SC-200 Exam Dumps - Microsoft Security Operations Analyst

To block unsanctioned cloud apps on Windows 10 endpoints with Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps (formerly Cl oud App Security), you must enable and configure the product integration on both sides. First, in Microsoft Defender Security Center → Settings → Advanced features , turn on the Microsoft Defender for Cloud Apps integration (and ensure network protection pr erequisites are met). This allows Defender for Endpoint to receive the unsanctioned app list and enforce endpoint-based blocking when users on CLIENT1 attempt to access those apps via the browser or client.

Second, in Defender for Cloud Apps → Settings → C loud Discovery , configure the Microsoft Defender for Endpoint integration and enable Block unsanctioned apps . In Cloud Discovery, apps are discovered, assessed, and can be tagged as Unsanctioned . Once the MDE integration is enabled, that tag is exported to endpoints, which then enforce blocking based on the tenant’s app catalog and policies.

Options A (Onboarding settings) are for enrolling devices and do not control app blocking behavior. B (Anomaly detection policies) govern behavioral detections (e.g., i mpossible travel, anonymous IP) and are unrelated to endpoint enforcement of app access. Therefore, the two configurations you must modify to meet the requirement “block unsanctioned apps on Windows 10 computers by using Microsoft Defender for Endpoint” ar e C. Advanced features in Microsoft Defender Security Center and D. Cloud Discovery settings in Cloud App Security .

Alert policies let you categorize the alerts that are triggered by a policy, apply the policy to all users in your organization, set a threshold level for when an alert is triggered, and decide whether to receive email notific ations when alerts are triggered.

Default alert policies include:

Unusual external user file activity - Generates an alert when an unusually large number of activities are performed on files in SharePoint or OneDrive by users outside of your organization. This includes activities such as accessing files, downloading files, and deleting files. This policy has a High severity setting.

Task

Role

Update the data sharing and feedback options

Security Administrator

Investigate Microsoft Sentinel incidents

Microsoft Sentinel Responder

Microsoft Sentinel built-in roles documentation defines:

Microsoft Sentinel Responder – Can view incidents and perform incident response operations such as assigning, changing severity, or closing incidents.

This role grants the ability to investigate and act on incidents , which includes collaboration with Microsoft Copilot for Security to analyze incidents and run queries within Sentinel.

The Microsoft Sentinel Reader role, on the other hand, can only view incidents but cannot investigate or modify them, making it too restrictive.

The Clou d App Security Administrator role is unrelated to Sentinel incident investigation.

Thus, for investigating Sentinel incidents using Copilot for Security, Microsoft Sentinel Responder is the correct and least-privileged role.

✅ Final Verified Answers: Task

Role to Assign

Update the data sharing and feedback options

Security Administrator

Investigate Microsoft Sentinel incidents

Microsoft Sentinel Responder

Security Administrator → Required to configure Copilot for Security settings (data sharing & feedback).

Microsoft Sentinel Responder → Required to actively investigate incidents (least privilege for Sentinel operations).

Summary of Reasoning These align with Microsoft Copilot for Security , Microsoft Sentinel , and Microsoft Entra role-based access contr ol (RBAC) documentation.

To use the Fusion rule to detect multi-staged attacks that include suspicious sign-ins to contoso.com followed by anomalous Microsoft Office 365 activity, you should perform the following two actions:

Create an Azure AD Identity Protection connector. This will allow you to monitor suspicious activities in your Azure AD tenant and detect malicious sign-ins.

Create a custom rule based on the Office 3 65 connector templates. This will allow you to monitor and detect anomalous activities in the Microsoft 365 subscription. Reference:  https://docs.microsoft.com/en-us/azure/sentin el/fusion-rules

According to Microsoft Defender for Cloud documentation, continuous export allows you to stream security alerts and recommendations to other monitoring or SIEM systems. When exporting alerts in real time, Azure Event Hubs is the supported mechanism. Event Hubs provides a scalable data-streaming platform that can feed events into third-party SIEM tools such as Splunk, IBM QRadar, or ArcSight. Microsoft states: “To enable real-time stream ing of security alerts or recommendations, configure Continuous Export to Azure Event Hubs. From there, your external SIEM or event processing solution can consume the data.”

The other options serve different purposes:

Azure Cosmos DB is a NoSQL database, not used for alert streaming.

Azure Event Grid is for reactive event-driven automation but not intended for continuous log export.

Azure Data Lake is for large-scale storage and analytics, not streaming.

Thus, exporting Defender alerts to Azure Event Hubs is the correct and supported configuration for continuous export to third-party SIEM solutions.

The core requirement is to customize details included when an alert is created for a specific event. In Microsoft Sentinel, the most effective and granular way to enrich, map, and customize alert fields is by using a Scheduled Query Rule within the Analytics section.

Customization for Microsoft Defender Alerts

Defender for Cloud Data Connector: This connector, categorized as a Microsoft Security rule type, automatically imports alerts and incidents generated by Microsoft Defender for Cloud into the Microsoft Sentinel SecurityAlert table. These imported alerts have a predefined schema and initial set of details.

Customization Limitation: You cannot modify the alert schema or customize the details directly on the Microsoft Defender for Cloud data connector itself (Option A).

Scheduled Query Rule for Enrichment: To customize the alert details, an analyst must run a custom Kusto Query Language (KQL) query against the ingested security alerts (in the SecurityAlert table) or related raw log events. This query is packaged within a Scheduled Query Rule (Option C).

The Role of a Scheduled Query Rule

Scheduled query rules provide the necessary Alert enrichment features to customize alert properties:

Cus tom Details (Surface Custom Event Details): This feature allows an analyst to pull any field from the KQL query result and display it prominently in the resulting Sentinel alert and incident.

Customize Alert Details: This feature allows an analyst to overr ide the default properties of the alert, such as:

Alert Name Format : Dynamically change the alert title to include specific event values (e.g., Alert from {{ProviderName}}: {{AccountName}} failed to sign in to computer {{ComputerName}}).

Alert Description Format : Embed custom messages or specific log data into the description.

AlertSeverity, Tactics, ConfidenceScore, AlertLink , and other key fields: Use values from the query results to set these properties dynamically for each alert instance.

By creating a scheduled query rule that specifically queries the Defender for Cloud alerts and uses KQL to extract or calculate the required custom information, an analyst can then apply the Alert details and Custom details features on the rule ' s Set rule logic tab to meet the customization requirement.

Enable and disable advanced featu res of Microsoft Defender for Cloud: Subscription Owner

Apply security recommendations to a resource: Security Admin

 File1.exe will be blocked on Device3. — No

 User2 will be marked with a risk level of medium. — No

 An investigation package will be collected from Devic e1. — Yes

Custom detection rules in Microsoft Defender XDR are scoped to devices or device groups and only take device-related actions for devices that are in that scope. As the documentation states, “Only data from devices in the scope will be queried. Also, actions are taken only on those devices.” Therefore a rule scoped to DevGroup1 will apply actions only to devices in DevGroup1 (Device1 and Device2); it will not apply to Device3 because Device3 is in DevGroup2. Microsoft Learn

File blocking is a file-level action triggered by the rule, but blocking is applied only where the rule is in scope. Consequently File1.exe will not be blocked on Device3 (out of scope). For the user action, the rule’s Mark user as compromised action explicitly “sets the users risk level to ' high ' in Microsoft Entra ID” — it does not set a medium risk. So the statement that User2 will be marked with risk level medium is incorrect; the document ed outcome is a high risk marking. Microsoft Learn

Finally, device actions include Collect investigation package and these are applied to the DeviceId results when the r ule matches. Because Device1 is in DevGroup1 (in scope) and the rule specifies collecting an investigation package for matching devices, an investigation package will be collected from Device1 when the rule fires. Microsoft Learn

Sources: Official Microsoft Defender XDR documentation for custom detection rules (actions, scope, and user actions). Microsoft Learn