Free Microsoft SC-200 Practice Exam with Questions & Answers | Set: 5

The test analytics rule must generate alerts for inbound Office 365 access by several test users and group those alerts into separate incidents—one per user . In Azure Sentinel, incident grouping by entity depends on the rule’s Entity mapping . When you create a scheduled analytics rule, under Set rule logic you map columns from your query to entities like Account , IP , or Host . Once mapped, you can configure Event grouping so alerts with the same entity value (e.g., the same Account ) are automatically grouped into a single incident. Turning suppression on/off or changing severity/tactics doesn’t influence entity-based incident grouping. Therefore, to ensure “one incident per test user account,” you must map the Acco unt entity (and any other relevant entities) in Set rule logic , then enable grouping by that entity—fulfilling the Sentinel requirement.QUESTION NO: 3 HOTSPOT

You need to create the analytics rule to meet the Azure Sentinel requirements.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer: < map > < m x1= " 300 " x2= " 402 " y1= " 181 " y2= " 204 " ss= " 0 " a= " 0 " / > < m x1= " 294 " x2= " 386 " y1= " 295 " y2= " 321 " ss= " 0 " a= " 0 " / > < /map >

Acc ording to Microsoft Security Operations (SecOps) and Azure Sentinel documentation, when you need to create an analytics rule that executes a custom KQL query and automatically initiates a playbook , the correct configuration is to create a Scheduled rule an d ensure the playbook includes a trigger .

Here’s why:

A Scheduled analytics rule in Microsoft Sentinel (Microsoft Defender XDR portal) is designed for running custom KQL queries at defined intervals (for example, every hour or every few minutes) to detect specific patterns of suspicious activity. When the rule’s conditions are met, Sentinel generates alerts that can automatically trigger a playbook for response and automation.

A playbook in Sentinel is an Azure Logic App that automates responses to incident s or alerts. To connect a playbook to an analytics rule, it must include a trigger —specifically, the “Microsoft Sentinel Alert” or “Incident trigger.” This allows the rule to start the playbook automatically when the defined condition is met.

The other opt ions are incorrect because:

Fusion rules are built-in and use Microsoft’s machine learning to correlate signals automatically; they can’t be used for custom queries.

Microsoft incident creation rules are also built-in and handle alert-to-incident grouping logic, not custom query execution.

A service principal would be needed for permissions (e.g., admin1 configuring playbooks), but not inside the playbook itself.

Diagnostics settings apply to log collection and retention, not rule automation.

Therefore, bas ed on Microsoft Sentinel best practices and documentation:

✅ Create the rule of type: Scheduled

✅ Configure the playbook to include: A trigger

According to Micros oft’s official Defender for Identity deployment documentation, setting up Microsoft Defender for Identity (MDI) on an on-premises domain controller (DC) such as DC1 requires a specific sequence of steps. MDI monitors and protects Active Directory from adva nced threats by using sensors installed directly on domain controllers.

The correct sequence is as follows:

1️ ⃣ Provide global administrator credentials to the Azure AD tenant.

Microsoft Defender for Identity is created and managed in the Microsoft 365 Def ender portal or Microsoft Security portal, which requires global administrator permissions to provision the MDI instance and connect it to the Azure AD tenant.

2️ ⃣ Create an instance of Microsoft Defender for Identity.

You must create an MDI instance in th e portal before deploying any sensors. This instance defines your Defender for Identity workspace and generates the configuration package that sensors will later use to connect to the cloud service.

3️ ⃣ Provide domain administrator credentials to the on-pr emises Active Directory domain.

Domain admin credentials are required for the sensor installation because the sensor must access the domain controller’s security logs, event logs, and directory services to monitor authentication traffic and suspicious acti vities.

4️ ⃣ Install the sensor on DC1.

Since DC1 is a domain controller connected directly to the internet, the standard sensor (not the standalone sensor) is installed directly on it. The standalone sensor is used only when you do not want to install the sensor directly on a DC. The sensor automatically connects to the created MDI instance and begins collecting telemetry for detection.

This sequence aligns with Microsoft Defender for Identity deployment guidance, ensuring secure onboarding of DC1 while mai ntaining the principle of least privilege and meeting the business requirement to protect all domain controllers.

✅ Final Order:

Provide global administrator credentials →

Create instance of Microsoft Defender for Identity →

Provide domain administrator credentials →

Install the sensor on DC1.

The requirement states that Cloud App Security (Defender for Cloud Apps) must determine whether a user’s connection is anomalous based on tenant-level patterns , and the current false positives occur when users connect through two office egress points at the same time. These symptoms align with the Impossible travel anomaly detection policy, which learns normal sign-in geolocation patterns and flags sign-ins from distant locations within an unrealistically short time window. To meet the requirement and reduce false positives, you modif y the Impossible travel policy settings—such as excluding trusted corporate IP ranges/VPN egress points and tuning sensitivity—so detections better reflect tenant-wide behavior rather than isolated user hops via different office exits. Policies like Activi ty from anonymous/suspicious IP addresses rely on threat-intel lists of anonymizers or known-bad sources and don’t address the “two-office” scenario. Risky sign-in is part of Azure AD Identity Protection, not the MCAS anomaly policy to tune here. Thus, the policy to modify is Impossible travel .

To restrict cloud apps running on CLIENT1 (a Window s 10 endpoint) in compliance with Microsoft Defender for Endpoint (MDE) requirements, you must integrate Microsoft Defender for Endpoint with Microsoft Defender for Cloud Apps (formerly Cloud App Security) using Cloud Discovery . This integration enables th e blocking of unsanctioned cloud apps through the endpoint’s network protection capabilities.

According to Microsoft Defender for Cloud Apps documentation , Cloud Discovery uses traffic data from Defender for Endpoint to identify and manage the use of shado w IT. The relevant steps include:

1️ ⃣ Enable advanced features in Microsoft Defender for Endpoint (M365 Defender portal → Settings → Endpoints → Advanced features).

You must enable the following advanced features:

Microsoft Defender for Cloud Apps integrat ion

Network protection (in block mode)

Custom network indicators (if applicable) These options allow Defender for Endpoint to share telemetry and enforce app restrictions received from Defender for Cloud Apps.

2️ ⃣ Configure Cloud Discovery settings in Micr osoft Defender for Cloud Apps.

In the Defender for Cloud Apps portal, Cloud Discovery must be configured to receive continuous reports from Defender for Endpoint devices. Within these settings, you define sanctioned and unsanctioned applications. Once an a pp is marked as unsanctioned , Defender for Endpoint enforces blocking on all onboarded devices (like CLIENT1).

This two-part configuration ensures that MDE enforces the blocking of unsanctioned cloud applications discovered through Cloud App Security telem etry, fulfilling the business requirement that “All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by using Microsoft Defender for Endpoint.”

To monitor Windows Security events from Server1 using the Windows Security Events via AMA connector, the first object you must create is a Data Collection Rule (DCR) . With the Azure Monitor Agent (AMA) model used by Microsoft Sentinel, data flow is controlled by DCRs, not by the legacy MMA/OMS workspace settings. A DCR defines what to collect (e.g., the Security event log, specific event IDs or XPath queries), from where (the target machines or machine groups), and where to send it (the Sentinel/Log Analytics workspace). After creating the DCR, you associate it with Server1 (Arc-enabled), and the connector will begin streaming Security events to your Sentinel workspace. Creating a Sentinel sch eduled rule or an automation rule does not enable collection; those features act after data is already ingested. Event Grid topics are unrelated to Windows event collection. Therefore, the correct first step for meeting the Sentinel requirement to monitor Server1’s Security log via AMA is to create a DCR , then assign it to Server1 and the Sentinel workspace.

To have a Microsoft Sentinel workbook pull live data from an external web service, you use the workbook’s built-in JSON data source. Workbooks can query REST endpoints that return JSON and render results dynamically in visuals. Because the Azure portal (where the workbook runs) is a different origin than your on-prem/public Webapp1 , browsers will block these cross-origin requests unless the endpoint explicitly allows them. Therefore, the external service must enable CORS to permit the portal’s origin to fetch the JSON. This aligns with Microsoft guidance that Workbooks can query HTTP/HTTPS JSON endpoints and that external endpoints must allow cross-origin requests for client-side calls from the Azure portal. Enforcing CORS on Webapp1 satisfies the security model while enabling the workbook to retrieve data at view time—meeting the requirement to “dynamically retrieve data from Webapp1.” Options like “custom endpoint” or “custom resource provider” aren’t needed here, and enabling SOP or only enforcing TLS 1.2 wouldn’t address the browser’s cross-origin policy blocking the call.

To monitor and detect higher-than-normal volumes of password resets, you need to gather password reset event data both from Azure Active Directory (cloud identities) and from on-premises Active Directory (domain accounts) . Microsoft’s official Defender XDR and Sentinel integrat ion guidance describes that:

Azure AD Password Protection enforces and monitors password policies in both cloud and hybrid environments. It can detect weak, commonly used, or compromised passwords and logs related password change/reset activities. Deployin g Azure AD Password Protection extends password reset visibility to on-premises domain controllers through the Password Protection proxy and DC agent. This makes it the correct choice for implementing monitoring at the identity environment level.

In Microsoft Sentinel , to ingest and analyze password reset activities from on-premises servers (e.g., domain controllers), you must use the Windows Security Events via AMA connector . This connector collects Event ID 4723 (password change) , 4724 (password res et) , and related security logs directly from Windows Servers into the Sentinel Log Analytics workspace through the Azure Monitor Agent (AMA) . Once the events are available in Sentinel, they can be correlated with other identity or behavioral analytics to d etect abnormal reset volumes or potential compromise attempts.

The other options are not suitable:

Microsoft Defender for Identity focuses on identity compromise detection, not specifically on password reset volume monitoring.

Smart lockout protects agains t brute-force sign-in attempts but doesn’t generate detailed reset event telemetry.

Microsoft security rule and UEBA are higher-level analytic configurations, not data ingestion mechanisms.

Therefore, to meet the Sentinel requirements for monitoring passwo rd reset anomalies:

✅ Implement in the identity environment: Azure AD Password Protection

✅ Configure in Microsoft Sentinel: The Windows Security Events via AMA connector

The requirement is to enable Microsoft Defender for Servers Plan 2 on all Azure VMs while excluding Server2 from agentless scanning . Defender for Cloud provides a built-in mechanism to exclude specific machines from agentless scanning based on resource tags . The process is: assign a distinct tag name:value to the VM you want to exclude (Server2), and then, in Defender for Cloud’s Agentless scanning for machines settings, specify that tag pair under exclusions . Defender’s continuous discovery honors these exclusions and skips any VM that matches the configured tag. This approach aligns with the business requirement of least privilege and minimal administrative effort : it avoids broad configuration changes, requires no extensions on the VM, and is reversible by simply removing or changing the tag. The Microsoft Antimalware extension and Automanage configuration are unrelated to agentless scanning behavior, and a resource lock would only prevent modifications/deletions, not scanning. Therefore, to meet the Defender for Cloud requirement precisely, configure an Azure resource tag on Server2 and reference that tag in the agentless scanning exclusion settings.