Microsoft SC-200 - Microsoft Security Operations Analyst

Microsoft Sentinel playboo ks can be triggered by different types of events— alerts , incidents , or entities . Since the requirement specifies “incidents generated by rulequery1” and asks for automatic processing of those incidents, the correct approach is to use a playbook with an inc ident trigger .

According to Microsoft Sentinel automation documentation:

“When you want automation to start after an incident is created or updated, use the incident trigger . This allows you to automate workflows such as closing incidents, adding comments, or sending notifications.”

This trigger type works with automation rules that specify when and how to execute playbooks based on incident state or severity. Using a playbook with an incident trigger meets the need for post-incident automation (e.g., auto- closing incidents if they match certain conditions).

✅ Answer for Question 8: A. a playbook with an incident trigger

The Defender for Cloud requirement states:

“The members of Group1 must be able to enable Defender for Cloud plans and apply regulatory compliance initiatives.”

According t o Microsoft Defender for Cloud’s RBAC documentation, the Security Assessment Contributor role provides permissions to:

Enable and configure Defender plans,

Manage security policies and initiatives,

View and edit recommendations and compliance results.

This role gives enough permissions to perform Defender configuration tasks but follows the principle of least privilege , unlike broader roles like Owner or Contributor, which grant excessive rights.

✅ Answer for Question 9: C. Security Assessment Contributor

The problem described in the case study states that “Cloud App Security frequently generates false positive alerts when users connect to both offices simultaneously.” This behavior is commonly associated with the “Impossible travel” anomaly detection policy in Microsoft Defender for Cloud Apps .

According to Microsoft documentation, the “Impossible travel” policy detects when a user signs in from two locations that are geographically dis tant within an unrealistic timeframe. However, in multi-office environments (such as Boston and Seattle) or when VPN connections are used, this policy can frequently trigger false positives , since it may misinterpret legitimate connections as anomalous.

Mi crosoft recommends adjusting the impossible travel detection policy to account for trusted IP ranges, known locations, or VPN endpoints to reduce false alerts. Specifically, administrators can modify the policy’s sensitivity, include the organization’s off ice IP addresses as trusted, and exclude known network ranges.

This approach directly aligns with the case study’s scenario and satisfies the Defender for Cloud Apps requirement to reduce false positives while maintaining user anomaly detection accuracy.

✅ Final Answer for Question 3: D. Impossible travel

To show labeled files from Windows 10 endpoints in the Azure Information Protection – Data discovery dashboard , you must first enable the built-in integration between Microsoft Defender for Endpoint and Azure Information Protection (AIP) . This is turned on in the Microsoft Defender Securit y Center under Settings → Advanced features . When enabled, Defender for Endpoint inventories sensitivity labels seen on files across managed Windows devices and streams that telemetry to the AIP Data discovery experience, providing visibility into where la beled data resides on endpoints. Scanner clusters and content scan jobs in AIP are intended for on-premises repositories (file shares/SharePoint servers), not for endpoint discovery. Device health/compliance reports do not surface or forward label inventor y to AIP. Therefore, the first configuration step is enabling the AIP integration advanced feature in Defender for Endpoint so labeled files on Windows clients appear in the AIP Data discovery dashboard.

The requirement states that Cloud App Security (Defender for Cloud Apps) must determine whether a user’s connection is anomalous based on tenant-level patterns , and the current false positives occur when users connect through two office egress points at the same time. These symptoms align with the Impossible travel anomaly detection policy, which learns normal sign-in geolocation patterns and flags sign-ins from distant locations within an unrealistically short time window. To meet the requirement and reduce false positives, you modif y the Impossible travel policy settings—such as excluding trusted corporate IP ranges/VPN egress points and tuning sensitivity—so detections better reflect tenant-wide behavior rather than isolated user hops via different office exits. Policies like Activi ty from anonymous/suspicious IP addresses rely on threat-intel lists of anonymizers or known-bad sources and don’t address the “two-office” scenario. Risky sign-in is part of Azure AD Identity Protection, not the MCAS anomaly policy to tune here. Thus, the policy to modify is Impossible travel .

According to Micros oft’s official Defender for Identity deployment documentation, setting up Microsoft Defender for Identity (MDI) on an on-premises domain controller (DC) such as DC1 requires a specific sequence of steps. MDI monitors and protects Active Directory from adva nced threats by using sensors installed directly on domain controllers.

The correct sequence is as follows:

1️ ⃣ Provide global administrator credentials to the Azure AD tenant.

Microsoft Defender for Identity is created and managed in the Microsoft 365 Def ender portal or Microsoft Security portal, which requires global administrator permissions to provision the MDI instance and connect it to the Azure AD tenant.

2️ ⃣ Create an instance of Microsoft Defender for Identity.

You must create an MDI instance in th e portal before deploying any sensors. This instance defines your Defender for Identity workspace and generates the configuration package that sensors will later use to connect to the cloud service.

3️ ⃣ Provide domain administrator credentials to the on-pr emises Active Directory domain.

Domain admin credentials are required for the sensor installation because the sensor must access the domain controller’s security logs, event logs, and directory services to monitor authentication traffic and suspicious acti vities.

4️ ⃣ Install the sensor on DC1.

Since DC1 is a domain controller connected directly to the internet, the standard sensor (not the standalone sensor) is installed directly on it. The standalone sensor is used only when you do not want to install the sensor directly on a DC. The sensor automatically connects to the created MDI instance and begins collecting telemetry for detection.

This sequence aligns with Microsoft Defender for Identity deployment guidance, ensuring secure onboarding of DC1 while mai ntaining the principle of least privilege and meeting the business requirement to protect all domain controllers.

✅ Final Order:

Provide global administrator credentials →

Create instance of Microsoft Defender for Identity →

Provide domain administrator credentials →

Install the sensor on DC1.

To integrate Microsoft Defender for Cloud Apps (MCAS) with Microsoft Sentinel , Microsoft’s official SecOps and Sentinel documentation specifies a two-step configuration process.

In the Defender for Cloud Apps portal – You add a security extension to enable integration with external SIEM platforms. This action allows MCAS to forward its alerts, activities, and discovered app telemetry to other Microsoft or third-party security platforms. By adding the security extension , Defende r for Cloud Apps is authorized to send data streams and alerts to Microsoft Sentinel through a supported API connection.

In Microsoft Sentinel (Azure portal) – You then add a data connector . Data connectors in Sentinel are predefined integration pipelines that bring in telemetry from Microsoft or external security solutions. The Microsoft Defender for Cloud Apps connector specifically ingests MCAS alerts and audit logs into Sentinel, where they can be correlated with other Microsoft Defender XDR signals, en abling unified detection and investigation across identity, endpoint, and cloud layers.

This integration approach adheres to Microsoft’s principle of minimizing administrative effort by using native connectors rather than custom ingestion or log collector configurations. Once connected, Sentinel automatically normalizes MCAS alerts into its SecurityAlert and CloudAppEvents tables for rule creation, playbook automation, and incident correlation.

Therefore, the verified correct configuration is:

Defender for Cloud Apps: Add a security extension

Sentinel: Add a data connector

The test analytics rule must generate alerts for inbound Office 365 access by several test users and group those alerts into separate incidents—one per user . In Azure Sentinel, incident grouping by entity depends on the rule’s Entity mapping . When you create a scheduled analytics rule, under Set rule logic you map columns from your query to entities like Account , IP , or Host . Once mapped, you can configure Event grouping so alerts with the same entity value (e.g., the same Account ) are automatically grouped into a single incident. Turning suppression on/off or changing severity/tactics doesn’t influence entity-based incident grouping. Therefore, to ensure “one incident per test user account,” you must map the Acco unt entity (and any other relevant entities) in Set rule logic , then enable grouping by that entity—fulfilling the Sentinel requirement.QUESTION NO: 3 HOTSPOT

You need to create the analytics rule to meet the Azure Sentinel requirements.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer: < map > < m x1= " 300 " x2= " 402 " y1= " 181 " y2= " 204 " ss= " 0 " a= " 0 " / > < m x1= " 294 " x2= " 386 " y1= " 295 " y2= " 321 " ss= " 0 " a= " 0 " / > < /map >

Acc ording to Microsoft Security Operations (SecOps) and Azure Sentinel documentation, when you need to create an analytics rule that executes a custom KQL query and automatically initiates a playbook , the correct configuration is to create a Scheduled rule an d ensure the playbook includes a trigger .

Here’s why:

A Scheduled analytics rule in Microsoft Sentinel (Microsoft Defender XDR portal) is designed for running custom KQL queries at defined intervals (for example, every hour or every few minutes) to detect specific patterns of suspicious activity. When the rule’s conditions are met, Sentinel generates alerts that can automatically trigger a playbook for response and automation.

A playbook in Sentinel is an Azure Logic App that automates responses to incident s or alerts. To connect a playbook to an analytics rule, it must include a trigger —specifically, the “Microsoft Sentinel Alert” or “Incident trigger.” This allows the rule to start the playbook automatically when the defined condition is met.

The other opt ions are incorrect because:

Fusion rules are built-in and use Microsoft’s machine learning to correlate signals automatically; they can’t be used for custom queries.

Microsoft incident creation rules are also built-in and handle alert-to-incident grouping logic, not custom query execution.

A service principal would be needed for permissions (e.g., admin1 configuring playbooks), but not inside the playbook itself.

Diagnostics settings apply to log collection and retention, not rule automation.

Therefore, bas ed on Microsoft Sentinel best practices and documentation:

✅ Create the rule of type: Scheduled

✅ Configure the playbook to include: A trigger

To attach notes that you can later see during investigations and hunting, you use Bookmarks in Microsoft Sentinel. Bookmarks are created from the Hunting (or Logs) experience inside the Sentinel workspace and let you pin a specific query result (including IPs, accounts, hosts) with notes, tags, and mappe d entities so it appears in the investigation graph and is easily referenceable. The correct workflow is: first, run your KQL query from the Microsoft Sentinel workspace (not from generic Azure Monitor), because Sentinel’s hunting experience is where bookmarks integrate with incidents and the investigation graph. Next, select a specific query result that represents the suspicious activity (e.g., a data access event from the target IP). Finally, create a Bookmark and map the relevant entity (IP address, Account, etc.) while adding your notes . Mapping the entity ensures the bookmarked event is connected in the investigation graph; the notes provide the narrative/context you need when pivoting later. Adding the query to favorites is optional for convenience but does not attach notes to a specific event, and running the query from Azure Monitor would not place the bookmark within Sentinel’s investigation context.