Practice Free SC-200 Microsoft Security Operations Analyst Exam Questions Answers With Explanation

To combine Microsoft Graph activity logs with Microsoft Entra ID Protection risky users , while minimizing data volume, you use the lookup kind=leftouter operator.

Microsoft documentation explains:

“Use lookup (instead of join) when you need to enrich a large dataset with a small lookup table to minimize data returned.”

MicrosoftGraphActivityLogs provides user activity records.

AADRiskyUsers lists users detected as risky by Entra ID Protection.

A leftouter lookup ensures all Microsoft Graph activity entri es are kept, while only matching risky user info is appended — reducing output volume compared to a full join .

? Correct Answer: A. MicrosoftGraphActivityLogs lookup kind=leftouter AADRiskyUsers on $left.UserId == $right.Id

? Policy template type: Access policy

? Filter based on: IP address tag

In Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security), policies are used to detect, alert, and control access or activity patterns across cloud applications.

To detect connections originating from a botnet network , you need a policy that evaluates real-time access conditions such as the user’s IP address, device, or location at the time of the connection attempt. This is achieved thr ough an Access policy , which controls and monitors session access to cloud apps using Conditional Access App Control.

Microsoft documentation specifies that Access policies can filter based on IP address ranges, tags, or risk levels. The “IP address tag” i s particularly used to classify addresses into categories like “Risky,” “Anonymous proxy,” “Botnet,” etc. Microsoft’s built-in IP address tagging capability recognizes malicious or suspicious sources, including known botnet IPs.

Activity policies monitor i n-app user actions such as file downloads, sharing, or admin operations—not the connection origin.

Anomaly detection policies rely on behavioral analytics and machine learning, not static IP classifications, and cannot explicitly target botnet IPs.

Therefo re, to meet the requirement of detecting connections to Microsoft 365 apps from botnet networks , you must configure an Access policy that filters based on the IP address tag set to “Botnet.”

Defender for Cloud depends on the Log Analytics agent.

Use the Log Analytics agent if you need to:

* Collect logs and performance data from Azure virtual machines or hybrid machines hosted outside of Azure

* Etc.

To identify which blobs were deleted in an Azure Storage account, you must review Azure Storage Analytics logs , which record all operations (including DeleteBlob and DeleteContainer requests) made aga inst the storage service.

These logs contain details such as timestamp, requester IP, operation type, and object name—allowing you to pinpoint the exact blobs deleted.

Activity logs (Option B) record control-plane operations (e.g., resource creation or con figuration changes), not data-plane operations like blob deletions.

Alert details and related entities (Options C and D) summarize detection context but do not include full operation-level details.

? Correct Answer: A. the Azure Storage Analytics logs

Just-In-Time (JIT) VM access in Microsoft Defender for Cloud controls inbound traffic to virtual machines, reducing exposure to attacks. Microsoft’s guidance allows JIT policies to be centrally configured and applied automatically across a resource group using Azure Policy , which provides the lowest administrative overhead.

To meet the requir ements:

Limit request time to two hours: Defender for Cloud JIT policy allows defining a maximum allowed access duration per request.

Limit protocol to RDP only: The JIT configuration can restrict the protocol and port (TCP/3389 for RDP).

Minimize administrative effort: Azure Policy can automatically enforce this configuration for all VMs in RG1 without manually setting up each VM.

Other options are less suitable:

A. PIM controls user privileges, not network access.

C. Azure Front Door handles web application traffic.

D. Azure Bastion provides secure RDP/SSH via portal but doesn’t manage just-in-time network policies.

? Correct Answer: B. Azure Policy

When User and Entity Behavior Analytics (UEBA) is enabled in Microsoft Sentinel, it automatically monitors Azure AD Sign-in Logs and provides activity templates for detecting common risky behaviors, such as failed sign-in attempts , impossible travel , or infrequent country logins .

To detect faile d interactive sign-ins with minimal administrative effort , you can simply enable the UEBA activity template for sign-in failures rather than building a custom scheduled alert or hunting query.

? Answer: B. a UEBA activity template

To integrate Microsoft Defender for Cloud with Azure DevOps (AzDO1) for detecting secrets exposed in pipelines , you must connect the two platforms using Microsoft’s built-in integration flow that enables Defender for Cloud to scan repositories and pipelines for vulnerabilities and sensitive data exposure.

Here’s the correct configuration process:

Step 1: In Defender for Cloud – Add an environment In the Defender for Cloud portal, you first need to add an environment that represents your Azure DevOps organization.

This step connects Defender for Cloud to the DevOps service, allowing it to monitor repositories, build pipelines, and artifacts.

Navigate to Defender for Cloud ? Environment settings ? Add environment ? Azure DevOps .

You’ll then authenticate your Azure DevOps organization (AzDO1) to allow Defender for Cloud to scan your pipelines.

This setup enables Defender for DevOps , a capability within Defender for Cloud, to detect exposed secrets, insecure dependencies, and misconfigurations directly from pipeline activities.

Step 2: In AzDO1 – Install an extension Next, within Azure DevOps (AzDO1) , install the Microsoft Defender for DevOps Security Scanner extension from the Azure DevOps Marketplace .

This extension integrates the Defender for Cloud scanning engine into the Azure DevOps pipeline process and enables automatic scanning for:

Hardcoded secrets in YAML pipelines,

Vulnerability findings in open-source dependencies, and

Infrastructure-as-code misconfigurations (for example, ARM, Terraform).

Once installed, the extension automatically works with Defender for Cloud, and any detected secret exposure or security issue is surfaced in Defender for Cloud’s “DevOps Security” dashboard.

Configure workflow automation: Applies to automated incident responses, not DevOps integration.

Enable a plan: Refers to enabling Defender plans for specific Azure resource types, not connecting DevOps.

Configure OAuth / Configure security policies: Required for custom integration scenarios, but not for standard Defender–DevOps onboarding.

Why Other Options Are Incorrect:

? Final Correct Answer:

In Defender for Cloud: Add an environment

In AzDO1: Install an extension

The query filters on ingestion_time() > ago(1d) , which means it is interested in recently inges ted device telemetry (DeviceEvents and DeviceProcessEvents) within the last 24 hours. To minimize the time between an event ingest and a detection/notification, you want the rule engine to evaluate the query as close to real-time as possible. Microsoft’s X DR/Defender detection framework supports continuous (near-real-time, NRT) detection mode, which evaluates incoming telemetry continuously (or at very short intervals) rather than waiting for a scheduled run.

Scheduled analytics/detection rules run on fixed intervals (for example every hour, every 3 hours, etc.), which introduces a guaranteed latency equal to the schedule period. By contrast, a Continuous (NRT) rule processes telemetry as it arrives (or in very short batch windows), dramatically reducing the time-to-alert for matching events. That makes Continuous (NRT) the correct choice when the requirement is to minimize notification latency for device events.

Note the operational trade-offs: continuous rules can generate more frequent evaluations and high er operational overhead (and potentially more noise), so they should be scoped and tuned appropriately (filters, distinct counts, thresholds) to avoid excessive alerts.

In Microsoft Sentinel (now part of Microsoft Defender XDR), Kusto Query Language (KQL) is used to create queries for workbooks, analytics rules, and hunting q ueries. The SecurityIncident table contains all incidents created in Sentinel, including their timestamps, severities, and metadata.

To meet the requirements:

“List all incidents by incident number” ? means grouping results by the field IncidentNumber .

“On ly include the most recent log for each incident” ? means you must return only the latest record for each incident.

In KQL, the correct operator for this purpose is summarize arg_max() . The function arg_max(LastModifiedTime, *) returns the row (record) tha t has the maximum LastModifiedTime for each group—in this case, each unique IncidentNumber —along with all its other columns (indicated by * ).

Therefore, the complete and correct query is:

SecurityIncident

| summarize arg_max(LastModifiedTime, *) by Inciden tNumber

summarize aggregates records based on the specified grouping key ( IncidentNumber ).

arg_max() selects the latest record based on LastModifiedTime .

This query will return exactly one record per IncidentNumber , corresponding to the most recently modified incident entry—perfectly fulfilling the requirement of showing the latest incident state for each case in a Sentinel workbook.

? Correct selections:

First dropdown: summarize

Second dropdown: arg_max

In Microsoft Defender for Endpoint advanced hunting, when Network device discovery is enabled, onboarded devices can detect other devices on the same network. To build a hunting query that identifies discovered network devices and shows which onbo arded device discovered each, you use the SeenBy() built-in function.

Microsoft’s official Defender XDR KQL function documentation explains:

“The SeenBy() function returns the list of devices that have observed the entity (for example, IP address, URL, or network device). This function is typically used to correlate discovered devices with the onboarded devices that detected them.”

For example, you can write:

DeviceNetworkInfo

| where NetworkDeviceRole == " Discovered "

| extend DiscoveringDevice = SeenBy()

This function effectively maps the discovered asset to the detecting (onboarded) device.

Other options are not applicable:

current_cluster,endpoint() — not a valid Defender hunting function.

DeviceFromIP() — resolves IP addresses to onboarded devices but d oes not show which device discovered another.

next() — a general KQL operator for sequencing data, not for correlating network discovery events.

Therefore, to identify discovered network devices and the discovering endpoints, the correct built-in function is SeenBy() .

In Microsoft Defender for Identity , marking accounts as Sensitive instructs the system to monitor those accounts more closely for suspicious activity or lateral movement attempts.

The question describes the goal as configuring several accounts that attackers might exploit. Microsoft Defender for Identity documentation explicitly says:

“Accounts designated as Sensitive are prioritized for monitoring and detection to identify potential compromise attempts.”

Thus, adding the accounts as Sensitive accounts achieves the goal.

? Correct Answer: A. Yes

In Microsoft 365 Defender advanced hunting, if you want to automatically receive alerts based on a KQL query—such as detecting when a process disables System Restore—you must convert that query into a custom detection rule . According to Microsoft’s official documentation, custom detection rules “run hunting querie s on a schedule and create alerts and incidents when results are found.”

In order for the detection rule to function properly and correlate results across devices and incidents, the query must output DeviceId and ReportId . These fields are mandatory for an y advanced hunting query that you want to convert into a detection rule be cause they uniquely identify the device and event instance. Without them, the rule cannot properly generate correlated alerts.

Therefore:

Create a detection rule (A) – ensures the qu ery runs automatically and alerts are generated.

Add DeviceId and ReportId (E) – required for detection rule creation and accurate device/event correlation.

Other options are incorrect:

Suppression rule (B) filters alerts, not generate them.

Order by Times tamp (C) is optional for display, not alerting.

DeviceNetworkEvents (D) is unrelated to this process query.

? First blank (create a stub table): datatable

? Second blank (union option): isfuzzy=true

In KQL for Microsoft Sentinel, a safe way to test whether a table exists across multiple workspaces (without throwing an error when it doesn’t) is to union a guaranteed single-row “stub” table with a query against the target table, and use union isfuzzy=true . The stu b is created with datatable , e.g., let mtable = datatable(isMissing:int) [1]; which always yields one row ( isMissing=1 ). The second branch queries the real table and, if it exists, emits a row with isMissing=0 . When the table is missing, that branch return s no rows, but because isfuzzy=true is used, the reference to a potentially missing table is treated as an empty input rather than an error. Finally, selecting a single row (e.g., | top 1 by isMissing asc ) ensures you return 0 if the table exists (preferre d), otherwise 1 from the stub.

A complete pattern for the answer area is:

let mtable = datatable(isMissing:int) [1];

union isfuzzy=true

mtable,

(AzureActivity | getschema | project isMissing=0)

| top 1 by isMissing asc

This meets the requirements: it checks existence per workspace, returns one row with isMissing=0 if the table exists, or one row with isMissing=1 if it does not, with minimal overhead and no failures when the table is absent.

According to Microsoft Defender for Identity documentation, when an alert such as “Suspected identity theft (Pass-the-Ticket)” appears, it indicates that a compromised Kerberos ticket might have been used by an attacker to impersonate a legitimate account. The goal in this scenario is to contain the spread of the attack while minimiz ing disruption to unaffected users and systems.

Microsoft recommends isolating or quarantining the compromised device first, as it is the likely source of the malicious activity. Quarantining Device1 blocks it from communicating with other networked system s, preventing further credential theft or lateral movement, while allowing SOC teams to investigate and remediate the issue.

Resetting all account passwords or disabling user accounts at this stage could cause significant operational disruption and is not advised unless there is evidence that multiple credentials were compromised. Defender for Identity’s containment guidance explicitly notes:

“Contain the affected device to stop further credential theft or movement.”

“Reset passwords only for accounts confi rmed to be compromised.”

Therefore, the least disruptive and most efficient containment step is to quarantine Device1 only . This action effectively isolates the threat while maintaining normal operations for other users and devices, satisfying the requirem ent to minimize administrative effort and user impact.

Hence, the verified answer is B. Quarantine Device1 only .

For Conditional Access investigations in Microsoft Sentinel, the data source depends on the control plane used. When policies are downloaded via PowerShell , the cmdlets call the Microsoft Graph (e.g., Get-MgIdentityConditionalAccessPol icy ). Those Graph req uests are captured by the Microsoft Graph Activity Logs connector and land in the MicrosoftGraphActivityLogs table. This table records the app identity (such as PowerShell/Graph SDK), the API path (like /identity/conditionalAccess/policies ), verb (GET), an d result, which is ideal for spotting bulk reads/exports of policy definitions.

When policies are updated in the Microsoft Entra admin center , two streams provide visibility. First, directory auditing writes change events (create/update/delete of Condition al Access policies) to Microsoft Entra Audit logs , surfaced in Sentinel as the AuditLogs table, including the actor, target policy, operation (Update policy), and result. Second, the Entra admin center itself is a first-party application that performs the update by invoking Microsoft Graph ; those API calls are also recorded in MicrosoftGraphActivityLogs (with verb PATCH/POST and the policy resource path).

Therefore, to cover both perspectives— the authoritative audit record and the underlying API activity —you should query AuditLogs and MicrosoftGraphActivityLogs for updates, and MicrosoftGraphActivityLogs for downloads executed through PowerShell.

In Microsoft Defender for Cloud (formerly Azure Security Center) , workflow automation allows you to automatically respond to security al erts and recommendations by triggering remediation actions.

When you create an Azure Policy to enforce automatic remediation based on Defender alerts or recommendations, the effect determines what the policy does when a resource is found noncompliant:

Depl oyIfNotExists is the correct effect to use for automatic remediation. This effect automatically deploys a remediation task (such as a Logic App or other automation) when a matching noncompliant resource is detected. It’s commonly used in Defender for Cloud to deploy missing security configurations or initiate an automated remediation workflow.

Append only adds metadata or parameters to resources—it does not enforce or deploy remediation actions.

EnforceRegoPolicy is used for container compliance with Gateke eper policies (Kubernetes), not for Defender workflows.

For the automation mechanism:

An Azure Logic Apps app with the trigger “When an Azure Security Center alert is created or triggered” is the correct choice. This Logic App acts as the workflow automati on engine that runs whenever a new alert is raised. It can perform actions such as isolating VMs, disabling users, or notifying SOC teams.

Using a trigger for “When a response to an Azure Security Center alert is triggered” would only activate after a manu al response, not automatically.

Automation runbooks with webhooks can be used for custom automation, but Defender workflow automation integrates natively with Logic Apps and not directly with runbooks.

? Final Answer:

Set available effects to: DeployIfNotExists

To perform remediation use: An Azure Logic Apps app that has the trigger set to When an Azure Security Center Alert is created or triggered

When querying the Microsoft 365 Unified Audit Log (via Graph API or PowerShell), results are paginated for performance. The property @odata.nextLink provides the URL for the next page of results. You must keep querying this link until it no longer appears to retrieve all entries.

@odata.deltaLink is used for incremental changes (next query after initial).

@odata.context describes the re sponse metadata.

@odata.count indicates record count only. Thus, to retrieve all paged results , use @odata.nextLink .

? Answer: A. @odata.nextLink

To minimize administrative effort in responding to incidents and remediating security threats in Microsoft Sentinel , you s hould use the platform’s built-in automation and orchestration capabilities — specifically Automation Rules and Playbooks .

Microsoft Sentinel Automation Rules (Option C):

Automation rules in Sentinel allow you to automate incident management tasks such as assigning owners, changing severity, tagging, or automatically running playbooks when an incident or alert is created.

They help standardize responses across similar alerts, significantly reducing manual intervention.

Microsoft documentation states:

“Autom ation rules simplify the management of playbook triggers and incident handling by allowing you to define actions that automatically occur when incidents are created or updated.”

Microsoft Sentinel Playbooks (Option D):

Playbooks are Logic App–based workflo ws that automate responses to security alerts or incidents.

They can perform remediation actions such as disabling compromised accounts, isolating infected devices, blocking IP addresses, or sending notifications to SOC teams.

You can link playbooks direct ly to analytics rules or call them through automation rules for end-to-end automation.

Incorrect Options:

A. Bookmarks are used for hunting investigations, not for automation or remediation.

B. Azure Automation runbooks can be used for specific administrative scripts but require more manual setup and integration — not the most efficient choice for Sentinel’s automated workflows.

E. Azure Functions apps are custom code execution environments; while powerful, they are not the primary tool for Senti nel’s automated response.

In Microsoft 365 Security and Compliance (now part of Microsoft Purview), Data Loss P revention (DLP) policies use Sensitive Information Types (SITs) to detect confidential data. These SITs rely on a combination of methods—primarily regular expressions (RegEx) , keyword dictionaries, and validation checks—to identify patterns such as credit card numbers, national IDs, or custom formats.

Since the scenario specifies that customer account numbers are 32-character alphanumeric strings (not a predefined sensitive type in Microsoft 365), the appropriate detection mechanism is to create a custom Se nsitive Information Type using RegEx pattern matching . Microsoft documentation explicitly states:

“You can create custom sensitive information types that use a regular expression to define your own pattern for detecting sensitive data.”

Using RegEx, you can define a pattern such as [A-Za-z0-9]{32} to match exactly 32 alphanumeric characters. SharePoint search (A) cannot perform sensitivity classification, hunting queries (B) are for threat detection, and Azure Information Protection (C) applies labels aft er data is classified. Therefore, RegEx pattern matching is the correct choice to detect sensitive documents in this case.

To cr eate a playbook in Microsoft Sentinel, you must first create an Azure Logic App .

Playbooks in Sentinel are built on top of Logic Apps —they define automated workflows that can be triggered by alerts or incidents. Once the Logic App exists, you can connect i t to Sentinel via an automation rule or directly from an analytic rule.

A (Azure Function trigger): Used for custom code execution, not for Sentinel automation.

C (Hunting query): Used for threat hunting, not automation.

D (Automation rule): Connects an alert to a playbook but can’t exist before a playbook (Logic App) is created.

? Answer: B. an Azure Logic App

To remediate active attacks automatically once alerts or incidents are detected, Microsoft Sentinel uses playbooks , which are workflows built on Azure Logic Apps . These playbooks can execute remediation actions—such as isolating a machine, blocking an account, or triggering other security control chang es—without manual intervention. Microsoft’s documentation clearly states that “playbooks in Microsoft Sentinel are based on workflows built in Azure Logic Apps” and that they can “automate and orchestrate your threat response by using playbooks … run a pla ybook on-demand or automatically in response to specific alerts or incidents.”

When an analytics rule in Sentinel triggers an alert or incident, you can attach an automation rule which in turn invokes a playbook (i.e. a Logic Apps workflow) to perform the remediation steps. The automation rule defines the trigger conditions and calls the playbook action as part of its response actions.

Let us evaluate other options:

Azure Automation runbooks (Option A) are powerful for scripting in Azure (e.g., PowerShell o r Python) and can perform remediation tasks, but they are not the native mechanism within Sentinel for orchestrated, alert-driven response workflows.

Azure Functions (Option C) are serverless compute for custom code, but you would have to build and integra te orchestration logic manually; they are not the out-of-box SOAR component in Sentinel.

Azure Sentinel livestreams (Option D) is not a recognized remediation automation component—it is irrelevant in this context.

Therefore, the correct solution to remedia te active attacks (triggering automated actions in response to alerts/incidents with minimal manual effort) is to use Azure Logic Apps (via Sentinel playbooks) as the orchestration engine. Logic Apps are the documented foundation of Sentinel’s automation r esponse capabilities.

? Internal threat: Modify the access policy settings for the key vault.

? External threat: Modify the Key Vault firewall s ettings.

For internal threats involving a potential compromise of Fabrikam’s own Azure AD applications, the most direct and least disruptive remediation is to modify the Key Vault access policies (or RBAC assignments, if RBAC for Key Vault data-plane is in use) to immediately remove or reduce the compromised service principal’s permissions (Get/List/Decrypt/Sign/Wrap). Microsoft guidance for Key Vault access emphasizes least privilege and promptly revoking credentials or app permissions when compromise i s suspected. Access policies (or data-plane RBAC) govern which identities can access secrets, keys, and certificates; adjusting these stops further data-plane actions by the compromised app. “Resource locks” protect against deletion or configuration change s at the management plane, but they do not remove a compromised identity’s ability to read or use vault objects, so they are not an appropriate first response for this scenario.

For external threats , Microsoft recommends hardening Key Vault firewall and networking : restrict public network access, allow only required IPs, use virtual network rules, and prefer private endpoints. Key Vault includes a built-in firewall for IP and VNet ACLs; tuning these controls reduces exposure to the public internet and blo cks unauthorized traffic. NSGs apply to IaaS subnets/nics and don’t directly secure the public Key Vault endpoint. Azure Firewall can add perimeter control, but it is not necessary for remediating a specific Key Vault Defender alert; the most effective and immediate remediation is tightening the Key Vault firewall settings to limit external access pathways.

To complete the KQL query against the BehaviorAnalytics t able, you need to know the exact column name (for example, the Boolean field that flags a new or first-time country for the sign-in). Microsoft’s standard method to discover table schemas and column names is the Logs (Log Analytics) query window . In this p ane, the left-hand Schema browser lists all connected tables and, when expanded, shows every column name and data type . Selecting a table (e.g., BehaviorAnalytics ) reveals its fields, and the editor provides IntelliSense/autocomplete for columns as you typ e your KQL, making it straightforward to complete a clause like | where < ColumnName > == true .

Security alerts in Azure Security Center (Defender for Cloud), the Azure Activity log, and Azure Advisor do not expose the per-table column schema needed to build KQL filters. Security Center surfaces alerts and recommendations; the Activity log records control-plane operations; and Advisor provides optimization guidance—none of these replace the Logs experience for exploring data schemas.

Therefore, to accurately identify and verify the column required in the where clause for failed sign-ins from a first-time country, you should use the Log Analytics workspace query window , consult the Schema pane for the BehaviorAnalytics table, and leverage the editor’s autocompl ete to insert the correct column name.

In Microsoft Defender for Cloud (formerly Azure Security Center), workflow automation is used to run Logic Apps in response to recommendations or alerts . Because your goal is to automatically remediate security risks (which are surfaced as recommendations —secure score items like missing configurations or hardening tasks), the Logic App should be wired to the Recommendation trigger. The workflow automation rule monitors recommendation events and calls your Logic App with the recommendation payload, enabling parameterized remediation. To test the Logic App from within Defender for Cloud, you use the Recommendations blade: open any applicable recommendation and choose the action to run the associated Logic App. This directly invokes LA1 with the correct context (affected resource, subscription, control ID), allowing you to validate inputs, connections, and remediation steps on demand. Options like Automation rules (alerts) or Workflow automation page “Run” aren’t suited for validating recommendation-driven remediation scenarios because they either act on alerts or don’t pass the full recommendation context needed for remediation. Therefore, select the Recommendation trigger and test execution from Recommendations .

Microsoft Sentinel playboo ks can be triggered by different types of events— alerts , incidents , or entities . Since the requirement specifies “incidents generated by rulequery1” and asks for automatic processing of those incidents, the correct approach is to use a playbook with an inc ident trigger .

According to Microsoft Sentinel automation documentation:

“When you want automation to start after an incident is created or updated, use the incident trigger . This allows you to automate workflows such as closing incidents, adding comments, or sending notifications.”

This trigger type works with automation rules that specify when and how to execute playbooks based on incident state or severity. Using a playbook with an incident trigger meets the need for post-incident automation (e.g., auto- closing incidents if they match certain conditions).

? Answer for Question 8: A. a playbook with an incident trigger

? Table: DeviceFileEvents

? Aggregation function: count()

In Microsoft Defender XDR advanced hunting, data tables such as DeviceFileEvents , DeviceProcessEvents , and CloudAppEvents are used to investigate various types of activities. Since this query aims to investigate an issue related to file activity—specifically identifying when files have been accessed, modified, or created repeatedly—the correct data source table is DeviceFileEvents . This table contains information about file-level activities recorded by Defender for Endpoint sensors, including file path, file name, action type, and user account involved.

The KQL structure shown in the image follows standard hunting query syntax:

DeviceFileEvents

| where Timestamp > ago(2d)

| summarize activityCount = count() by FolderPath, FileName, ActionType, AccountDisplayName

| where activityCount > 5

Here’s why:

The where Timestamp > ago(2d) clause filters results from the last 2 days, a typi cal timeframe for immediate investigations.

The summarize operator groups events by FolderPath, FileName, ActionType, and AccountDisplayName, then uses count() to determine how many times each file was acted upon.

Finally, where activityCount > 5 filters t o show only unusually high-frequency activity, which might indicate suspicious or automated file manipulation.

Microsoft Defender XDR documentation highlights that DeviceFileEvents is the correct schema for file activity investigations, while DeviceProcess Events focuses on process creation and execution, and CloudAppEvents targets cloud application usage.

Thus, the verified and documented correct completions are:

Table: DeviceFileEvents

Aggregation function: count()

In Microsoft Sentinel, Hunting queries are used to proactively search for threats and anomalies across collected security data. The requirement states that HuntingQuery1 must run auto matically when the Hunting page of Microsoft Sentinel is accessed. According to Microsoft’s official Sentinel documentation, this behavior is achieved by adding the hunting query to “Favorites.”

When a query is marked as a favorite in the Sentinel Hunting blade, Sentinel automatically runs it every time the Hunting page is opened. This provides updated results without the need for manual execution, ensuring analysts always see the most current data for that query. This configuration also adheres to the orga nization’s requirement to minimize administrative effort , since it eliminates the need for scheduling, automation, or manual refresh actions.

Other options do not meet this functional requirement:

A. Add to a livestream is used to monitor near-real-time da ta streams, not to auto-run queries upon accessing the Hunting page.

B. Create a watchlist is used for referencing static external data sets (like IPs, users, or devices) inside KQL queries, not for automating hunting query execution.

C. Create an automati on rule applies to incident management workflows, not hunting query execution.

Therefore, as per Microsoft Sentinel’s hunting documentation and best practices, the correct and verified answer is:

D. Add HuntingQuery1 to favorites .

The requirement is to enable Microsoft Defender for Servers Plan 2 on all Azure VMs while excluding Server2 from agentless scanning . Defender for Cloud provides a built-in mechanism to exclude specific machines from agentless scanning based on resource tags . The process is: assign a distinct tag name:value to the VM you want to exclude (Server2), and then, in Defender for Cloud’s Agentless scanning for machines settings, specify that tag pair under exclusions . Defender’s continuous discovery honors these exclusions and skips any VM that matches the configured tag. This approach aligns with the business requirement of least privilege and minimal administrative effort : it avoids broad configuration changes, requires no extensions on the VM, and is reversible by simply removing or changing the tag. The Microsoft Antimalware extension and Automanage configuration are unrelated to agentless scanning behavior, and a resource lock would only prevent modifications/deletions, not scanning. Therefore, to meet the Defender for Cloud requirement precisely, configure an Azure resource tag on Server2 and reference that tag in the agentless scanning exclusion settings.

To have a Microsoft Sentinel workbook pull live data from an external web service, you use the workbook’s built-in JSON data source. Workbooks can query REST endpoints that return JSON and render results dynamically in visuals. Because the Azure portal (where the workbook runs) is a different origin than your on-prem/public Webapp1 , browsers will block these cross-origin requests unless the endpoint explicitly allows them. Therefore, the external service must enable CORS to permit the portal’s origin to fetch the JSON. This aligns with Microsoft guidance that Workbooks can query HTTP/HTTPS JSON endpoints and that external endpoints must allow cross-origin requests for client-side calls from the Azure portal. Enforcing CORS on Webapp1 satisfies the security model while enabling the workbook to retrieve data at view time—meeting the requirement to “dynamically retrieve data from Webapp1.” Options like “custom endpoint” or “custom resource provider” aren’t needed here, and enabling SOP or only enforcing TLS 1.2 wouldn’t address the browser’s cross-origin policy blocking the call.

To monitor Windows Security events from Server1 using the Windows Security Events via AMA connector, the first object you must create is a Data Collection Rule (DCR) . With the Azure Monitor Agent (AMA) model used by Microsoft Sentinel, data flow is controlled by DCRs, not by the legacy MMA/OMS workspace settings. A DCR defines what to collect (e.g., the Security event log, specific event IDs or XPath queries), from where (the target machines or machine groups), and where to send it (the Sentinel/Log Analytics workspace). After creating the DCR, you associate it with Server1 (Arc-enabled), and the connector will begin streaming Security events to your Sentinel workspace. Creating a Sentinel sch eduled rule or an automation rule does not enable collection; those features act after data is already ingested. Event Grid topics are unrelated to Windows event collection. Therefore, the correct first step for meeting the Sentinel requirement to monitor Server1’s Security log via AMA is to create a DCR , then assign it to Server1 and the Sentinel workspace.

The case s tudy requires:

“Ensure that the Group1 members can create and edit playbooks.”

In Microsoft Sentinel, the ability to create, edit, and assign playbooks is granted by the Microsoft Sentinel Automation Contributor role.

This role allows users to:

Create and manage automation rules,

Create and edit playbooks (Logic Apps) in the connected subscription,

Associate playbooks with Sentinel incidents or alerts.

By contrast:

Logic App Contributor allows Logic App creation but doesn’t include Sentinel-level integration permissions.

Automation Operator can run playbooks but not edit or create them.

Sentinel Playbook Operator can execute playbooks but cannot modify or assign them.

? Answer for Question 11: A. Microsoft Sentinel Automation Contributor

For a near-real-time (NRT) analytics rule that detects sign-ins by a designated break-glass account, the most direct and performant pattern is to filter SigninLogs by joining to a Microsoft Sentinel watchlist that contains the protected account(s). Sentinel exposes watchlists to KQL through the helper function _GetWatc hlist( ' < watchlist-name > ' ) , which returns a table with standard columns (including SearchKey ) plus any custom columns you imported. Using join kind=inner ensures the result set includes only those SigninLogs rows whose UserPrincipalName matches an entry in the watchlist—ideal for alerting on a high-value account without post-filtering.

The completed query is:

SigninLogs | join kind=inner (_GetWatchlist( ' breakglass_account ' )) on $left.UserPrincipalName == $right.SearchKey

This approach satisfies the requireme nt to implement an NRT rule for the break-glass account because:

NRT rules support KQL with joins and watchlists and are optimized for rapid evaluation over fresh data.

Using a watchlist lets SecOps adjust monitored accounts without editing the rule—minimi zing administrative effort and aligning with least-privilege operations (no extra permissions beyond watchlist management).

The inner join pattern reduces noise by returning only matched events, which are then turned into alerts/incidents by the NRT rule.

Thus, select join and GetWatchlist , and join UserPrincipalName to the watchlist’s SearchKey .

The Defender for Cloud requirement states:

“The members of Group1 must be able to enable Defender for Cloud plans and apply regulatory compliance initiatives.”

According t o Microsoft Defender for Cloud’s RBAC documentation, the Security Assessment Contributor role provides permissions to:

Enable and configure Defender plans,

Manage security policies and initiatives,

View and edit recommendations and compliance results.

This role gives enough permissions to perform Defender configuration tasks but follows the principle of least privilege , unlike broader roles like Owner or Contributor, which grant excessive rights.

? Answer for Question 9: C. Security Assessment Contributor

The Sentinel requirement states:

“Ensure that multiple alerts generated by rulequery1 in response to a single user launching Azure Cloud Shell multiple times are consolidated as a single incident.”

This behavior is controlled by the event grouping setting in the analytics rule configurati on.

Microsoft Sentinel documentation explains:

“Event grouping determines how alerts generated from the same rule are grouped into incidents. Selecting ‘Group all alerts triggered by this rule into a single incident’ allows all related alerts to be combine d.”

Hence, configuring event grouping ensures that all alerts from rulequery1 related to the same user are consolidated into one incident, satisfying the requirement.

? Answer for Question 10: C. event grouping

To monitor and detect higher-than-normal volumes of password resets, you need to gather password reset event data both from Azure Active Directory (cloud identities) and from on-premises Active Directory (domain accounts) . Microsoft’s official Defender XDR and Sentinel integrat ion guidance describes that:

Azure AD Password Protection enforces and monitors password policies in both cloud and hybrid environments. It can detect weak, commonly used, or compromised passwords and logs related password change/reset activities. Deployin g Azure AD Password Protection extends password reset visibility to on-premises domain controllers through the Password Protection proxy and DC agent. This makes it the correct choice for implementing monitoring at the identity environment level.

In Microsoft Sentinel , to ingest and analyze password reset activities from on-premises servers (e.g., domain controllers), you must use the Windows Security Events via AMA connector . This connector collects Event ID 4723 (password change) , 4724 (password res et) , and related security logs directly from Windows Servers into the Sentinel Log Analytics workspace through the Azure Monitor Agent (AMA) . Once the events are available in Sentinel, they can be correlated with other identity or behavioral analytics to d etect abnormal reset volumes or potential compromise attempts.

The other options are not suitable:

Microsoft Defender for Identity focuses on identity compromise detection, not specifically on password reset volume monitoring.

Smart lockout protects agains t brute-force sign-in attempts but doesn’t generate detailed reset event telemetry.

Microsoft security rule and UEBA are higher-level analytic configurations, not data ingestion mechanisms.

Therefore, to meet the Sentinel requirements for monitoring passwo rd reset anomalies:

? Implement in the identity environment: Azure AD Password Protection

? Configure in Microsoft Sentinel: The Windows Security Events via AMA connector

In Microsoft Sentinel’s Advanced Security Information Model (ASI M) , DNS queries are normalized through the Im_Dns parser, which unifies DNS telemetry from multiple sources (Infoblox, Windows DNS, Azure Firewall DNS proxy, etc.). Microsoft guidance states that when you need broad compatibility and want to “use built-in ASIM parsers whenever possible,” you should call the generic Im_Dns() parser . To minimize overhead , ASIM provides a pack parameter that restricts the parser to a specific content pack (vendor/source) so it won’t iterate through all available source parsers under the hood. For Infoblox NIOS, you pass the Infoblox pack via the pack parameter, which limits parsing to the Infoblox implementation and reduces query cost/latency while keeping the query portable across environments.

Putting it together, the recomme nded pattern is:

Im_Dns(pack= " InfobloxNIOS " )

| where DnsResponseCodeName == " NXDOMAIN "

| summarize count()

This approach satisfies all requirements:

Uses built-in ASIM (Im_Dns).

Minimizes query overhead (uses pack to limit parsing to Infoblox).

Targets NXD OMAIN responses for counting DNS request failures from Infoblox1 .

The test analytics rule must generate alerts for inbound Office 365 access by several test users and group those alerts into separate incidents—one per user . In Azure Sentinel, incident grouping by entity depends on the rule’s Entity mapping . When you create a scheduled analytics rule, under Set rule logic you map columns from your query to entities like Account , IP , or Host . Once mapped, you can configure Event grouping so alerts with the same entity value (e.g., the same Account ) are automatically grouped into a single incident. Turning suppression on/off or changing severity/tactics doesn’t influence entity-based incident grouping. Therefore, to ensure “one incident per test user account,” you must map the Acco unt entity (and any other relevant entities) in Set rule logic , then enable grouping by that entity—fulfilling the Sentinel requirement.QUESTION NO: 3 HOTSPOT

You need to create the analytics rule to meet the Azure Sentinel requirements.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer: < map > < m x1= " 300 " x2= " 402 " y1= " 181 " y2= " 204 " ss= " 0 " a= " 0 " / > < m x1= " 294 " x2= " 386 " y1= " 295 " y2= " 321 " ss= " 0 " a= " 0 " / > < /map >

Acc ording to Microsoft Security Operations (SecOps) and Azure Sentinel documentation, when you need to create an analytics rule that executes a custom KQL query and automatically initiates a playbook , the correct configuration is to create a Scheduled rule an d ensure the playbook includes a trigger .

Here’s why:

A Scheduled analytics rule in Microsoft Sentinel (Microsoft Defender XDR portal) is designed for running custom KQL queries at defined intervals (for example, every hour or every few minutes) to detect specific patterns of suspicious activity. When the rule’s conditions are met, Sentinel generates alerts that can automatically trigger a playbook for response and automation.

A playbook in Sentinel is an Azure Logic App that automates responses to incident s or alerts. To connect a playbook to an analytics rule, it must include a trigger —specifically, the “Microsoft Sentinel Alert” or “Incident trigger.” This allows the rule to start the playbook automatically when the defined condition is met.

The other opt ions are incorrect because:

Fusion rules are built-in and use Microsoft’s machine learning to correlate signals automatically; they can’t be used for custom queries.

Microsoft incident creation rules are also built-in and handle alert-to-incident grouping logic, not custom query execution.

A service principal would be needed for permissions (e.g., admin1 configuring playbooks), but not inside the playbook itself.

Diagnostics settings apply to log collection and retention, not rule automation.

Therefore, bas ed on Microsoft Sentinel best practices and documentation:

? Create the rule of type: Scheduled

? Configure the playbook to include: A trigger

To show labeled files from Windows 10 endpoints in the Azure Information Protection – Data discovery dashboard , you must first enable the built-in integration between Microsoft Defender for Endpoint and Azure Information Protection (AIP) . This is turned on in the Microsoft Defender Securit y Center under Settings ? Advanced features . When enabled, Defender for Endpoint inventories sensitivity labels seen on files across managed Windows devices and streams that telemetry to the AIP Data discovery experience, providing visibility into where la beled data resides on endpoints. Scanner clusters and content scan jobs in AIP are intended for on-premises repositories (file shares/SharePoint servers), not for endpoint discovery. Device health/compliance reports do not surface or forward label inventor y to AIP. Therefore, the first configuration step is enabling the AIP integration advanced feature in Defender for Endpoint so labeled files on Windows clients appear in the AIP Data discovery dashboard.

Azure Sentinel “playbooks” are Azure Logic Apps . Granting the minimal permissions to configure (create/edit) playbooks requires the Logic App Contributor role on the resource group where the playbooks reside. This satisfies the business requirement to use least privilege and specifically enables admin1 to design, modify, and manage Logic Apps that Sentinel automation rules or analytics rules will invoke. Roles like Automation Operator or Automation Runbook Operator apply to Azure Automation , not Logic Apps, and therefore don’t allow creating or editing Sentinel playbooks. Azure Sentinel Contributor allows managing Sentinel resources (incidents, analytics rules, workbooks) but, by itself, does not grant permissions to author Logic Apps. Assigning Logic App Contributor provides precisely what is needed to configure Sentinel playbooks without unnecessary broader permissions.

To restrict cloud apps running on CLIENT1 (a Window s 10 endpoint) in compliance with Microsoft Defender for Endpoint (MDE) requirements, you must integrate Microsoft Defender for Endpoint with Microsoft Defender for Cloud Apps (formerly Cloud App Security) using Cloud Discovery . This integration enables th e blocking of unsanctioned cloud apps through the endpoint’s network protection capabilities.

According to Microsoft Defender for Cloud Apps documentation , Cloud Discovery uses traffic data from Defender for Endpoint to identify and manage the use of shado w IT. The relevant steps include:

1? ? Enable advanced features in Microsoft Defender for Endpoint (M365 Defender portal ? Settings ? Endpoints ? Advanced features).

You must enable the following advanced features:

Microsoft Defender for Cloud Apps integrat ion

Network protection (in block mode)

Custom network indicators (if applicable) These options allow Defender for Endpoint to share telemetry and enforce app restrictions received from Defender for Cloud Apps.

2? ? Configure Cloud Discovery settings in Micr osoft Defender for Cloud Apps.

In the Defender for Cloud Apps portal, Cloud Discovery must be configured to receive continuous reports from Defender for Endpoint devices. Within these settings, you define sanctioned and unsanctioned applications. Once an a pp is marked as unsanctioned , Defender for Endpoint enforces blocking on all onboarded devices (like CLIENT1).

This two-part configuration ensures that MDE enforces the blocking of unsanctioned cloud applications discovered through Cloud App Security telem etry, fulfilling the business requirement that “All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by using Microsoft Defender for Endpoint.”

The problem described in the case study states that “Cloud App Security frequently generates false positive alerts when users connect to both offices simultaneously.” This behavior is commonly associated with the “Impossible travel” anomaly detection policy in Microsoft Defender for Cloud Apps .

According to Microsoft documentation, the “Impossible travel” policy detects when a user signs in from two locations that are geographically dis tant within an unrealistic timeframe. However, in multi-office environments (such as Boston and Seattle) or when VPN connections are used, this policy can frequently trigger false positives , since it may misinterpret legitimate connections as anomalous.

Mi crosoft recommends adjusting the impossible travel detection policy to account for trusted IP ranges, known locations, or VPN endpoints to reduce false alerts. Specifically, administrators can modify the policy’s sensitivity, include the organization’s off ice IP addresses as trusted, and exclude known network ranges.

This approach directly aligns with the case study’s scenario and satisfies the Defender for Cloud Apps requirement to reduce false positives while maintaining user anomaly detection accuracy.

? Final Answer for Question 3: D. Impossible travel

According to Microsoft Defender for Cloud (formerly Azure Security Center) documentation, when integrating servers and virtual machines for security monitoring, the Defender for Cloud data is stored and analyzed in a Log Analytics workspace . Microsoft best practices recommend using an existing workspace when one is already deployed for centralized log collection—especially if it already gathers telemetry from Azure and on-premises resources.

In this case, the existing workspace LA1 already “contains logs and metrics collected from all Azure resources and on-premises servers.” This satisfies the business requirement of “all servers must send logs to the same Log Analytics workspace.” Creating a new workspace would violate the cost-min imization and centralization requirements. Therefore, LA1 is the correct workspace to use.

For the Windows security events collection setting, Defender for Cloud offers three levels:

Minimal – collects essential security events only (insufficient for compr ehensive monitoring).

Common – collects a balanced set of security-related events (such as account logon, privilege use, and object access), recommended by Microsoft for most environments.

All Events – collects every possible security event, which increase s data ingestion cost and is typically used only for high-security or regulated environments.

Because Litware Inc. must minimize cost while ensuring a full audit trail of user activities , the Common level provides the optimal balance of visibility and cost efficiency.

Therefore, based on Microsoft Defender for Cloud configuration guidelines:

? Log Analytics workspace to use: LA1

? Windows security events to collect: Common

To integrate Microsoft Defender for Cloud Apps (MCAS) with Microsoft Sentinel , Microsoft’s official SecOps and Sentinel documentation specifies a two-step configuration process.

In the Defender for Cloud Apps portal – You add a security extension to enable integration with external SIEM platforms. This action allows MCAS to forward its alerts, activities, and discovered app telemetry to other Microsoft or third-party security platforms. By adding the security extension , Defende r for Cloud Apps is authorized to send data streams and alerts to Microsoft Sentinel through a supported API connection.

In Microsoft Sentinel (Azure portal) – You then add a data connector . Data connectors in Sentinel are predefined integration pipelines that bring in telemetry from Microsoft or external security solutions. The Microsoft Defender for Cloud Apps connector specifically ingests MCAS alerts and audit logs into Sentinel, where they can be correlated with other Microsoft Defender XDR signals, en abling unified detection and investigation across identity, endpoint, and cloud layers.

This integration approach adheres to Microsoft’s principle of minimizing administrative effort by using native connectors rather than custom ingestion or log collector configurations. Once connected, Sentinel automatically normalizes MCAS alerts into its SecurityAlert and CloudAppEvents tables for rule creation, playbook automation, and incident correlation.

Therefore, the verified correct configuration is:

Defender for Cloud Apps: Add a security extension

Sentinel: Add a data connector

To block unsanctioned cloud apps on Windows 10 endpoints with Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps (formerly Cl oud App Security), you must enable and configure the product integration on both sides. First, in Microsoft Defender Security Center ? Settings ? Advanced features , turn on the Microsoft Defender for Cloud Apps integration (and ensure network protection pr erequisites are met). This allows Defender for Endpoint to receive the unsanctioned app list and enforce endpoint-based blocking when users on CLIENT1 attempt to access those apps via the browser or client.

Second, in Defender for Cloud Apps ? Settings ? C loud Discovery , configure the Microsoft Defender for Endpoint integration and enable Block unsanctioned apps . In Cloud Discovery, apps are discovered, assessed, and can be tagged as Unsanctioned . Once the MDE integration is enabled, that tag is exported to endpoints, which then enforce blocking based on the tenant’s app catalog and policies.

Options A (Onboarding settings) are for enrolling devices and do not control app blocking behavior. B (Anomaly detection policies) govern behavioral detections (e.g., i mpossible travel, anonymous IP) and are unrelated to endpoint enforcement of app access. Therefore, the two configurations you must modify to meet the requirement “block unsanctioned apps on Windows 10 computers by using Microsoft Defender for Endpoint” ar e C. Advanced features in Microsoft Defender Security Center and D. Cloud Discovery settings in Cloud App Security .

To attach notes that you can later see during investigations and hunting, you use Bookmarks in Microsoft Sentinel. Bookmarks are created from the Hunting (or Logs) experience inside the Sentinel workspace and let you pin a specific query result (including IPs, accounts, hosts) with notes, tags, and mappe d entities so it appears in the investigation graph and is easily referenceable. The correct workflow is: first, run your KQL query from the Microsoft Sentinel workspace (not from generic Azure Monitor), because Sentinel’s hunting experience is where bookmarks integrate with incidents and the investigation graph. Next, select a specific query result that represents the suspicious activity (e.g., a data access event from the target IP). Finally, create a Bookmark and map the relevant entity (IP address, Account, etc.) while adding your notes . Mapping the entity ensures the bookmarked event is connected in the investigation graph; the notes provide the narrative/context you need when pivoting later. Adding the query to favorites is optional for convenience but does not attach notes to a specific event, and running the query from Azure Monitor would not place the bookmark within Sentinel’s investigation context.

To integrate Microsoft Defender for Cloud Apps (MCAS) with Microsoft Sentinel , Microsoft’s official SecOps and Sentinel documentation specifies a two-step configuration process.

In the Defender for Cloud Apps portal – You add a security extension to enable integration with external SIEM platforms. This action allows MCAS to forward its alerts, activities, and discovered app telemetry to other Microsoft or third-party security platforms. By adding the secu rity extension , Defender for Cloud Apps is authorized to send data streams and alerts to Microsoft Sentinel through a supported API connection.

In Microsoft Sentinel (Azure portal) – You then add a data connector . Data connectors in Sentinel are predefined integration pipelines that bring in telemetry from Microsoft or external security solutions. The Microsoft Defender for Cloud Apps connector specifically ingests MCAS alerts and audit logs into Sentinel, where they can be correlated with other Microsoft D efender XDR signals, enabling unified detection and investigation across identity, endpoint, and cloud layers.

This integration approach adheres to Microsoft’s principle of minimizing administrative effort by using native connectors rather than custom inge stion or log collector configurations. Once connected, Sentinel automatically normalizes MCAS alerts into its SecurityAlert and CloudAppEvents tables for rule creation, playbook automation, and incident correlation.

Therefore, the verified correct configur ation is:

Defender for Cloud Apps: Add a security extension

Sentinel: Add a data connector

In Microsoft Sentinel, entity ma pping is a critical configuration that ensures detected events and alerts are correctly represented in the investigation graph , incidents , and hunting experiences . The Sentinel requirements in the case study specify:

“Add notes to events that represent dat a access from a specific IP address to provide the ability to reference the IP address when navigating through an investigation graph while hunting.”

To meet this requirement, the analytic rule must be configured to map entities such as IP address, user, h ostname, or URL in the Set rule logic section. This mapping allows the incident and its related alerts to visually associate with those entities, enabling analysts to pivot and investigate in the Sentinel investigation graph.

According to Microsoft Sentine l documentation:

“Entity mapping in analytic rules helps correlate alerts and incidents to specific entities such as accounts, IPs, or hosts, enabling richer investigation experiences and faster triage.”

Therefore, configuring entity mapping directly under Set rule logic ensures that incidents are enriched with contextual information (for example, the specific IP address), meeting both the functional and investigative requirements.

? Final Answer for Question 2: C. From Set rule logic, map the entities.

The requirement states that Cloud App Security (Defender for Cloud Apps) must determine whether a user’s connection is anomalous based on tenant-level patterns , and the current false positives occur when users connect through two office egress points at the same time. These symptoms align with the Impossible travel anomaly detection policy, which learns normal sign-in geolocation patterns and flags sign-ins from distant locations within an unrealistically short time window. To meet the requirement and reduce false positives, you modif y the Impossible travel policy settings—such as excluding trusted corporate IP ranges/VPN egress points and tuning sensitivity—so detections better reflect tenant-wide behavior rather than isolated user hops via different office exits. Policies like Activi ty from anonymous/suspicious IP addresses rely on threat-intel lists of anonymizers or known-bad sources and don’t address the “two-office” scenario. Risky sign-in is part of Azure AD Identity Protection, not the MCAS anomaly policy to tune here. Thus, the policy to modify is Impossible travel .

According to Micros oft’s official Defender for Identity deployment documentation, setting up Microsoft Defender for Identity (MDI) on an on-premises domain controller (DC) such as DC1 requires a specific sequence of steps. MDI monitors and protects Active Directory from adva nced threats by using sensors installed directly on domain controllers.

The correct sequence is as follows:

1? ? Provide global administrator credentials to the Azure AD tenant.

Microsoft Defender for Identity is created and managed in the Microsoft 365 Def ender portal or Microsoft Security portal, which requires global administrator permissions to provision the MDI instance and connect it to the Azure AD tenant.

2? ? Create an instance of Microsoft Defender for Identity.

You must create an MDI instance in th e portal before deploying any sensors. This instance defines your Defender for Identity workspace and generates the configuration package that sensors will later use to connect to the cloud service.

3? ? Provide domain administrator credentials to the on-pr emises Active Directory domain.

Domain admin credentials are required for the sensor installation because the sensor must access the domain controller’s security logs, event logs, and directory services to monitor authentication traffic and suspicious acti vities.

4? ? Install the sensor on DC1.

Since DC1 is a domain controller connected directly to the internet, the standard sensor (not the standalone sensor) is installed directly on it. The standalone sensor is used only when you do not want to install the sensor directly on a DC. The sensor automatically connects to the created MDI instance and begins collecting telemetry for detection.

This sequence aligns with Microsoft Defender for Identity deployment guidance, ensuring secure onboarding of DC1 while mai ntaining the principle of least privilege and meeting the business requirement to protect all domain controllers.

? Final Order:

Provide global administrator credentials ?

Create instance of Microsoft Defender for Identity ?

Provide domain administrator credentials ?

Install the sensor on DC1.

? Log Analytics workspace to use: LA1

? Windo ws security events to collect: All Events

To meet the Azure Defender (Microsoft Defender for Cloud) requirement that all servers send logs to the same Log Analytics workspace , you should select the existing workspace LA1 . Defender for Cloud best practic es recommend centralizing data in a single workspace for unified analytics, incident correlation, and cost control. Using the “Default workspace created by Azure Security Center” or creating a new workspace would fragment telemetry, complicate management, and contradict the stated requirement and the business goal to minimize costs (multiple workspaces can increase ingestion/retention overhead and complicate RBAC and automation).

For Windows hosts, Defender for Cloud’s Data collection setting controls the l evel of Windows Security Events collected: Minimal , Common , or All Events . The business requirement calls for logs that provide a full audit trail of user activities . In Microsoft guidance, All Events is the level intended for comprehensive auditing (inclu ding logon/logoff, account changes, privilege use, process creation, object access, and other advanced categories). Therefore, to satisfy the “full audit trail” requirement and ensure complete visibility for investigations and Sentinel analytics, choose Al l Events .

In summary: centralize on LA1 (single workspace) and collect All Events to achieve both operational and compliance objectives with Defender for Cloud and Sentinel.