Microsoft SC-200 - Microsoft Security Operations Analyst

To have a Microsoft Sentinel workbook pull live data from an external web service, you use the workbook’s built-in JSON data source. Workbooks can query REST endpoints that return JSON and render results dynamically in visuals. Because the Azure portal (where the workbook runs) is a different origin than your on-prem/public Webapp1 , browsers will block these cross-origin requests unless the endpoint explicitly allows them. Therefore, the external service must enable CORS to permit the portal’s origin to fetch the JSON. This aligns with Microsoft guidance that Workbooks can query HTTP/HTTPS JSON endpoints and that external endpoints must allow cross-origin requests for client-side calls from the Azure portal. Enforcing CORS on Webapp1 satisfies the security model while enabling the workbook to retrieve data at view time—meeting the requirement to “dynamically retrieve data from Webapp1.” Options like “custom endpoint” or “custom resource provider” aren’t needed here, and enabling SOP or only enforcing TLS 1.2 wouldn’t address the browser’s cross-origin policy blocking the call.

According to Microsoft Sentinel and Azure Monitor Agent (AMA) documentation, when configuring data collection from Windows Security logs, you can use XPath filtering to limit which event IDs are collected. This hel ps optimize data ingestion by filtering out unnecessary events.

In this scenario, the requirement is to collect only event IDs 4624 (successful sign-in) and 4625 (failed sign-in) . The PowerShell cmdlet Get-WinEvent supports several filtering methods: -Filt erXPath , -FilterHashtable , and -FilterXml . To test the same XPath syntax used by the connector, you must use -FilterXPath , because this option accepts the same XPath query string format as used in the AMA data collection rule (DCR).

The correct XPath synta x for filtering specific event IDs from the Security log is:

Security!*[System[(EventID=4624 or EventID=4625)]]

This expression instructs the event query to return only events from the Security log whose EventID equals 4624 or 4625.

Finally, to validate th e filter, you run:

Get-WinEvent -LogName ' Security ' -FilterXPath $events

This command executes the filter locally and confirms that the syntax correctly retrieves the intended events.

Therefore, the correct completed script is:

✅ $events = ' Security!*[Syst em[(EventID=4624 or EventID=4625)]] '

✅ Get-WinEvent -LogName ' Security ' -FilterXPath $events

Microsoft Sentinel UEBA (U ser and Entity Behavior Analytics) focuses on users and hosts (devices) and enriches data with contextual information.

When enabling UEBA with Audit logs and Signin logs , the only entities supported for investigation are:

User accounts (email addresses)

Ho sts or devices (including IP addresses)

Other values like App name , Used client app , and Sign-in URL are attributes in log data but not tracked entities in UEBA investigations.

✅ Answer: B. IP address and email address only

The requirement is to enable Microsoft Defender for Servers Plan 2 on all Azure VMs while excluding Server2 from agentless scanning . Defender for Cloud provides a built-in mechanism to exclude specific machines from agentless scanning based on resource tags . The process is: assign a distinct tag name:value to the VM you want to exclude (Server2), and then, in Defender for Cloud’s Agentless scanning for machines settings, specify that tag pair under exclusions . Defender’s continuous discovery honors these exclusions and skips any VM that matches the configured tag. This approach aligns with the business requirement of least privilege and minimal administrative effort : it avoids broad configuration changes, requires no extensions on the VM, and is reversible by simply removing or changing the tag. The Microsoft Antimalware extension and Automanage configuration are unrelated to agentless scanning behavior, and a resource lock would only prevent modifications/deletions, not scanning. Therefore, to meet the Defender for Cloud requirement precisely, configure an Azure resource tag on Server2 and reference that tag in the agentless scanning exclusion settings.

To monitor and detect higher-than-normal volumes of password resets, you need to gather password reset event data both from Azure Active Directory (cloud identities) and from on-premises Active Directory (domain accounts) . Microsoft’s official Defender XDR and Sentinel integrat ion guidance describes that:

Azure AD Password Protection enforces and monitors password policies in both cloud and hybrid environments. It can detect weak, commonly used, or compromised passwords and logs related password change/reset activities. Deployin g Azure AD Password Protection extends password reset visibility to on-premises domain controllers through the Password Protection proxy and DC agent. This makes it the correct choice for implementing monitoring at the identity environment level.

In Microsoft Sentinel , to ingest and analyze password reset activities from on-premises servers (e.g., domain controllers), you must use the Windows Security Events via AMA connector . This connector collects Event ID 4723 (password change) , 4724 (password res et) , and related security logs directly from Windows Servers into the Sentinel Log Analytics workspace through the Azure Monitor Agent (AMA) . Once the events are available in Sentinel, they can be correlated with other identity or behavioral analytics to d etect abnormal reset volumes or potential compromise attempts.

The other options are not suitable:

Microsoft Defender for Identity focuses on identity compromise detection, not specifically on password reset volume monitoring.

Smart lockout protects agains t brute-force sign-in attempts but doesn’t generate detailed reset event telemetry.

Microsoft security rule and UEBA are higher-level analytic configurations, not data ingestion mechanisms.

Therefore, to meet the Sentinel requirements for monitoring passwo rd reset anomalies:

✅ Implement in the identity environment: Azure AD Password Protection

✅ Configure in Microsoft Sentinel: The Windows Security Events via AMA connector

According to Microsoft Sentinel documentation, Hunting is a proactive feature that allows analysts to query raw security data for indicators of compromise (IoCs), suspicious patterns, and potential threats. When an analyst needs to query for suspicious credential acces s activities , they should use the Hunting page in the Microsoft Sentinel portal.

The correct sequence is as follows:

From Azure Sentinel, select Hunting. This step opens the Hunting dashboard, which provides access to all prebuilt and custom hunting querie s. Each query corresponds to specific tactics and techniques aligned with the MITRE ATT & CK framework .

Filter by tactics. Since the goal is to find suspicious credential access , you should filter the hunting queries by the Credential Access tactic. This nar rows the view to only the queries related to credential theft or misuse activities.

Select Run All Queries. Once filtered, running all relevant hunting queries executes them against your connected data sources (e.g., Defender for Endpoint, Azure AD logs, e tc.) to identify suspicious credential activity patterns.

Why not the other options?

Select New Query is used to create a custom hunting query, not to search existing suspicious credential access detections.

From Azure Sentinel, select Notebooks is for adv anced visualization and correlation using Jupyter, not for tactical hunting queries.

Final Correct Sequence:

➡️ From Azure Sentinel, select Hunting

➡️ Filter by tactics

➡️ Select Run All Queries

In this scenario, App1 is a custom web app published through Microsoft Entra Application Proxy and authenticated using Active Directory Domain Services (AD DS) . Because it’s integrated with Microsoft Entra ID (formerly Azure AD) for access control, the most appropriate and supported way to require MFA for users accessing the application is through Conditional Access .

Microsoft Entra Conditional Access policies evaluate user sign-in conditions such as risk level, device compliance, location, and sensitivity of data before granting access. Specificall y, Microsoft’s documentation states:

“Conditional Access policies allow administrators to require multi-factor authentication, block access, or enforce specific controls such as app protection or session policies for cloud and on-premises applications inte grated with Microsoft Entra ID.”

Therefore, to make MFA mandatory for users accessing App1, a Conditional Access policy must be created targeting that application.

For the second part, to implement a session policy that controls or monitors user behavior (such as downloading highly confidential documents), the correct choice is Microsoft Defender for Cloud Apps (MDA) . Microsoft’s official guidance says:

“Session policies in Microsoft Defender for Cloud Apps provide real-time session controls that enable ad ministrators to monitor and restrict user activity in cloud apps, including download, cut/copy, and upload actions based on sensitivity labels or user risk.”

These session policies integrate seamlessly with Conditional Access via the “Use Conditional Acces s App Control” setting to apply continuous access evaluation during a user’s session.

Hence, the correct verified configuration is:

Require MFA: Conditional Access

Implement session policy: Microsoft Defender for Cloud Apps

To create a query in Microsoft Sentinel (using Kusto Query Language – KQL) that displays the number of daily security alerts over the last 30 days in a timechart , you need to:

Filter the dataset ( SecurityAlert ) to include only alerts generated in the last 30 days.

Aggregate the number of alerts per provider per day using summarize .

Group those alerts into daily time buckets using bin(TimeGenerated, 1d) .

Render the output visually with a timechart.

The correct query structure is:

SecurityAlert

| where TimeGenerated > = ago(30d)

| summarize count() by ProviderName, bin(TimeGenerated, 1d)

| render timechart

summarize → Used to aggregate or count data (e.g., total alerts) by specified fields. In this case, it’s needed to count alerts per provider and per day.

bin → Used to group time-based data into evenly spaced intervals (1 day here) for trend visualization. It aligns timestamps to a fixed period boundary (daily).

lookup → Used to enrich data from another table, not aggregation.

project → Used to select specific columns, not to count or group.

make-series → Also used for time-series data but more suited for generating continuous series (useful for missing data handling). Here, bin is simpler and sufficient.

range → Used to create a sequence of numbers or times manually, not for aggregation.

Explanation of the Correct Options: Why not the other options:

✅ Final Query Answer:

SecurityAlert

| where TimeGenerated > = ago(30d)

| summarize count() by ProviderName, bin(TimeGenerated, 1d)

| render timechart

In Microsoft Defender for Endpoint (Plan 2), you can use indicator file hashes (IoC file hashes) to block files f rom executing or being downloaded. When you create a file hash indicator, you specify the exact file hash (for example, SHA-256 or MD5) and choose actions such as “block” or “remediate.”

However, an important detail is that file hash indicators are applied to specific files —that is, for a given executable or file content. You cannot use a hash indicator to block all files of a certain extension generically. If a given file has a different hash, it will not be blocked unless you add its specific hash. Becaus e the question says you found suspected malware files sys , pdf , docx , xlsx , and you need to block users from downloading those files, only those files for which you can compute and apply a specific hash indicator can be blocked. The question implies you ca n create indicator hashes for each of those file names (assuming each has a unique hash).

Thus you can block all four (File1.sys, File2.pdf, File3.docx, File4.xlsx) by adding each as an indicator hash. The choice E lists all four. That is consistent with M icrosoft’s statements that “you can create indicators that define detection, prevention, or exclusion of entities,” and file hash indicators specifically apply to those files. Microsoft Learn+3Microsoft Learn+3Microsoft Learn+3

Options that exclude some file types (e.g. only blocking sys and docx but not pdf or xlsx) would leave gaps, which doesn’t satisfy the requirement of blocking all those suspected files. Hence E is the correct answer.

Box 1: AzureActivity

The AzureActivity table includes data from many services, including Microsoft Sentinel. To filter in only data from Microsoft Sentinel, start your query with the following code:

Box 2: autocluster()

Example: description: |

' Listing of storage keys is an interesting operation in Azure which might expose additional

secrets and PII to callers as well as granting access to VMs. While there are many benign operations of this

type, it would be interesting to see if the account performing this activity or th e source IP address from

which it is being done is anomalous.

The query below generates known clusters of ip address per caller, notice that users which only had single

operations do not appear in this list as we cannot learn from it their normal act ivity (only based on a single

event). The activities for listing storage account keys is correlated with this learned

clusters of expected activities and activity which is not expected is returned. '

AzureActivity

| where OperationNameValue =~ " mic rosoft.storage/storageaccounts/listkeys/action "

| where ActivityStatusValue == " Succeeded "

| join kind= inner (

AzureActivity

| where OperationNameValue =~ " microsoft.storage/storageaccounts/listkeys/action "

| where ActivityStatusValu e == " Succeeded "

| project ExpectedIpAddress=CallerIpAddress, Caller

| evaluate autocluster()

) on Caller

| where CallerIpAddress != ExpectedIpAddress

| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = make_set(ResourceId), ResourceIdCount = dcount(ResourceId) by OperationNameValue, Caller, CallerIpAddress

| extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress