Pass the Microsoft Microsoft Certified: Security Operations Analyst Associate SC-200 Questions and answers with CertsForce

To block unsanctioned cloud apps on Windows 10 endpoints with Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps (formerly Cl oud App Security), you must enable and configure the product integration on both sides. First, in Microsoft Defender Security Center → Settings → Advanced features , turn on the Microsoft Defender for Cloud Apps integration (and ensure network protection pr erequisites are met). This allows Defender for Endpoint to receive the unsanctioned app list and enforce endpoint-based blocking when users on CLIENT1 attempt to access those apps via the browser or client.

Second, in Defender for Cloud Apps → Settings → C loud Discovery , configure the Microsoft Defender for Endpoint integration and enable Block unsanctioned apps . In Cloud Discovery, apps are discovered, assessed, and can be tagged as Unsanctioned . Once the MDE integration is enabled, that tag is exported to endpoints, which then enforce blocking based on the tenant’s app catalog and policies.

Options A (Onboarding settings) are for enrolling devices and do not control app blocking behavior. B (Anomaly detection policies) govern behavioral detections (e.g., i mpossible travel, anonymous IP) and are unrelated to endpoint enforcement of app access. Therefore, the two configurations you must modify to meet the requirement “block unsanctioned apps on Windows 10 computers by using Microsoft Defender for Endpoint” ar e C. Advanced features in Microsoft Defender Security Center and D. Cloud Discovery settings in Cloud App Security .

In Microsoft Defender for Endpoint (MDE) , a live response session allows security analysts to remotely connect to onboarded devices and run investigation commands. One of the key commands available is the ability to collect an investigation package , which includes forensic artifacts such as event logs, registry hives, running processes, network connections, and more.

According to Microsoft’s official Defender for Endpoint documentation:

“Advanced live response capabilities, incl uding running scripts and collecting investigation packages, are supported on Windows and Linux devices. macOS devices support basic live response commands only.”

This means that while Windows (Device1 and Device2) and Linux (Device3) devices fully support advanced live response capabilities (including collect investigation_package ), macOS (Device4) devices currently support only a limited subset of commands—basic file and directory operations, without the ability to collect investigation packages.

Therefor e:

Device1 (Windows) → Supported

Device2 (Windows) → Supported

Device3 (Linux) → Supported

Device4 (macOS) → Not supported

✅ Final Answer: B. Device1, Device2, and Device3 only

To ingest custom logs from on-premises servers into Microsoft Sentinel , the logs must first be collected through the L og Analytics workspace that Sentinel is built on. According to Microsoft Sentinel and Azure Monitor documentation, the required steps are:

Install the Log Analytics agent (MMA/OMS agent) on each on-premises Windows Server that will send logs.

This agent securely forwards Windows event logs, performance data, and custom log files to the Log Analytics workspace in Azure Monitor.

Although Azure Monitor Agent (AMA) is the newer option, custom log collection is still supported primarily via the Log Analytics a gent until full parity is achieved.

The Microsoft Dependency agent is used only for service map and dependency data, not for log ingestion.

The Azure Connected Machine agent (for Azure Arc) can onboard machines for management but does not directly handle c ustom log configuration for Sentinel.

Configure custom log ingestion by defining custom log collection rules in the Log Analytics workspace settings .

In Sentinel, navigate to the underlying workspace → Advanced settings → Data → Custom Logs to define the log format, file path, and collection parameters.

The custom log configuration is always managed at the workspace level , since Sentinel queries data from the connected workspace’s tables.

Other options, like the Data connectors page or Logs blade of Sentin el, are used for connecting integrated services or for querying data, not for defining custom ingestion sources.

Therefore, based on official Microsoft Defender XDR and Sentinel integration guidance, the correct configuration steps are:

✅ On the servers, i nstall the: Log Analytics agent

✅ Configure custom log settings by using the: Log Analytics workspace settings of Microsoft Sentinel

 Table: DeviceFileEvents

 Aggregation function: count()

In Microsoft Defender XDR advanced hunting, data tables such as DeviceFileEvents , DeviceProcessEvents , and CloudAppEvents are used to investigate various types of activities. Since this query aims to investigate an issue related to file activity—specifically identifying when files have been accessed, modified, or created repeatedly—the correct data source table is DeviceFileEvents . This table contains information about file-level activities recorded by Defender for Endpoint sensors, including file path, file name, action type, and user account involved.

The KQL structure shown in the image follows standard hunting query syntax:

DeviceFileEvents

| where Timestamp > ago(2d)

| summarize activityCount = count() by FolderPath, FileName, ActionType, AccountDisplayName

| where activityCount > 5

Here’s why:

The where Timestamp > ago(2d) clause filters results from the last 2 days, a typi cal timeframe for immediate investigations.

The summarize operator groups events by FolderPath, FileName, ActionType, and AccountDisplayName, then uses count() to determine how many times each file was acted upon.

Finally, where activityCount > 5 filters t o show only unusually high-frequency activity, which might indicate suspicious or automated file manipulation.

Microsoft Defender XDR documentation highlights that DeviceFileEvents is the correct schema for file activity investigations, while DeviceProcess Events focuses on process creation and execution, and CloudAppEvents targets cloud application usage.

Thus, the verified and documented correct completions are:

Table: DeviceFileEvents

Aggregation function: count()

In Microsoft 365 Defender , the Collect investigation package action allows a security analyst to remotely gather forensic evidence (logs, running processes, network info, registry data, etc.) from a device for deeper analysis.

This capability is supported on both Wind ows and Linux devices onboarded to Microsoft Defender for Endpoint.

The other options serve different purposes:

Run antivirus scan: triggers a malware scan, not evidence collection.

Initiate Automated Investigation: starts automated threat response but not direct evidence collection.

Initiate Live Response Session: opens an interactive session, but the question specifically asks for package collection via the portal.

✅ Correct Answer: C. Collect investigation package

Explanation (concise ): In Azure Security Center / Microsoft Defender for Cloud , the correct workflow to see recommendations for resolving a specific alert is: open Security alerts , select the alert, choose Take action , and expand Mitigate the threat to view remediation guidance. This meets the stated goal.

To enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel and collect Active Directory Domain Services (AD DS) security events, the integration relies on Microsoft Defender for Identity (MDI) . Defender for Identity monitors on-premises domain controllers and provides deep identity-based telemetry that Sentinel consumes for behavioral analytics and threat detection.

Here’s the correct sequence explained step-by-step:

Deploy Microsoft Defender for Identity on the AD DS domain

Defender for Identity sensors must be installed on each domain controller (or dedicated server) in your on-premises AD DS environment.

This step enables continuous monitoring of AD activities like logons, Kerberos authentications, and LDAP queries.

Microsoft documentation states:

“To collect and analyze AD DS activities for UEBA, deploy Microsoft Defender for Identity sensors in your domain controllers.”

Configure the Microsoft Defender for Identity connector in Microsoft Sentinel

In the Sentinel workspace (Sentinel1), go to Data connectors → Microsoft Defender for Identity → Connect .

This connector ingests identity-related alerts and telemetry from Defender for Identity into Sentinel’s Log Analytics workspace.

It allows Sentinel to correlate identity-based security data with other sources for threat detection and investigation.

Enable UEBA in Microsoft Sentinel

After integrating MDI, enable UEBA in Sentinel’s configuration settings.

UEBA uses identit y data (from MDI and Azure AD) and other logs to build behavioral baselines and detect anomalies such as lateral movement or privilege escalation.

Microsoft documentation notes:

“To start analyzing user and entity behaviors, enable UEBA after connecting id entity data sources such as Defender for Identity.”

Other actions listed (such as using legacy connectors or Windows Event Forwarding) are outdated or unnecessary when using MDI and Sentinel’s built-in connectors.

Roles in Microsoft Sentinel are designed for least privilege. The Azure Sentinel Responder role allows analysts to view, assign, update, and dismiss incidents , change status/severity, and add comments—exactly the actions a Tier-1/Tier-2 analyst needs for day-to-day triage. Azure Sentinel Reader is view-only and cannot change incident state. Azure Sentinel Contributor is broader than needed (it includes creating/editing analytics rules and other configuration). Logic App Contributor pertains to playbook authoring, not incident handling. Therefore, to let a new analyst assign and dismiss incidents while honoring least privilege, assign Azure Sentinel Responder .

Comprehensive and Detailed Explanation with all Microsoft Security Operations (SecOps) documents : =

To monitor Linux virtual machines in AWS using Azure Defender (Microsoft Defender for Cloud) , you must onboard those VMs into Azure’s management plane. The recommended and supported approach is via Azure Arc .

Azure Arc enables Azure Defender to extend its security monitoring and policies to non-A zure machines (including AWS and on-premises). Once onboarded through Azure Arc, the Log Analytics agent (MMA/AMA) can be automatically provisioned, allowing Defender for Cloud to collect and analyze security data.

Microsoft documentation states:

“To monit or machines outside Azure (on-premises or in other clouds like AWS or GCP), onboard them to Azure using Azure Arc. Azure Defender will then auto-provision the required agent and begin monitoring.”

Thus, enabling Azure Arc and onboarding the AWS VMs meets t he goal .

✅ Correct answer: A. Yes

 Internal threat: Modify the access policy settings for the key vault.

 External threat: Modify the Key Vault firewall s ettings.

For internal threats involving a potential compromise of Fabrikam’s own Azure AD applications, the most direct and least disruptive remediation is to modify the Key Vault access policies (or RBAC assignments, if RBAC for Key Vault data-plane is in use) to immediately remove or reduce the compromised service principal’s permissions (Get/List/Decrypt/Sign/Wrap). Microsoft guidance for Key Vault access emphasizes least privilege and promptly revoking credentials or app permissions when compromise i s suspected. Access policies (or data-plane RBAC) govern which identities can access secrets, keys, and certificates; adjusting these stops further data-plane actions by the compromised app. “Resource locks” protect against deletion or configuration change s at the management plane, but they do not remove a compromised identity’s ability to read or use vault objects, so they are not an appropriate first response for this scenario.

For external threats , Microsoft recommends hardening Key Vault firewall and networking : restrict public network access, allow only required IPs, use virtual network rules, and prefer private endpoints. Key Vault includes a built-in firewall for IP and VNet ACLs; tuning these controls reduces exposure to the public internet and blo cks unauthorized traffic. NSGs apply to IaaS subnets/nics and don’t directly secure the public Key Vault endpoint. Azure Firewall can add perimeter control, but it is not necessary for remediating a specific Key Vault Defender alert; the most effective and immediate remediation is tightening the Key Vault firewall settings to limit external access pathways.