SC-200 Microsoft Security Operations Analyst Questions and Answers

In Microsoft Se ntinel workbooks, parameters can be referenced directly in KQL. For multi-select parameters that include an All option, the recommended pattern is to check the parameter’s label for “All” and otherwise filter by the selected values. Hence:

where ( " {Operati ons:label} " == " All " or Operation in ({Operations}))

This lets the visual treat All as a single choice while still supporting one or many explicit operations.

You also need a Users parameter, so you’d typically include:

| where UserId in ({Users})

Because the data source is OfficeActivity , to scope to SharePoint and OneDrive activity:

| where OfficeWorkload in ( ' OneDrive ' , ' SharePoint ' )

Finally, to exclude empty site URLs , filter out blanks:

| where Site_Url != ' '

Putting it together (for context):

OfficeAct ivity

| where ( " {Operations:label} " == " All " or Operation in ({Operations}))

| where OfficeWorkload in ( ' OneDrive ' , ' SharePoint ' )

| where UserId in ({Users})

| where Site_Url != ' '

| project Site_Url, UserId, Operation, TimeGenerated

Comprehensive and Detailed Explanation with all Microsoft Security Operations (SecOps) documents : =

To monitor Linux virtual machines in AWS using Azure Defender (Microsoft Defender for Cloud) , you must onboard those VMs into Azure’s management plane. The recommended and supported approach is via Azure Arc .

Azure Arc enables Azure Defender to extend its security monitoring and policies to non-A zure machines (including AWS and on-premises). Once onboarded through Azure Arc, the Log Analytics agent (MMA/AMA) can be automatically provisioned, allowing Defender for Cloud to collect and analyze security data.

Microsoft documentation states:

“To monit or machines outside Azure (on-premises or in other clouds like AWS or GCP), onboard them to Azure using Azure Arc. Azure Defender will then auto-provision the required agent and begin monitoring.”

Thus, enabling Azure Arc and onboarding the AWS VMs meets t he goal .

✅ Correct answer: A. Yes

Azure Sentinel Contributor can create and edit workbooks, analytics rules, and other Azure Sentinel resources.

In Microsoft Sentinel , an automated threat response is achieved by using playbooks , which are automation workflows built on top of Azure Logic Apps . Microsoft’s Sentinel documentation explains: “Playbooks help automate and orchestrate your response to security threats detected in your environment. A playbook can take actions such as sending notific ations, blocking IP addresses, disabling user accounts, or integrating with third-party systems.”

Playbooks are triggered by alerts or incidents generated within Sentinel. They allow security operations teams to standardize and automate repetitive response tasks, reducing response time and minimizing manual effort. For example, when Sentinel detects a suspicious login attempt, a playbook can automatically isolate the affected device in Defender for Endpoint or block the user account in Microsoft Entra ID.

H ere’s why the other options are incorrect:

Data connector (A) is used to import logs and telemetry data into Sentinel but does not perform any response action.

Workbook (C) provides visual reporting and dashboards for analysis, not automation.

Microsoft in cident creation rule (D) helps group alerts into incidents but cannot perform automated remediation or response actions.

Therefore, the correct and verified configuration for automated threat response in Microsoft Sentinel is to use a playbook , which integ rates detection and automated remediation within the SecOps workflow.

According to Microsoft Defender for Cloud (formerly Azure Security Center) documentation, when integrating servers and virtual machines for security monitoring, the Defender for Cloud data is stored and analyzed in a Log Analytics workspace . Microsoft best practices recommend using an existing workspace when one is already deployed for centralized log collection—especially if it already gathers telemetry from Azure and on-premises resources.

In this case, the existing workspace LA1 already “contains logs and metrics collected from all Azure resources and on-premises servers.” This satisfies the business requirement of “all servers must send logs to the same Log Analytics workspace.” Creating a new workspace would violate the cost-min imization and centralization requirements. Therefore, LA1 is the correct workspace to use.

For the Windows security events collection setting, Defender for Cloud offers three levels:

Minimal – collects essential security events only (insufficient for compr ehensive monitoring).

Common – collects a balanced set of security-related events (such as account logon, privilege use, and object access), recommended by Microsoft for most environments.

All Events – collects every possible security event, which increase s data ingestion cost and is typically used only for high-security or regulated environments.

Because Litware Inc. must minimize cost while ensuring a full audit trail of user activities , the Common level provides the optimal balance of visibility and cost efficiency.

Therefore, based on Microsoft Defender for Cloud configuration guidelines:

✅ Log Analytics workspace to use: LA1

✅ Windows security events to collect: Common

In Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security), the impossible travel and sign-in from risky IP addresses anomaly detection policies automatically analyze user activity patterns and compare sign-in locations to detect suspicious behavior. However, when legitimate corporate IPs are not correctly identified as trusted, these polic ies may generate excessive false positives.

According to Microsoft’s official documentation on managing IP address ranges:

“To reduce false positive alerts from trusted network locations, define your organization’s known IP address ranges in the Defender f or Cloud Apps portal. Tagging these as Corporate ensures that sign-ins originating from these IPs are treated as safe and excluded from anomaly detection alerts.”

To implement this properly:

Add the IP addresses to the Corporate address range category (Opt ion B) — This explicitly identifies these ranges as trusted corporate networks. Once defined, Microsoft Cloud App Security (MCAS) automatically suppresses anomaly alerts (like impossible travel or risky IP alerts) from these known sources.

Override automat ic data enrichment (Option A) — Automatic data enrichment uses Microsoft’s threat intelligence and geolocation services to classify IPs. When you override it, the system respects your manual classification (Corporate, VPN, Risky, etc.) rather than reclassi fying based on Microsoft’s enrichment data. This ensures that your defined corporate IPs remain categorized correctly, avoiding repeated alerting on known legitimate sign-ins.

The other options are not appropriate:

C. Increase sensitivity level would actually make alerts even more frequent rather than reduce them.

D. Add IPs to “other” category does not stop alerts; only the Corporate category suppresses impossible travel alerts.

E. Activity policy exclusion is not used for anomaly detection tuning; it applies to specific custom activity conditions.

Therefore, the correct configuration to suppress legitimate corporate alerts and follow best practice for false positive reduction is to override automatic data en richment (A) and add corporate IPs to the Co rporate address range category (B).

In Azure Security Center (now integrated into M icrosoft Defender for Cloud ), when you receive a security alert , you can view details and recommended remediation actions directly within the portal. According to Microsoft documentation, each alert in Security Center provides two main sections when you ch oose Take Action :

Mitigate the threat – steps to remediate the immediate incident.

Prevent future attacks – recommendations generated by Defender for Cloud to strengthen your security posture and avoid similar alerts in the future.

To specifically view rec ommendations to resolve the alert , you expand the Prevent future attacks section. This section includes actionable insights such as enabling Just-In-Time (JIT) VM access, applying system updates, adjusting network security group rules, or enabling endpoint protection.

Other options are incorrect:

The Mitigate the threat section focuses on immediate containment, not preventive recommendations.

Regulatory compliance and Recommendations pages are general assessments, not alert-specific recommendations.

Therefore, the correct answer is A — select the alert → Take Action → expand Prevent future attacks .

To have a Microsoft Sentinel workbook pull live data from an external web service, you use the workbook’s built-in JSON data source. Workbooks can query REST endpoints that return JSON and render results dynamically in visuals. Because the Azure portal (where the workbook runs) is a different origin than your on-prem/public Webapp1 , browsers will block these cross-origin requests unless the endpoint explicitly allows them. Therefore, the external service must enable CORS to permit the portal’s origin to fetch the JSON. This aligns with Microsoft guidance that Workbooks can query HTTP/HTTPS JSON endpoints and that external endpoints must allow cross-origin requests for client-side calls from the Azure portal. Enforcing CORS on Webapp1 satisfies the security model while enabling the workbook to retrieve data at view time—meeting the requirement to “dynamically retrieve data from Webapp1.” Options like “custom endpoint” or “custom resource provider” aren’t needed here, and enabling SOP or only enforcing TLS 1.2 wouldn’t address the browser’s cross-origin policy blocking the call.

Live Response in Microsoft Defender for Endpoint is a powerful investigative and remediation capability that lets responders interactively run commands on an endpoint, collect files, and perform remediation steps (collect investigation packages, pull files, run scripts, or take forensic artifacts). However, Live Response is an on-demand tool invoked during or after an investigation; it does not by itself provide continuous detection coverage or automatic blocking of artifac ts that a third-party AV missed. The requirement is to ensure devices are protected from malicious artifacts that were undetected by the third-party antivirus . To meet that objective you need capabilities that detect and block artifacts automatically (for example, EDR in block mode which actively blocks/remediates post-breach artifacts even when Defender AV is passive). Live Response helps respond to an identified artifact but does not create the detection and automatic blocking coverage that prevents or re mediate undetected malicious artifacts at scale. Therefore enabling Live Response alone does not meet the stated protection goal.

 File1.exe will be blocked on Device3. — No

 User2 will be marked with a risk level of medium. — No

 An investigation package will be collected from Devic e1. — Yes

Custom detection rules in Microsoft Defender XDR are scoped to devices or device groups and only take device-related actions for devices that are in that scope. As the documentation states, “Only data from devices in the scope will be queried. Also, actions are taken only on those devices.” Therefore a rule scoped to DevGroup1 will apply actions only to devices in DevGroup1 (Device1 and Device2); it will not apply to Device3 because Device3 is in DevGroup2. Microsoft Learn

File blocking is a file-level action triggered by the rule, but blocking is applied only where the rule is in scope. Consequently File1.exe will not be blocked on Device3 (out of scope). For the user action, the rule’s Mark user as compromised action explicitly “sets the users risk level to ' high ' in Microsoft Entra ID” — it does not set a medium risk. So the statement that User2 will be marked with risk level medium is incorrect; the document ed outcome is a high risk marking. Microsoft Learn

Finally, device actions include Collect investigation package and these are applied to the DeviceId results when the r ule matches. Because Device1 is in DevGroup1 (in scope) and the rule specifies collecting an investigation package for matching devices, an investigation package will be collected from Device1 when the rule fires. Microsoft Learn

Sources: Official Microsoft Defender XDR documentation for custom detection rules (actions, scope, and user actions). Microsoft Learn

SecurityEvent

| where EventID == 4624

| summarize arg_max(TimeGenerated, *) by Account

Comprehensive and Detailed Explanation with all Microsoft Security Operations (SecOps) documents: =

This query is designed for Microsoft Sentinel (Log Analytics) to identify the latest successful logon (Event ID 4624) for each account. Event ID 4624 in the SecurityEvent table indicates a successful logon in Windows security logs.

Let’s break down the logic step-by-step:

| where EventID == 4624

This line filters the SecurityEvent table to include only records that correspond to successful logon events.

Filtering first ensures that only relevant events are processed by the summarization step, improving performance and accuracy.

| summarize arg_max(TimeGenerated, *) by Account

The arg_max() aggregation function retrieves the record that has the maximum value of TimeGenerated for each Account.

The * symbol ensures that all columns from that most recent record are returned (not just TimeGenerated and Account).

In this context, this means we get the most recent 4624 logon event per user account.

Why this order matters:

If arg_max() is placed before the where clause, the summarization would occur over all events first, not just 4624, producing incorrect results.

Therefore, the correct logical order is to filter first (where EventID == 4624), and then summarize (arg_max(TimeGenerated, *) by Account).

Alternative incorrect options explained:

summarize make_list(Account) or make_set(Account) by EventID → These aggregate account names for each EventID, not the most recent event per account.

Placing where EventID == 4624 after summarize → Filters after aggregation, which won’t return correct results per account.

According to Microsoft Sentinel and Azure Monitor Agent (AMA) documentation, when configuring data collection from Windows Security logs, you can use XPath filtering to limit which event IDs are collected. This hel ps optimize data ingestion by filtering out unnecessary events.

In this scenario, the requirement is to collect only event IDs 4624 (successful sign-in) and 4625 (failed sign-in) . The PowerShell cmdlet Get-WinEvent supports several filtering methods: -Filt erXPath , -FilterHashtable , and -FilterXml . To test the same XPath syntax used by the connector, you must use -FilterXPath , because this option accepts the same XPath query string format as used in the AMA data collection rule (DCR).

The correct XPath synta x for filtering specific event IDs from the Security log is:

Security!*[System[(EventID=4624 or EventID=4625)]]

This expression instructs the event query to return only events from the Security log whose EventID equals 4624 or 4625.

Finally, to validate th e filter, you run:

Get-WinEvent -LogName ' Security ' -FilterXPath $events

This command executes the filter locally and confirms that the syntax correctly retrieves the intended events.

Therefore, the correct completed script is:

✅ $events = ' Security!*[Syst em[(EventID=4624 or EventID=4625)]] '

✅ Get-WinEvent -LogName ' Security ' -FilterXPath $events

 Select Take action.

 Configure the Trigger automated response settings.

 Filter by alert title.

In Microsoft Defender for Cloud, automatic responses to alerts are implemented through Take action ➜ Trigger automated response , which creates or binds a workflow automation to a Logic App. For an alert such as “Suspicious process executed” , the least-effort approach is to start from the alert experience and attach the prebuilt Logic App that uses the “When a Defender for Cloud alert is created or triggered” trigger (your LogicApp2 ). The documented flow is: open the alert and choose Take action ; w ithin that blade, select Trigger automated response to connect a Logic App; then scope the automation by setting conditions/filters , including Alert title , so it only runs when the specific alert (“Suspicious process executed”) is generated. This maps exac tly to the three steps above.

Other panes under Take action — Mitigate the threat and Prevent future attacks —provide manual guidance or recommend hardening steps and are not used to bind a Logic App. Similarly, Suppress similar alerts is for tuning noise, no t for launching automations. Because you already have LogicApp2 with the Defender for Cloud alert trigger, selecting Trigger automated response and filtering by alert title ensures the playbook runs every time that specific alert fires , with minimal admini stration and without creating additional custom logic.

In Microsoft Sentinel, incident management and investigation permissions are controlled through Sentinel-specific Azure roles . To allow a user (including a guest user) to triage incidents — meaning they can view, assign, and update incident statuses , but not modify analytics rules or automation logic — the correct Azure role is Microsoft Sentinel Res ponder .

Here’s the breakdown:

1️ ⃣ Azure role → Microsoft Sentinel Responder

The Sentinel Responder role grants permissions to view incidents, update incident status, assign incidents, and run playbooks on incidents.

It follows the principle of least privilege by limiting access to only incident response and not allowing rule creation, workbook management, or data connector configuration.

The Sentinel Contributor role, on the other hand, provides broader permissions (including modifying analytic rules) , which exceeds the requirement of “triaging incidents.”

Therefore, Microsoft Sentinel Responder is the correct and least-privilege Azure role.

2️ ⃣ Azure AD role → Directory readers

To investigate and triage incidents effectively, Sentinel users must be ab le to resolve user identities (such as usernames, group membership, and object IDs) within Microsoft Entra ID (Azure AD).

The Directory Readers role provides read-only access to directory data, allowing the user to view identities but not modify them.

This minimal permission satisfies Sentinel’s identity lookup needs without elevating the user to a global administrative or global reader role.

✅ Final Answers:

Azure role: Microsoft Sentinel Responder

Azure AD role: Directory readers

According to official Microsoft Defender Vulnerability Management (TVM) documentation, when a new CVE is announced, analysts can use Microsoft 365 Defender Security Center to investigate exposure and initiate remediation workflows. The proper sequence to handle such a case is:

From Threat & Vulnerability Management (TVM), select Weaknesses and search for the CVE. In Microsoft 365 Defender, all known vulnerabilities are cataloged under the Weaknesses tab. Searching for the CVE there allows secu rity teams to determine whether any managed assets are affected and to view metadata such as severity, exploitability, and exposure score.

Select Security recommendations. Once the CVE is located, associated Security recommendations appear. These recommend ations include actionable steps like “Update software” or “Remove vulnerable version.” Each recommendation aggregates affected devices, user exposure, and related CVEs.

Create the remediation request. From the recommendation, analysts can create a remediat ion request directly in the Defender portal. This task is automatically assigned to the appropriate remediation group or IT operations team, with a due date and priority based on the risk assessment.

This workflow minimizes administrative effort, ensures a lignment with the principle of least privilege , and leverages Defender’s built-in Threat & Vulnerability Management (TVM) automation to move from detection to remediation efficiently.

✅ Final Sequence:

(1) From Threat & Vulnerability Management → Weaknesses

(2) Select → Security recommendations

(3) Create → Remediation request

In Microsoft Defender for Endpoint (MDE) live response sessions, to execute a PowerShell or other script on a remote device, the file must first be up loaded to the device from your local session. Microsoft documentation specifies that the putfile command is used to transfer a file (such as a script, tool, or executable) from the analyst’s workstation to the target device’s temporary working directory fo r execution.

Even though Script1.ps1 is digitally signed, Defender for Endpoint live response does not automatically access files from local storage or network paths. The analyst must explicitly upload the script using putfile , after which it can be execut ed within the live response shell.

The library and upload to library commands are used for storing reusable scripts centrally in the Microsoft Defender portal, but that’s not required for a single manual session. Modifying the PowerShell execution policy i s unnecessary because MDE live response sessions already allow executing approved scripts.

Hence, to minimize administrative effort and successfully run Script1.ps1 in the live session, the correct first action is:

B. Run the putfile command.

Microsoft Defender XDR’s Automatic attack disruption requires EDR in block mode to be enabled. This feature allows Defender for Endpoint to block or contain m alicious activities, even when the primary antivirus engine fails to detect or block them initially.

According to Microsoft Defender documentation, attack disruption relies on real-time EDR response capabilities and EDR in block mode to isolate compromised users or devices automatically. Without EDR in block mode, Defender can only alert — not stop — ongoing attacks.

Enabling EDR in block mode integrates the EDR layer with Microsoft Defender Antivirus to automatically contain lateral movement and credential theft activities. While Tamper Protection , Live Response , and Standard Discovery are valuable, they do not directly enable automatic attack disruption.

✅ Correct Answer: A. Set Enable EDR in block mode to On

In Microsoft Sentinel (and Azure Monito r Logs), when you create a custom parser , it must output a consistent schema from a KQL query that only transforms or reshapes data. The query cannot include commands that control presentation, sorting, or time filtering logic such as sort by , take , or exp licit where TimeGenerated > ago() . These constructs are valid in ad-hoc queries and hunting scenarios but not supported inside parser definitions because parsers are designed to provide reusable, schema-consistent structured data for analytics, detection r ules, and normalization.

In the provided example, line 5 uses:

sort by TimeGenerated desc nulls last

Sorting is purely a presentation operation and is not allowed within a parser definition. A parser should only manipulate and project columns (for example, project , extend , parse , etc.) but should not include sort , limit , or take clauses.

Other lines serve valid data filtering and shaping purposes:

Line 2 filters the time range ( TimeGenerated > ago(7d) ), which can remain for a specific scenario setup.

Line 3 applies a valid operation filter ( where Operation contains " delete " ).

Line 4 projects relevant fields.

Therefore, to prepare this query for inclusion in a custom parser, you must remove line 5 , the sort by command, ensuring the parser complies with Sentin el’s parser syntax and execution engine requirements.

Hence, the correct answer is C. Remove line 5 .

In Microsoft Defender for Endpoint (MDE) , the actions available for a device depend on its onboarding and management state . These actions are part of the incident response toolkit used by SecOps analysts to contain, isolate, or investigate devices during malware incidents.

Device1 – Windows Server 2022 (Ma naged) Device1 is onboarded and managed through Microsoft Defender for Endpoint, meaning it supports the full range of response actions , including:

Isolate device – disconnects the device from the network while maintaining Defender for Endpoint connectivity for command and control.

Contain device – blocks communication between this device and other devices, reducing lateral movement.

Initiate Automated Investigation (AIR) – triggers Defender’s automated threat investigation and remediation process.

According to Microsoft’s official Defender for Endpoint documentation:

“For devices onboarded and managed by Microsoft Defender for Endpoint, SecOps can initiate automated investigations, isolate or contain devices, and perform live response actions.”

Thus, Device1 supports all three response actions.

✅ Answer for Device1: Isolate device, Initiate Automated Investigation, and Contain device

Device2 – Linux (Unmanaged) Device2 is discovered but unmanaged , meaning it has not been onboarded to Defender for Endpoint. For unmanaged or discovered-only devices , the available actions are limited. Microsoft documentation clearly states:

“For unmanaged devices discovered by Defender for Endpoint, response actions such as containment or investigation are unavailable. Only isolation recommendations can be made if supported.”

Because Device2 is a Linux device and not onboarded , the platform cannot perform full remediation or containment. The only applicable action that aligns with incident containment (but not management interference) is isolating the device from the network to prevent malware spread.

✅ Answer for Device2: Isolate device only

✅ Final Answers Summary:

Device1: Isolate device, Initiate Automated Investigation, and Contain device

Device2: Isolate device only

When onboarding Google Cloud Platform (GCP) to Microsoft Defender for Cloud using the native cloud connector , the integration process is performed within GCP to allow Defender for Cloud to continuously monitor all existing and future GCP projects under the organization.

Step 1: Create a management project and a custom role According to Microsoft Defender for Cloud’s official onboarding documentation for GCP, the connector setup requires the creation of a management project in GCP. This project acts as a central control point for all future onboarding operations. In that project, you create a custom IAM role that defines the minimum required permissions for Defender for Cloud to access security posture, asset inventory, and threat detection data from GCP resources.

This ensures least-privilege access and allows automatic onboarding of all new GCP projects under the same organization (GCP1).

Step 2: Run the setup script in GCP Cloud Shell Microsoft provides a deployment script that you execute from the GCP Cloud Shell . Running the script there automates:

Creation of the management project

Assignment of the custom role

Configuration of the service account and necessary API permissions

Establishment of the continuous connector between GCP and Defender for Cloud

Running it in Azure Cloud Shell would not have the required GCP SDK environment or permissions to modify GCP IAM and projects, hence GCP Cloud Shell is required.

✅ Final Answers:

Create: A management project and a custom role

By: Running a script in GCP Cloud Shell

When Azure Defender for Key Vault (now Microsoft Defender for Key Vault) detects unauthorized access attempts—especially from Tor exit nodes or other suspicious IPs—the recommended mitigation is to restrict access to trusted networks by using Key Vault firewalls and virtual networks . Microsoft’s official guidance specifies: “Enable Key Vault firewalls and virtual networks to allow access only from specific public IP addresses, IP ranges, or selected virtual networks. Deny requests from untrusted sources such as Tor exit nodes.”

While Azure AD permissions and RBAC control who can authenticate and what operations they can perform, they do not prevent network-level threats. Access policies define granul ar permissions but cannot block specific network origins. Network-level controls like firewalls and VNets provide the strongest protection against malicious traffic or automated attacks from anonymous sources.

Therefore, to mitigate unauthorized access att empts coming from Tor exit nodes, the appropriate configuration is A. Key Vault firewalls and virtual networks .

In Azure Security Center (now Microsoft Defender for Cloud), Workflow automation is provisioned as an ARM resource of type Microsoft.Security/automations . The automation resource defines one or more actions , and when the action is a Logic App, the actionType is set to LogicApp and the action must reference the Logic App by its resource ID . In ARM, the correct provider namespace for Logic Apps is Microsoft.Logic , so the template uses resourceId( ' Microsoft.Logic/workflows ' , < logicAppName > ) to populate logicAppResourceId .

To enable the security alert to trigger the Logic App, the automation a ction includes a callback URL to the Logic App’s manual trigger. In ARM, this is retrieved with listCallbackURL() against the trigger resource ID, which must also use the Microsoft.Logic provider, i.e., resourceId( < subscriptionId > , < resourceGroupName > , ' Mi crosoft.Logic/workflows/triggers ' , < logicAppName > , ' manual ' ) , with the Logic Apps API version such as 2019-05-01 . This is the documented pattern for Security Center workflow automations: define an automation under Microsoft.Security/automations , specify an action of type LogicApp , reference the workflow by Microsoft.Logic , and obtain the manual trigger callback via listCallbackURL on Microsoft.Logic/workflows/triggers . This wiring ensures that when the specified security alerts are received, the automation invokes the Logic App for automatic remediation on each match.

1️ ⃣ Connect-IPPSSession

2️ ⃣ New-ComplianceSearch

3️ ⃣ Start-ComplianceSearch

In Microsoft 365 E5 (which includes Microsoft Purview and Exchange On line), to identify phishing email messages using PowerShell, administrators can perform a compliance content search . The process requires connecting to the Microsoft Purview (Security & Compliance Center) PowerShell and then creating and running a compliance search.

Here’s the correct order and purpose of each cmdlet:

1️ ⃣ Connect-IPPSSession

This cmdlet establishes a remote PowerShell session to the Microsoft Purview Compliance Center (formerly Security & Compliance Center) .

It’s required before exe cuting any compliance-related PowerShell commands such as creating or starting a search.

Example:

Connect-IPPSSession

2️ ⃣ New-ComplianceSearch

After connecting, use this cmdlet to create a new compliance content search .

You can define parameters such as th e search name, target locations (e.g., all mailboxes or specific users), and search query (for example, filtering by suspected phishing keywords or sender domains).

Example:

New-ComplianceSearch -Name " PhishingSearch " -ExchangeLocation All -ContentMatchQuery ' Subject: " phish " OR Subject: " urgent action required " '

3️ ⃣ Start-ComplianceSearch

Once the search is defined, this cmdlet initiates the compliance search to scan the selected mailboxes for phishing-related messages.

Example:

Start-Complia nceSearch -Identity " PhishingSearch "

Other cmdlets explained:

Connect-ExchangeOnline is used for managing Exchange Online configuration, not compliance or content searches.

Search-UnifiedAuditLog searches the unified audit log , which is used for activity a uditing, not email content searches.

✅ Final Correct Sequence:

Connect-IPPSSession

New-ComplianceSearch

Start-ComplianceSearch

In Microsoft Defender for Identity (MDI), the goal described — “configure several accounts for attackers to exploit” — refers to creating honeytoken accounts . A honeytoken is a decoy user account deliberately configured to appear valuable (e.g., privileged or high-value) but is not used by legitimate users. Defender for Identity monitors these accounts, and if any authentication or access attempt is detected, it triggers an immediate alert because such activity indicates potential attacker reconnaissance or co mpromise.

According to Microsoft Defender for Identity documentation , to designate honeytoken accounts, you must explicitly add the accounts themselves under the Honeytoken accounts configuration in the MDI portal. The portal path is:

Defender for Identity Portal → Configuration → Honeytoken accounts → Add accounts .

Adding accounts to a Sensitive group does not make them honeytokens. Sensitive groups (like Domain Admins or Enterprise Admins) are used by Defender for Identity to track privileged account activities and detect lateral movement, but they are not monitored as honeypots.

Therefore, while adding accounts to a Sensitive group increases monitoring visibility for privilege abuse, it does not fulfill the goal of configuring specific accounts as dec oy targets for attackers.

Hence, the correct and verified answer is B. No — the described solution does not meet the goal.

To show labeled files from Windows 10 endpoints in the Azure Information Protection – Data discovery dashboard , you must first enable the built-in integration between Microsoft Defender for Endpoint and Azure Information Protection (AIP) . This is turned on in the Microsoft Defender Securit y Center under Settings → Advanced features . When enabled, Defender for Endpoint inventories sensitivity labels seen on files across managed Windows devices and streams that telemetry to the AIP Data discovery experience, providing visibility into where la beled data resides on endpoints. Scanner clusters and content scan jobs in AIP are intended for on-premises repositories (file shares/SharePoint servers), not for endpoint discovery. Device health/compliance reports do not surface or forward label inventor y to AIP. Therefore, the first configuration step is enabling the AIP integration advanced feature in Defender for Endpoint so labeled files on Windows clients appear in the AIP Data discovery dashboard.

To restrict cloud apps running on CLIENT1 (a Window s 10 endpoint) in compliance with Microsoft Defender for Endpoint (MDE) requirements, you must integrate Microsoft Defender for Endpoint with Microsoft Defender for Cloud Apps (formerly Cloud App Security) using Cloud Discovery . This integration enables th e blocking of unsanctioned cloud apps through the endpoint’s network protection capabilities.

According to Microsoft Defender for Cloud Apps documentation , Cloud Discovery uses traffic data from Defender for Endpoint to identify and manage the use of shado w IT. The relevant steps include:

1️ ⃣ Enable advanced features in Microsoft Defender for Endpoint (M365 Defender portal → Settings → Endpoints → Advanced features).

You must enable the following advanced features:

Microsoft Defender for Cloud Apps integrat ion

Network protection (in block mode)

Custom network indicators (if applicable) These options allow Defender for Endpoint to share telemetry and enforce app restrictions received from Defender for Cloud Apps.

2️ ⃣ Configure Cloud Discovery settings in Micr osoft Defender for Cloud Apps.

In the Defender for Cloud Apps portal, Cloud Discovery must be configured to receive continuous reports from Defender for Endpoint devices. Within these settings, you define sanctioned and unsanctioned applications. Once an a pp is marked as unsanctioned , Defender for Endpoint enforces blocking on all onboarded devices (like CLIENT1).

This two-part configuration ensures that MDE enforces the blocking of unsanctioned cloud applications discovered through Cloud App Security telem etry, fulfilling the business requirement that “All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by using Microsoft Defender for Endpoint.”

 The UserName field is set as the account entity. → Yes

 The watchlist cannot be updated after it is created. → No

 The IPList variable is set as the IP address entity. → No

In Microsoft Sentinel analytics rules, entity mapping is done by assigning special alias fields in the query result such as AccountCustomEntity , HostCustomEntity , and IPCustomEntity . In the provided KQL, the final line explicitly maps AccountCustomEntity = UserName and HostCustomEntity = Computer , which sets UserName as the account entity and Computer as the host entity. No mapping is provided for an IP entity; the query defines let IPList = _GetWatchlist( ' Bad_IPs ' ); to retrieve a watchlist named Bad_IPs and then uses it only for filtering ( SourceIP in (IPList) or DestinationIP in (IPList) ). Because IPList is a dataset used for comparison and not assigned to IPCustomEntity , it is not set as the IP address entity. Additionally, Microsoft Sentinel watchlists are editable —you can upload new files, append, or replace data after creation—so the statement that a watchlist cannot be updated is false .

 Internal threat: Modify the access policy settings for the key vault.

 External threat: Modify the Key Vault firewall s ettings.

For internal threats involving a potential compromise of Fabrikam’s own Azure AD applications, the most direct and least disruptive remediation is to modify the Key Vault access policies (or RBAC assignments, if RBAC for Key Vault data-plane is in use) to immediately remove or reduce the compromised service principal’s permissions (Get/List/Decrypt/Sign/Wrap). Microsoft guidance for Key Vault access emphasizes least privilege and promptly revoking credentials or app permissions when compromise i s suspected. Access policies (or data-plane RBAC) govern which identities can access secrets, keys, and certificates; adjusting these stops further data-plane actions by the compromised app. “Resource locks” protect against deletion or configuration change s at the management plane, but they do not remove a compromised identity’s ability to read or use vault objects, so they are not an appropriate first response for this scenario.

For external threats , Microsoft recommends hardening Key Vault firewall and networking : restrict public network access, allow only required IPs, use virtual network rules, and prefer private endpoints. Key Vault includes a built-in firewall for IP and VNet ACLs; tuning these controls reduces exposure to the public internet and blo cks unauthorized traffic. NSGs apply to IaaS subnets/nics and don’t directly secure the public Key Vault endpoint. Azure Firewall can add perimeter control, but it is not necessary for remediating a specific Key Vault Defender alert; the most effective and immediate remediation is tightening the Key Vault firewall settings to limit external access pathways.

 Table: DeviceFileEvents

 Aggregation function: count()

In Microsoft Defender XDR advanced hunting, data tables such as DeviceFileEvents , DeviceProcessEvents , and CloudAppEvents are used to investigate various types of activities. Since this query aims to investigate an issue related to file activity—specifically identifying when files have been accessed, modified, or created repeatedly—the correct data source table is DeviceFileEvents . This table contains information about file-level activities recorded by Defender for Endpoint sensors, including file path, file name, action type, and user account involved.

The KQL structure shown in the image follows standard hunting query syntax:

DeviceFileEvents

| where Timestamp > ago(2d)

| summarize activityCount = count() by FolderPath, FileName, ActionType, AccountDisplayName

| where activityCount > 5

Here’s why:

The where Timestamp > ago(2d) clause filters results from the last 2 days, a typi cal timeframe for immediate investigations.

The summarize operator groups events by FolderPath, FileName, ActionType, and AccountDisplayName, then uses count() to determine how many times each file was acted upon.

Finally, where activityCount > 5 filters t o show only unusually high-frequency activity, which might indicate suspicious or automated file manipulation.

Microsoft Defender XDR documentation highlights that DeviceFileEvents is the correct schema for file activity investigations, while DeviceProcess Events focuses on process creation and execution, and CloudAppEvents targets cloud application usage.

Thus, the verified and documented correct completions are:

Table: DeviceFileEvents

Aggregation function: count()

In Microsoft Defender for Endpoint , the Live Response feature enables security analysts to remotely connect to devices (including servers) via a secure shell session directly from the Microsoft 365 D efender portal . This feature allows real-time investigation, evidence collection, and remediation commands without requiring direct network access to the device.

To enable this capability for Windows servers , you must first enable the “Live Response for Se rvers” advanced feature within Defender for Endpoint settings. Microsoft’s documentation explicitly states that this setting allows remote shell access to onboarded Windows Server devices, which is disabled by default for security reasons.

Once the advance d feature is enabled, Live Response permissions and functionality are managed at the device group level. Device groups in Defender for Endpoint are typically configured using device tags , which classify and organize endpoints (e.g., by department, OS type, or role). Tag-based grouping allows administrators to apply policies or features (like Live Response) efficiently to specific sets of devices, such as only production servers.

Alternative options such as “Automation level” or “device value” are unrelated — automation level controls auto-remediation, while device value assigns importance for alert prioritization.

Thus, the correct configuration steps are:

Enable Live Response for Servers under advanced features.

Apply the configuration to the target device group identified by a device tag .

✅ Final Answer:

Advanced feature: Live Response for Servers

For the device group: A device tag

In Microsoft Sentinel, entity ma pping is a critical configuration that ensures detected events and alerts are correctly represented in the investigation graph , incidents , and hunting experiences . The Sentinel requirements in the case study specify:

“Add notes to events that represent dat a access from a specific IP address to provide the ability to reference the IP address when navigating through an investigation graph while hunting.”

To meet this requirement, the analytic rule must be configured to map entities such as IP address, user, h ostname, or URL in the Set rule logic section. This mapping allows the incident and its related alerts to visually associate with those entities, enabling analysts to pivot and investigate in the Sentinel investigation graph.

According to Microsoft Sentine l documentation:

“Entity mapping in analytic rules helps correlate alerts and incidents to specific entities such as accounts, IPs, or hosts, enabling richer investigation experiences and faster triage.”

Therefore, configuring entity mapping directly under Set rule logic ensures that incidents are enriched with contextual information (for example, the specific IP address), meeting both the functional and investigative requirements.

✅ Final Answer for Question 2: C. From Set rule logic, map the entities.

To integrate Microsoft Defender for Cloud Apps (MCAS) with Microsoft Sentinel , Microsoft’s official SecOps and Sentinel documentation specifies a two-step configuration process.

In the Defender for Cloud Apps portal – You add a security extension to enable integration with external SIEM platforms. This action allows MCAS to forward its alerts, activities, and discovered app telemetry to other Microsoft or third-party security platforms. By adding the secu rity extension , Defender for Cloud Apps is authorized to send data streams and alerts to Microsoft Sentinel through a supported API connection.

In Microsoft Sentinel (Azure portal) – You then add a data connector . Data connectors in Sentinel are predefined integration pipelines that bring in telemetry from Microsoft or external security solutions. The Microsoft Defender for Cloud Apps connector specifically ingests MCAS alerts and audit logs into Sentinel, where they can be correlated with other Microsoft D efender XDR signals, enabling unified detection and investigation across identity, endpoint, and cloud layers.

This integration approach adheres to Microsoft’s principle of minimizing administrative effort by using native connectors rather than custom inge stion or log collector configurations. Once connected, Sentinel automatically normalizes MCAS alerts into its SecurityAlert and CloudAppEvents tables for rule creation, playbook automation, and incident correlation.

Therefore, the verified correct configur ation is:

Defender for Cloud Apps: Add a security extension

Sentinel: Add a data connector

To integrate Microsoft Defender for Cloud Apps (MCAS) with Microsoft Sentinel , Microsoft’s official SecOps and Sentinel documentation specifies a two-step configuration process.

In the Defender for Cloud Apps portal – You add a security extension to enable integration with external SIEM platforms. This action allows MCAS to forward its alerts, activities, and discovered app telemetry to other Microsoft or third-party security platforms. By adding the security extension , Defende r for Cloud Apps is authorized to send data streams and alerts to Microsoft Sentinel through a supported API connection.

In Microsoft Sentinel (Azure portal) – You then add a data connector . Data connectors in Sentinel are predefined integration pipelines that bring in telemetry from Microsoft or external security solutions. The Microsoft Defender for Cloud Apps connector specifically ingests MCAS alerts and audit logs into Sentinel, where they can be correlated with other Microsoft Defender XDR signals, en abling unified detection and investigation across identity, endpoint, and cloud layers.

This integration approach adheres to Microsoft’s principle of minimizing administrative effort by using native connectors rather than custom ingestion or log collector configurations. Once connected, Sentinel automatically normalizes MCAS alerts into its SecurityAlert and CloudAppEvents tables for rule creation, playbook automation, and incident correlation.

Therefore, the verified correct configuration is:

Defender for Cloud Apps: Add a security extension

Sentinel: Add a data connector

To complete the KQL query against the BehaviorAnalytics t able, you need to know the exact column name (for example, the Boolean field that flags a new or first-time country for the sign-in). Microsoft’s standard method to discover table schemas and column names is the Logs (Log Analytics) query window . In this p ane, the left-hand Schema browser lists all connected tables and, when expanded, shows every column name and data type . Selecting a table (e.g., BehaviorAnalytics ) reveals its fields, and the editor provides IntelliSense/autocomplete for columns as you typ e your KQL, making it straightforward to complete a clause like | where < ColumnName > == true .

Security alerts in Azure Security Center (Defender for Cloud), the Azure Activity log, and Azure Advisor do not expose the per-table column schema needed to build KQL filters. Security Center surfaces alerts and recommendations; the Activity log records control-plane operations; and Advisor provides optimization guidance—none of these replace the Logs experience for exploring data schemas.

Therefore, to accurately identify and verify the column required in the where clause for failed sign-ins from a first-time country, you should use the Log Analytics workspace query window , consult the Schema pane for the BehaviorAnalytics table, and leverage the editor’s autocompl ete to insert the correct column name.

To remediate active attacks automatically once alerts or incidents are detected, Microsoft Sentinel uses playbooks , which are workflows built on Azure Logic Apps . These playbooks can execute remediation actions—such as isolating a machine, blocking an account, or triggering other security control chang es—without manual intervention. Microsoft’s documentation clearly states that “playbooks in Microsoft Sentinel are based on workflows built in Azure Logic Apps” and that they can “automate and orchestrate your threat response by using playbooks … run a pla ybook on-demand or automatically in response to specific alerts or incidents.”

When an analytics rule in Sentinel triggers an alert or incident, you can attach an automation rule which in turn invokes a playbook (i.e. a Logic Apps workflow) to perform the remediation steps. The automation rule defines the trigger conditions and calls the playbook action as part of its response actions.

Let us evaluate other options:

Azure Automation runbooks (Option A) are powerful for scripting in Azure (e.g., PowerShell o r Python) and can perform remediation tasks, but they are not the native mechanism within Sentinel for orchestrated, alert-driven response workflows.

Azure Functions (Option C) are serverless compute for custom code, but you would have to build and integra te orchestration logic manually; they are not the out-of-box SOAR component in Sentinel.

Azure Sentinel livestreams (Option D) is not a recognized remediation automation component—it is irrelevant in this context.

Therefore, the correct solution to remedia te active attacks (triggering automated actions in response to alerts/incidents with minimal manual effort) is to use Azure Logic Apps (via Sentinel playbooks) as the orchestration engine. Logic Apps are the documented foundation of Sentinel’s automation r esponse capabilities.

 Log Analytics workspace to use: LA1

 Windo ws security events to collect: All Events

To meet the Azure Defender (Microsoft Defender for Cloud) requirement that all servers send logs to the same Log Analytics workspace , you should select the existing workspace LA1 . Defender for Cloud best practic es recommend centralizing data in a single workspace for unified analytics, incident correlation, and cost control. Using the “Default workspace created by Azure Security Center” or creating a new workspace would fragment telemetry, complicate management, and contradict the stated requirement and the business goal to minimize costs (multiple workspaces can increase ingestion/retention overhead and complicate RBAC and automation).

For Windows hosts, Defender for Cloud’s Data collection setting controls the l evel of Windows Security Events collected: Minimal , Common , or All Events . The business requirement calls for logs that provide a full audit trail of user activities . In Microsoft guidance, All Events is the level intended for comprehensive auditing (inclu ding logon/logoff, account changes, privilege use, process creation, object access, and other advanced categories). Therefore, to satisfy the “full audit trail” requirement and ensure complete visibility for investigations and Sentinel analytics, choose Al l Events .

In summary: centralize on LA1 (single workspace) and collect All Events to achieve both operational and compliance objectives with Defender for Cloud and Sentinel.

To attach notes that you can later see during investigations and hunting, you use Bookmarks in Microsoft Sentinel. Bookmarks are created from the Hunting (or Logs) experience inside the Sentinel workspace and let you pin a specific query result (including IPs, accounts, hosts) with notes, tags, and mappe d entities so it appears in the investigation graph and is easily referenceable. The correct workflow is: first, run your KQL query from the Microsoft Sentinel workspace (not from generic Azure Monitor), because Sentinel’s hunting experience is where bookmarks integrate with incidents and the investigation graph. Next, select a specific query result that represents the suspicious activity (e.g., a data access event from the target IP). Finally, create a Bookmark and map the relevant entity (IP address, Account, etc.) while adding your notes . Mapping the entity ensures the bookmarked event is connected in the investigation graph; the notes provide the narrative/context you need when pivoting later. Adding the query to favorites is optional for convenience but does not attach notes to a specific event, and running the query from Azure Monitor would not place the bookmark within Sentinel’s investigation context.

The test analytics rule must generate alerts for inbound Office 365 access by several test users and group those alerts into separate incidents—one per user . In Azure Sentinel, incident grouping by entity depends on the rule’s Entity mapping . When you create a scheduled analytics rule, under Set rule logic you map columns from your query to entities like Account , IP , or Host . Once mapped, you can configure Event grouping so alerts with the same entity value (e.g., the same Account ) are automatically grouped into a single incident. Turning suppression on/off or changing severity/tactics doesn’t influence entity-based incident grouping. Therefore, to ensure “one incident per test user account,” you must map the Acco unt entity (and any other relevant entities) in Set rule logic , then enable grouping by that entity—fulfilling the Sentinel requirement.QUESTION NO: 3 HOTSPOT

You need to create the analytics rule to meet the Azure Sentinel requirements.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer: < map > < m x1= " 300 " x2= " 402 " y1= " 181 " y2= " 204 " ss= " 0 " a= " 0 " / > < m x1= " 294 " x2= " 386 " y1= " 295 " y2= " 321 " ss= " 0 " a= " 0 " / > < /map >

Acc ording to Microsoft Security Operations (SecOps) and Azure Sentinel documentation, when you need to create an analytics rule that executes a custom KQL query and automatically initiates a playbook , the correct configuration is to create a Scheduled rule an d ensure the playbook includes a trigger .

Here’s why:

A Scheduled analytics rule in Microsoft Sentinel (Microsoft Defender XDR portal) is designed for running custom KQL queries at defined intervals (for example, every hour or every few minutes) to detect specific patterns of suspicious activity. When the rule’s conditions are met, Sentinel generates alerts that can automatically trigger a playbook for response and automation.

A playbook in Sentinel is an Azure Logic App that automates responses to incident s or alerts. To connect a playbook to an analytics rule, it must include a trigger —specifically, the “Microsoft Sentinel Alert” or “Incident trigger.” This allows the rule to start the playbook automatically when the defined condition is met.

The other opt ions are incorrect because:

Fusion rules are built-in and use Microsoft’s machine learning to correlate signals automatically; they can’t be used for custom queries.

Microsoft incident creation rules are also built-in and handle alert-to-incident grouping logic, not custom query execution.

A service principal would be needed for permissions (e.g., admin1 configuring playbooks), but not inside the playbook itself.

Diagnostics settings apply to log collection and retention, not rule automation.

Therefore, bas ed on Microsoft Sentinel best practices and documentation:

✅ Create the rule of type: Scheduled

✅ Configure the playbook to include: A trigger

According to Micros oft’s official Defender for Identity deployment documentation, setting up Microsoft Defender for Identity (MDI) on an on-premises domain controller (DC) such as DC1 requires a specific sequence of steps. MDI monitors and protects Active Directory from adva nced threats by using sensors installed directly on domain controllers.

The correct sequence is as follows:

1️ ⃣ Provide global administrator credentials to the Azure AD tenant.

Microsoft Defender for Identity is created and managed in the Microsoft 365 Def ender portal or Microsoft Security portal, which requires global administrator permissions to provision the MDI instance and connect it to the Azure AD tenant.

2️ ⃣ Create an instance of Microsoft Defender for Identity.

You must create an MDI instance in th e portal before deploying any sensors. This instance defines your Defender for Identity workspace and generates the configuration package that sensors will later use to connect to the cloud service.

3️ ⃣ Provide domain administrator credentials to the on-pr emises Active Directory domain.

Domain admin credentials are required for the sensor installation because the sensor must access the domain controller’s security logs, event logs, and directory services to monitor authentication traffic and suspicious acti vities.

4️ ⃣ Install the sensor on DC1.

Since DC1 is a domain controller connected directly to the internet, the standard sensor (not the standalone sensor) is installed directly on it. The standalone sensor is used only when you do not want to install the sensor directly on a DC. The sensor automatically connects to the created MDI instance and begins collecting telemetry for detection.

This sequence aligns with Microsoft Defender for Identity deployment guidance, ensuring secure onboarding of DC1 while mai ntaining the principle of least privilege and meeting the business requirement to protect all domain controllers.

✅ Final Order:

Provide global administrator credentials →

Create instance of Microsoft Defender for Identity →

Provide domain administrator credentials →

Install the sensor on DC1.

As outlined in Microsoft’s official Defender for Of fice 365 documentation, this service provides comprehensive protection against threats targeting Microsoft 365 collaboration tools—such as SharePoint Online , OneDrive for Business , and Microsoft Teams . The marketing team uses SharePoint Online for vendor c ollabora tion and has experienced incidents in which vendors uploaded malicious files. Microsoft Defender for Office 365 specifically addresses this scenario through features like Safe Attachments and Safe Links , which automatically scan uploaded or shared files for malware and block access to harmful content.

When a vendor uploads a file to SharePoint Online, Defender for Office 365 inspects the file in real time within a virtual sandbox environment before allowing users to open or share it. If malware is d etected, the system quarantines or removes the file and notifies administrators. These detection and remediation capabilities prevent infection propagation, protect sensitive marketing data, and maintain compliance with Contoso’s security posture.

By leveraging Defender for Office 365, Contoso’s marketing team can continue external collaboration safely, ensuring that all uploaded files are scanned and validated before internal access—thereby resolving their specific malware-related issue.

According to Microsoft Security Operations documentation, Microsoft Defender for Endpoint is designed to protect endpoint devices—including Windows, macOS, Android, and iOS —against cyberattacks through advanced behavioral analysis, threat intelligence, and automated investigation and remediation. In the given case study, the sales team exclusively uses iOS devices and has previously experienced attacks while exchanging files using third-party applications. These unmanaged file-sharing methods exposed the te am to malware, phishing, and data leakage threats.

By implementing Microsoft Defender for Endpoint on iOS, Contoso can apply unified endpoint protection across all mobile devices. Defender for Endpoint’s mobile threat defense (MTD) capabilities detect mali cious apps, risky network connections, jailbroken devices, and phishing attempts. It also integrates with Microsoft Intune for compliance enforcement and conditional access—ensuring only secure, compliant devices can access corporate resources. This direct ly mitigates the security challenges faced by the sales team while minimizing manual investigation effort through automated response.

Therefore, the issue affecting the sales team (mobile device attacks and unsafe file transfers) can be effectively resolve d using Microsoft Defender for Endpoint .

In Microsoft Sentinel (built on Azure Monitor Logs), analytics and hunting queries are executed within a Log Analytics workspace . To run Sentinel queries for Fabrikam, the tenant must have at least one workspace (with Sentinel enabled) in its subscription to host rules, incidents, hunting queries, and workbooks. Sentinel’ s cross-workspace/tenant capability is provided by cross-resource queries in Kusto Query Language (KQL). The key construct for reaching outside the current workspace is the workspace() function, which lets you reference another Log Analytics workspace by name or resource ID—even across subscriptions or tenants when proper permissions (often via Azure Lighthouse or guest access) are in place.

Typical correlation looks like:

union workspace( ' Fabrikam-WS ' ).SecurityEvent, workspace( ' Contoso-WS ' ).SecurityEvent | …

Here, workspace() is the required element to bring together data sets from multiple tenants; operators like extend and project only shape columns and do not establish cross-tenant scope. Therefore, to meet the requirements with minimal overhead: Fabrik am needs one workspace to host its Sentinel content, and you use workspace() in your KQL to correlate Contoso and Fabrikam data.

In Microsoft Sentinel, Hunting queries are used to proactively search for threats and anomalies across collected security data. The requirement states that HuntingQuery1 must run auto matically when the Hunting page of Microsoft Sentinel is accessed. According to Microsoft’s official Sentinel documentation, this behavior is achieved by adding the hunting query to “Favorites.”

When a query is marked as a favorite in the Sentinel Hunting blade, Sentinel automatically runs it every time the Hunting page is opened. This provides updated results without the need for manual execution, ensuring analysts always see the most current data for that query. This configuration also adheres to the orga nization’s requirement to minimize administrative effort , since it eliminates the need for scheduling, automation, or manual refresh actions.

Other options do not meet this functional requirement:

A. Add to a livestream is used to monitor near-real-time da ta streams, not to auto-run queries upon accessing the Hunting page.

B. Create a watchlist is used for referencing static external data sets (like IPs, users, or devices) inside KQL queries, not for automating hunting query execution.

C. Create an automati on rule applies to incident management workflows, not hunting query execution.

Therefore, as per Microsoft Sentinel’s hunting documentation and best practices, the correct and verified answer is:

D. Add HuntingQuery1 to favorites .

To monitor Windows Security events from Server1 using the Windows Security Events via AMA connector, the first object you must create is a Data Collection Rule (DCR) . With the Azure Monitor Agent (AMA) model used by Microsoft Sentinel, data flow is controlled by DCRs, not by the legacy MMA/OMS workspace settings. A DCR defines what to collect (e.g., the Security event log, specific event IDs or XPath queries), from where (the target machines or machine groups), and where to send it (the Sentinel/Log Analytics workspace). After creating the DCR, you associate it with Server1 (Arc-enabled), and the connector will begin streaming Security events to your Sentinel workspace. Creating a Sentinel sch eduled rule or an automation rule does not enable collection; those features act after data is already ingested. Event Grid topics are unrelated to Windows event collection. Therefore, the correct first step for meeting the Sentinel requirement to monitor Server1’s Security log via AMA is to create a DCR , then assign it to Server1 and the Sentinel workspace.

To monitor and detect higher-than-normal volumes of password resets, you need to gather password reset event data both from Azure Active Directory (cloud identities) and from on-premises Active Directory (domain accounts) . Microsoft’s official Defender XDR and Sentinel integrat ion guidance describes that:

Azure AD Password Protection enforces and monitors password policies in both cloud and hybrid environments. It can detect weak, commonly used, or compromised passwords and logs related password change/reset activities. Deployin g Azure AD Password Protection extends password reset visibility to on-premises domain controllers through the Password Protection proxy and DC agent. This makes it the correct choice for implementing monitoring at the identity environment level.

In Microsoft Sentinel , to ingest and analyze password reset activities from on-premises servers (e.g., domain controllers), you must use the Windows Security Events via AMA connector . This connector collects Event ID 4723 (password change) , 4724 (password res et) , and related security logs directly from Windows Servers into the Sentinel Log Analytics workspace through the Azure Monitor Agent (AMA) . Once the events are available in Sentinel, they can be correlated with other identity or behavioral analytics to d etect abnormal reset volumes or potential compromise attempts.

The other options are not suitable:

Microsoft Defender for Identity focuses on identity compromise detection, not specifically on password reset volume monitoring.

Smart lockout protects agains t brute-force sign-in attempts but doesn’t generate detailed reset event telemetry.

Microsoft security rule and UEBA are higher-level analytic configurations, not data ingestion mechanisms.

Therefore, to meet the Sentinel requirements for monitoring passwo rd reset anomalies:

✅ Implement in the identity environment: Azure AD Password Protection

✅ Configure in Microsoft Sentinel: The Windows Security Events via AMA connector

The case s tudy requires:

“Ensure that the Group1 members can create and edit playbooks.”

In Microsoft Sentinel, the ability to create, edit, and assign playbooks is granted by the Microsoft Sentinel Automation Contributor role.

This role allows users to:

Create and manage automation rules,

Create and edit playbooks (Logic Apps) in the connected subscription,

Associate playbooks with Sentinel incidents or alerts.

By contrast:

Logic App Contributor allows Logic App creation but doesn’t include Sentinel-level integration permissions.

Automation Operator can run playbooks but not edit or create them.

Sentinel Playbook Operator can execute playbooks but cannot modify or assign them.

✅ Answer for Question 11: A. Microsoft Sentinel Automation Contributor

In Microsoft Sentinel’s Advanced Security Information Model (ASI M) , DNS queries are normalized through the Im_Dns parser, which unifies DNS telemetry from multiple sources (Infoblox, Windows DNS, Azure Firewall DNS proxy, etc.). Microsoft guidance states that when you need broad compatibility and want to “use built-in ASIM parsers whenever possible,” you should call the generic Im_Dns() parser . To minimize overhead , ASIM provides a pack parameter that restricts the parser to a specific content pack (vendor/source) so it won’t iterate through all available source parsers under the hood. For Infoblox NIOS, you pass the Infoblox pack via the pack parameter, which limits parsing to the Infoblox implementation and reduces query cost/latency while keeping the query portable across environments.

Putting it together, the recomme nded pattern is:

Im_Dns(pack= " InfobloxNIOS " )

| where DnsResponseCodeName == " NXDOMAIN "

| summarize count()

This approach satisfies all requirements:

Uses built-in ASIM (Im_Dns).

Minimizes query overhead (uses pack to limit parsing to Infoblox).

Targets NXD OMAIN responses for counting DNS request failures from Infoblox1 .

For a near-real-time (NRT) analytics rule that detects sign-ins by a designated break-glass account, the most direct and performant pattern is to filter SigninLogs by joining to a Microsoft Sentinel watchlist that contains the protected account(s). Sentinel exposes watchlists to KQL through the helper function _GetWatc hlist( ' < watchlist-name > ' ) , which returns a table with standard columns (including SearchKey ) plus any custom columns you imported. Using join kind=inner ensures the result set includes only those SigninLogs rows whose UserPrincipalName matches an entry in the watchlist—ideal for alerting on a high-value account without post-filtering.

The completed query is:

SigninLogs | join kind=inner (_GetWatchlist( ' breakglass_account ' )) on $left.UserPrincipalName == $right.SearchKey

This approach satisfies the requireme nt to implement an NRT rule for the break-glass account because:

NRT rules support KQL with joins and watchlists and are optimized for rapid evaluation over fresh data.

Using a watchlist lets SecOps adjust monitored accounts without editing the rule—minimi zing administrative effort and aligning with least-privilege operations (no extra permissions beyond watchlist management).

The inner join pattern reduces noise by returning only matched events, which are then turned into alerts/incidents by the NRT rule.

Thus, select join and GetWatchlist , and join UserPrincipalName to the watchlist’s SearchKey .

The requirement is to enable Microsoft Defender for Servers Plan 2 on all Azure VMs while excluding Server2 from agentless scanning . Defender for Cloud provides a built-in mechanism to exclude specific machines from agentless scanning based on resource tags . The process is: assign a distinct tag name:value to the VM you want to exclude (Server2), and then, in Defender for Cloud’s Agentless scanning for machines settings, specify that tag pair under exclusions . Defender’s continuous discovery honors these exclusions and skips any VM that matches the configured tag. This approach aligns with the business requirement of least privilege and minimal administrative effort : it avoids broad configuration changes, requires no extensions on the VM, and is reversible by simply removing or changing the tag. The Microsoft Antimalware extension and Automanage configuration are unrelated to agentless scanning behavior, and a resource lock would only prevent modifications/deletions, not scanning. Therefore, to meet the Defender for Cloud requirement precisely, configure an Azure resource tag on Server2 and reference that tag in the agentless scanning exclusion settings.

The Defender for Cloud requirement states:

“The members of Group1 must be able to enable Defender for Cloud plans and apply regulatory compliance initiatives.”

According t o Microsoft Defender for Cloud’s RBAC documentation, the Security Assessment Contributor role provides permissions to:

Enable and configure Defender plans,

Manage security policies and initiatives,

View and edit recommendations and compliance results.

This role gives enough permissions to perform Defender configuration tasks but follows the principle of least privilege , unlike broader roles like Owner or Contributor, which grant excessive rights.

✅ Answer for Question 9: C. Security Assessment Contributor

Microsoft Sentinel playboo ks can be triggered by different types of events— alerts , incidents , or entities . Since the requirement specifies “incidents generated by rulequery1” and asks for automatic processing of those incidents, the correct approach is to use a playbook with an inc ident trigger .

According to Microsoft Sentinel automation documentation:

“When you want automation to start after an incident is created or updated, use the incident trigger . This allows you to automate workflows such as closing incidents, adding comments, or sending notifications.”

This trigger type works with automation rules that specify when and how to execute playbooks based on incident state or severity. Using a playbook with an incident trigger meets the need for post-incident automation (e.g., auto- closing incidents if they match certain conditions).

✅ Answer for Question 8: A. a playbook with an incident trigger

The Sentinel requirement states:

“Ensure that multiple alerts generated by rulequery1 in response to a single user launching Azure Cloud Shell multiple times are consolidated as a single incident.”

This behavior is controlled by the event grouping setting in the analytics rule configurati on.

Microsoft Sentinel documentation explains:

“Event grouping determines how alerts generated from the same rule are grouped into incidents. Selecting ‘Group all alerts triggered by this rule into a single incident’ allows all related alerts to be combine d.”

Hence, configuring event grouping ensures that all alerts from rulequery1 related to the same user are consolidated into one incident, satisfying the requirement.

✅ Answer for Question 10: C. event grouping