidance that Workbooks can query HTTP/HTTPS JSON endpoints and that external endpoints must allow cross-origin requests for client-side calls from the Azure portal. Enforcing CORS on Webapp1 satisfies the security model while enabling the workbook to retrieve data at view time—meeting the requirement to “dynamically retrieve data from Webapp1.” Options like “custom endpoint” or “custom resource provider” aren’t needed here, and enabling SOP or only enforcing TLS 1.2 wouldn’t address the browser’s cross-origin policy blocking the call.

The requirement is to enable Microsoft Defender for Servers Plan 2 on all Azure VMs while excluding Server2 from agentless scanning . Defender for Cloud provides a built-in mechanism to exclude specific machines from agentless scanning based on resource tags . The process is: assign a distinct tag name:value to the VM you want to exclude (Server2), and then, in Defender for Cloud’s Agentless scanning for machines settings, specify that tag pair under exclusions . Defender’s continuous discovery honors these exclusions and skips any VM that matches the configured tag. This approach aligns with the business requirement of least privilege and minimal administrative effort : it avoids broad configuration changes, requires no extensions on the VM, and is reversible by simply removing or changing the tag. The Microsoft Antimalware extension and Automanage configuration are unrelated to agentless scanning behavior, and a resource lock would only prevent modifications/deletions, not scanning. Therefore, to meet the Defender for Cloud requirement precisely, configure an Azure resource tag on Server2 and reference that tag in the agentless scanning exclusion settings.

To monitor and detect higher-than-normal volumes of password resets, you need to gather password reset event data both from Azure Active Directory (cloud identities) and from on-premises Active Directory (domain accounts) . Microsoft’s official Defender XDR and Sentinel integrat ion guidance describes that:

Azure AD Password Protection enforces and monitors password policies in both cloud and hybrid environments. It can detect weak, commonly used, or compromised passwords and logs related password change/reset activities. Deployin g Azure AD Password Protection extends password reset visibility to on-premises domain controllers through the Password Protection proxy and DC agent. This makes it the correct choice for implementing monitoring at the identity environment level.

In Microsoft Sentinel , to ingest and analyze password reset activities from on-premises servers (e.g., domain controllers), you must use the Windows Security Events via AMA connector . This connector collects Event ID 4723 (password change) , 4724 (password res et) , and related security logs directly from Windows Servers into the Sentinel Log Analytics workspace through the Azure Monitor Agent (AMA) . Once the events are available in Sentinel, they can be correlated with other identity or behavioral analytics to d etect abnormal reset volumes or potential compromise attempts.

The other options are not suitable:

Microsoft Defender for Identity focuses on identity compromise detection, not specifically on password reset volume monitoring.

Smart lockout protects agains t brute-force sign-in attempts but doesn’t generate detailed reset event telemetry.

Microsoft security rule and UEBA are higher-level analytic configurations, not data ingestion mechanisms.

Therefore, to meet the Sentinel requirements for monitoring passwo rd reset anomalies:

✅ Implement in the identity environment: Azure AD Password Protection

✅ Configure in Microsoft Sentinel: The Windows Security Events via AMA connector

To hunt for resource changes in an Azure subscription via Microsoft Sentinel, the correct telemetry sourc e is the AzureActivity table. Microsoft documents state that Azure Activity logs record control-plane operations against Azure resources (e.g., create/update/delete) and include fields such as OperationNameValue , ActivityStatusValue , Caller , ResourceId , an d EventSubmissionTimestamp . Filtering with OperationNameValue endswith " write " captures change operations (create/update), while ActivityStatusValue == " Succeeded " ensures only successful changes are counted. For time-series analysis over fixed intervals a nd to substitute missing data points with 0 , use the KQL make-series operator with the default=0 parameter. This operator builds per-principal daily series using on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller , and dcount(ResourceId) (or count() ) returns the number of resource changes each day per Microsoft Entra security principal. This aligns with Sentinel hunting best practices: use AzureActivity for subscription-level changes, filter to succeeded writes, and leverage make-series to pr oduce a 7-day daily series with zero-fill for gaps—minimizing false impressions caused by missing events.

Final KQL:

AzureActivity

| where OperationNameValue endswith " write "

| where ActivityStatusValue == " Succeeded "

| make-series dcount(ResourceId) default=0

on EventSubmissionTimestamp in range(ago(7d), now(), 1d)

by Caller

To determine if ZAP moved your message, you can use either the Threat Protection Status report or Threat Explorer (and real-time detections).

According to Microsoft Sentinel documentation, automation rules are used to automatically assign, tag, or close incidents as soon as they are created. Automation rules can filter incidents based on attributes such as alert name, severity, or source , and then perform specific actions like assigning incidents to users or groups .

In this scenario, incidents are generated by Rule1 from two different AD DS domains — contoso.com and fabrikam.com — and each must be routed to a specific security group for triage. The most efficient approach is to create two automation rules , each filtering incidents by domain (one for contoso.com and on e for fabrikam.com) and automatically assigning them to Group1 and Group2 respectively. This approach minimizes administrative overhead because automation rules are easy to maintain and don’t require the complexity of a playbook.

A playbook (Logic App) cou ld technically achieve the same outcome, but it introduces more administrative management, permissions, and maintenance. Hence, per Microsoft Sentinel best practices, multiple automation rules provide a lightweight and direct automation layer for incident assignment.

✅ Correct Answer: C. two automation rules assigned to Rule1

Explanation (concise): In Azure Sentinel (Microsoft Sentinel) KQL, to display a time chart aggregated by day , you bucket timestamps using bin(TimeGenerated, 1d) (often after a summarize ), which is what the timechart visual expects. extend adds columns, makeset aggregates values into a set, and workspace is for cross-workspace queries—not for time bucketing.QUESTION NO: 2

You are configuring Azure Sentinel.

You need to send a Microsoft Teams message to a channel whenever a sign-in from a suspicious IP address is detected.

Which two actions should you perform in Azure Sentinel? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Add a playbook.

B. Associate a playbook to an incident.

C. Enable Entity behavior analytics.

D. Create a workbook.

E. Enable the Fusion rule.

Answer: AB

Explanation (concise): To send a Microsoft Teams message when a suspicious sign-in is detected, create a playbook (Logic App) that posts to Teams ( A ) and associate the playbook so it runs when the corresponding alert/incident is created ( B )—typically via an automation rule or by attaching the playbook to the analytics rule/incident. Entity behavior analytics, workbooks, or Fusion aren’t required for sending Teams notifications.

In Microsoft 365 Defender advanced hunting , interactive sign-in activity on endpoints is recorded in the DeviceLogonEvents table. This table includes fields such as DeviceName , ActionType , and LogonType . For failed authentications, the normalized ActionType value is " LogonFailed " . To count failures per device (and optionally by logon type), you filter the target devices and failed-action events, then summarize. The query pattern is:

Start from DeviceLogonEvents (the canonical table for endpoint logon successes/failures).

Apply a whe re clause to limit to the three devices using DeviceName in (...) .

Add an and condition for ActionType == " LogonFailed " to select only failed authentications.

Use summarize with count() to total failures, grouping by DeviceName and LogonType to see counts per device and logon type.

Assembled query:

DeviceLogonEvents

| where DeviceName in ( " CFOLaptop " , " CEOLaptop " , " COOLaptop " ) and ActionType == " LogonFailed "

| summarize LogonFailures=count() by DeviceName, LogonType

This precisely returns the count of faile d sign-in authentications on the specified three devices.

I n Microsoft Sentinel , during incident investigation, you can label certain entities directly from the incident page as Indicators of Compromise (IOCs) . According to Microsoft Sentinel’s entity behavior and investigation documentation, entities such as IP a ddresses , URLs , file hashes , and domains can be directly marked as IOCs because they represent observable threat indicators that can be tracked across the environment.

While entities like User accounts , Hosts , and Malware names are part of incident context , they are not directly taggable as IOCs from the incident page because Sentinel expects IOCs to represent specific, traceable, external threat artifacts (e.g., IPs, domains, or file hashes).

Therefore, from the list provided — Host, IP address, User account, and Malware name — only the IP address entity can be directly labeled as an IOC from within the incident interface in Sentinel.

✅ Answer: D. IP address

To cr eate a playbook in Microsoft Sentinel, you must first create an Azure Logic App .

Playbooks in Sentinel are built on top of Logic Apps —they define automated workflows that can be triggered by alerts or incidents. Once the Logic App exists, you can connect i t to Sentinel via an automation rule or directly from an analytic rule.

A (Azure Function trigger): Used for custom code execution, not for Sentinel automation.

C (Hunting query): Used for threat hunting, not automation.

D (Automation rule): Connects an alert to a playbook but can’t exist before a playbook (Logic App) is created.

✅ Answer: B. an Azure Logic App

When using Live Response in Microsoft Defender for Endpoint , analysts can run a series of commands to investigate and take action directly on a device from the Microsoft Defender portal. The command set includes capabilities to stop processes, col lect artifacts, analyze suspicious files, and remediate threats — all without logging into the machine interactively.

In this scenario, you are investigating a suspicious process ( Proc1 ) and need to:

Stop Proc1 (terminate the process)

Send Proc1 for further review (upload it to Microsoft for deeper analysis)

Here’s how each is done:

Stop Proc1 → remediate The remediate command in Live Response terminates malicious or suspicious processes, quarantines or removes files, and cleans related registry entries. According to Microsoft Defender documentation, this command is used to “remove or stop active threats found on the device.” When you want to stop a suspicious process (such as Proc1 ), remediate is the appropriate command.

Send Proc1 for further re view → analyze The analyze command in Live Response is used to submit a file for further inspection. It uploads the specified file to Microsoft Defender’s cloud-based analysis service, which performs advanced analysis, including static and dynamic evaluati on. Microsoft defines this command as one that “submits a file for deep inspection and analysis in Microsoft Defender’s sandbox.”

Other listed commands (e.g., getfile , processes , registry , putfile , library ) serve different purposes:

getfile → Collects a fi le for offline manual analysis.

processes → Lists all active processes.

putfile → Uploads a file to the device.

registry → Views or edits registry keys.

library → Loads custom PowerShell or Python scripts into the Live Response environment.

Therefore, acco rding to official Defender for Endpoint documentation:

✅ Stop Proc1: remediate

✅ Send Proc1 for further review: analyze

In Azure Security Center (now Microsoft Defender for Cloud) , different roles have different levels of permission. To meet the principle of least privilege , you must assign only the minimal role required for each action.

Enable and disable Azure Defender

Enabling or disabling Microsoft Defender plans (formerly Azure Defender) changes billing and protection settings at the subscription level .

According to Microsoft documentation:

“Only users with the Subscription Owner or Security Admin roles at the subscription level can enable or disable Microsoft Defender plans.”

Because this change affects billing and overall subscription configuration, the Subscription Owner role is the appropriate one — it has full control at the subscription scope.

Apply security recommendations to a resource

Applying recommendations (such as enabling disk encryption or updating system patches) involves managing configuration settings on specific resources.

The Resource Group Owner role provides full management access to all resources within that resource group, which includes the ability to implement or re mediate recommendations.

Microsoft Defender for Cloud guidance states:

“To apply recommendations or perform remediation tasks on specific resources, the user must have write permissions on those resources — typically provided by the Resource Group Owner or Contributor role.”

✅ Final Correct Mapping:

Enable and disable Azure Defender → Subscription Owner

Apply security recommendations to a resource → Resource Group Owner