SC-200 Microsoft Security Operations Analyst Question and Answers

In Microsoft Sentinel (and Azure Monito r Logs), when you create a custom parser , it must output a consistent schema from a KQL query that only transforms or reshapes data. The query cannot include commands that control presentation, sorting, or time filtering logic such as sort by , take , or exp licit where TimeGenerated > ago() . These constructs are valid in ad-hoc queries and hunting scenarios but not supported inside parser definitions because parsers are designed to provide reusable, schema-consistent structured data for analytics, detection r ules, and normalization.

In the provided example, line 5 uses:

sort by TimeGenerated desc nulls last

Sorting is purely a presentation operation and is not allowed within a parser definition. A parser should only manipulate and project columns (for example, project , extend , parse , etc.) but should not include sort , limit , or take clauses.

Other lines serve valid data filtering and shaping purposes:

Line 2 filters the time range ( TimeGenerated > ago(7d) ), which can remain for a specific scenario setup.

Line 3 applies a valid operation filter ( where Operation contains " delete " ).

Line 4 projects relevant fields.

Therefore, to prepare this query for inclusion in a custom parser, you must remove line 5 , the sort by command, ensuring the parser complies with Sentin el’s parser syntax and execution engine requirements.

Hence, the correct answer is C. Remove line 5 .

In Microsoft Defender for Identity , false positives can occur due to legitimate administrative activities or benign network behavior. To minimize investigation effort, Microsoft recommends reviewing the Resolution Method field associated with the alert’s source computer .

The Resolution Method indi cates how Defender for Identity classified or resolved the source computer’s identity—whether through secure channel (Kerberos/NTLM) , DNS resolution , or other identification techniques . If the method is unreliable (e.g., based on DNS name only), it may cau se inaccurate correlations that trigger false positives .

By verifying the Resolution Method , analysts can quickly determine whether an alert was raised due to weak identity mapping or misattribution. Microsoft’s official documentation states that reviewing the Resolution Method “helps analysts understand how the entity was resolved and assess whether the detection could be a false positive.”

Hence, to reduce the time spent on false positives, the most relevant data point to review is the Resolution Method of the source computer — Answer: D .

To enable Microsoft Defender for Servers on AWS virtual machines , you must first connect the AWS environment to Microsoft Defender for Cloud and then enable auto-provisioning of the required agents.

Configure the AWS connector – establishes the secure integration between your AWS account and Microsoft Defender for Cloud. It allows Defender for Cloud to discover AWS EC2 instances and workloads.

Configure auto-provisioning – automatically installs the required agents (Defender for Endpoint or Log Analytics agent / AMA, depending on the plan) on all discovered instances, enabling full Defender for Server s protection.

Other options:

A. Agentless scanning – optional for vulnerability assessment, not required for initial onboarding.

B. Azure VM agent – used only for Azure VMs, not AWS.

C. Onboard to Defender for Endpoint – happens automatically after Defender for Servers is enabled.

✅ Correct Answers: D and E

To create a query in Microsoft Sentinel (using Kusto Query Language – KQL) that displays the number of daily security alerts over the last 30 days in a timechart , you need to:

Filter the dataset ( SecurityAlert ) to include only alerts generated in the last 30 days.

Aggregate the number of alerts per provider per day using summarize .

Group those alerts into daily time buckets using bin(TimeGenerated, 1d) .

Render the output visually with a timechart.

The correct query structure is:

SecurityAlert

| where TimeGenerated > = ago(30d)

| summarize count() by ProviderName, bin(TimeGenerated, 1d)

| render timechart

summarize → Used to aggregate or count data (e.g., total alerts) by specified fields. In this case, it’s needed to count alerts per provider and per day.

bin → Used to group time-based data into evenly spaced intervals (1 day here) for trend visualization. It aligns timestamps to a fixed period boundary (daily).

lookup → Used to enrich data from another table, not aggregation.

project → Used to select specific columns, not to count or group.

make-series → Also used for time-series data but more suited for generating continuous series (useful for missing data handling). Here, bin is simpler and sufficient.

range → Used to create a sequence of numbers or times manually, not for aggregation.

Explanation of the Correct Options: Why not the other options:

✅ Final Query Answer:

SecurityAlert

| where TimeGenerated > = ago(30d)

| summarize count() by ProviderName, bin(TimeGenerated, 1d)

| render timechart

In Microsoft 365 Security and Compliance (now part of Microsoft Purview), Data Loss P revention (DLP) policies use Sensitive Information Types (SITs) to detect confidential data. These SITs rely on a combination of methods—primarily regular expressions (RegEx) , keyword dictionaries, and validation checks—to identify patterns such as credit card numbers, national IDs, or custom formats.

Since the scenario specifies that customer account numbers are 32-character alphanumeric strings (not a predefined sensitive type in Microsoft 365), the appropriate detection mechanism is to create a custom Se nsitive Information Type using RegEx pattern matching . Microsoft documentation explicitly states:

“You can create custom sensitive information types that use a regular expression to define your own pattern for detecting sensitive data.”

Using RegEx, you can define a pattern such as [A-Za-z0-9]{32} to match exactly 32 alphanumeric characters. SharePoint search (A) cannot perform sensitivity classification, hunting queries (B) are for threat detection, and Azure Information Protection (C) applies labels aft er data is classified. Therefore, RegEx pattern matching is the correct choice to detect sensitive documents in this case.

Mi crosoft Defender for Cloud provides multiple specialized Defender plans to protect different layers of your environment.

Microsoft Defender for DevOps helps identify vulnerabilities in source code , exposed secrets , and insecure dependencies by integrating with CI/CD systems like GitHub and Azure DevOps. It scans repositories for known vulnerabilities (CVEs), weak configurations, and exposed credentials before code is deployed. This directly addresses the risks:

Vulnerabilities within application source code

Exposed secrets

Microsoft Defender for Resource Manager protects the Azure control plane and monitors management operations to detect threats such as deployment of malicious templates , exploitation toolkits in IaC (Infrastructure as Code) , and operations from malicious IP addresses . It provides alerts when suspicious control-plane actions occur, for example, unexpected activity via ARM or Terraform. This covers:

Exploitation toolkits in declarative templates

Operations from malicious IP addresses

Together, these two Defender plans (Defender for DevOps + Defender for Resource Manager) mitigate all four risks listed in the question.

✅ Correct answers: B. Microsoft Defender for Resource Manager and D. Microsoft Defender for DevOps

Microsoft Defender for DevOps integrates security analysis directly into CI/CD pipelines such as Azure Pipelines , GitHub Actions , and others. To enable secret scanning (and other code security checks) during the execution of a pipeline in Azure DevOps , the correct integration is through the Microsoft Security DevOps (MSDO) extension — not the older Microsoft Security Code Analysis (MSCA) extension.

Step 1: Install the Microsoft Security DevOps extension Microsoft documentation (Defender for Cloud → Defender for DevOps integration guide) clearly states that:

“To enable scanning and policy enforcement for Azure DevOps pipelines, install the Microsoft Security DevOps extension from the Azure DevOps Marketplace. This extension integrates with Microsoft Defender for Cloud to perform security scans, including secret detection, infrastructure-as-code analysis, and dependency vulnerability checks.”

The older Microsoft Security Code Analysis (MSCA) extension has been superseded by Microsoft Security DevOps , which provides broader coverage and native Defender for Cloud integration.

Step 2: Add the MSDO scanner steps to the YAML pipeline After installing the extension, you must modify the pipeline definition (YAML) to add MSDO scanning steps .

The syntax typically looks like this:

steps:

- task: MicrosoftSecurityDevOps@1

displayName: ' Run Microsoft Security DevO ps '

This step runs all configured scans (including secret scanning) automatically each time the pipeline runs. You add it under the steps section because it represents a specific task in the pipeline workflow.

✅ Final Answers:

Install: The Microsoft Security DevOps extension

Add: Steps

In Microsoft Sentinel workbooks , when you want to display query results in a tabular format and visually emphasize numeric values through color intensity (such as counts or frequencies), you use the Grid visualization type combined with the Heatmap column renderer .

In this scenario, the query aggregates failed sign-in events from SigninLogs and AADNonInteractiveUserSignInLogs , summar izing them by ErrorCode , FailureReason , and Category with a calculated count ( errCount ). The errCount column holds numeric data that indicates how many times each unique failure pattern occurred.

To visually represent the severity or frequency of these cou nts, you configure:

Visualization = Grid — Displays tabular data in a workbook. It’s the standard view type for showing multiple columns of query output (such as error codes and counts).

Column renderer = Heatmap — Applies a gradient color scheme to the se lected numeric column ( errCount ) so that higher values are highlighted with darker or more intense colors, making patterns or anomalies easier to spot.

Microsoft Sentinel workbook documentation explains:

“Heatmap rendering can be applied to numerical colum ns in Grid visualizations to provide color-coded representation of value ranges.”

Alternative renderers like Text or Big number do not provide dynamic color intensity, and Thresholds are used for conditional formatting rather than continuous color gradient s.

✅ Final configuration:

Visualization: Grid

Column renderer: Heatmap

Microsoft Sentinel uses the Advanced Security Information Model (ASIM) to normalize logs into a consistent schema, enabling unified queries, analytics rules, and hunting queries across multiple data sources.

Each ASIM function has a structured parser hierarchy , typically consisting of:

A master (or orchestrator) parser , which aggregates and calls all source-specific parsers.

Source-specific parsers , which map raw data from each data source (like Windows SecurityEvents, Sysmon, or custom logs) to the ASIM schema fields.

In the case of ProcessCreate events:

_Im_ProcessCreate is the master parser . Its role is to call all ProcessCreate parsers , including both built-in and custom ones (for example, imProcessCreate , vimProcessCreate , or other vendor-specific parsers).

Parsers like imProcessCreate (for native sources) and vimProcessCr eate (for custom or vendor-specific sources) are source-specific parsers . They are responsible for standardizing and mapping raw fields into the ASIM Process schema , ensuring consistent naming such as ActorProcessName , TargetProcessName , and TargetProcessC ommandLine .

Based on Microsoft’s ASIM documentation: “The _Im_ functions are orchestrators that call all source-specific parsers. Each im or vim parser converts native data into the ASIM schema for its respective source.”

Therefore:

To call all ProcessCrea te parsers , modify _Im_ProcessCreate .

To standardize fields to the Process schema , modify vimProcessCreate (the new source-specific parser you created).

✅ Final Answers:

Call all the ProcessCreate parsers: _Im_ProcessCreate

Standardize fields to the Proces s schema: vimProcessCreate

To automatically send a Microsoft Teams message when an incident (like a sign-in risk) is activated, you mus t use Logic Apps playbooks in Microsoft Sentinel.

Steps based on Microsoft documentation:

Add (create) a playbook (Option D) — a Logic App workflow that defines the automation (e.g., post a message to a Teams channel).

Associate the playbook to the analyti cs rule (Option B) that generates the incident — this ensures the playbook triggers automatically whenever that rule fires.

Other options do not accomplish the goal:

Entity behavior analytics (A) provides user and entity context but does not automate actions.

Fusion rule (C) correlates multi-stage attacks automatically but isn’t used to trigger notifications.

Workbooks (E) are for visualization, not automation.

✅ Final Answers:

Question 80: D. Assign the incident

Question 83: B and D

Automated Investigation and Response (AIR ) automates investigation and remediation actions for alerts that Defender already detects: it triages alerts, runs investigation playbooks, and can execute remediation (quarantine files, terminate processes, remove persistence) based on the investigation outcome. AIR is powerful for reducing analyst load and quickly remediating detected threats. However, AIR only runs in response to detections/alerts it receives—if the third-party AV completely misses an artifact and no EDR/behavioral detection generates a n alert, AIR will not be triggered. In contrast, EDR in block mode is specifically built to catch post-breach detections that the primary AV missed and to remediate them. Therefore, enabling AIR alone does not guarantee protection from artifacts missed by the third-party antivirus; AIR helps remediate once a detection exists but does not itself create the missed detection coverage that EDR in block mode provides.

Just-In-Time (JIT) VM access in Microsoft Defender for Cloud controls inbound traffic to virtual machines, reducing exposure to attacks. Microsoft’s guidance allows JIT policies to be centrally configured and applied automatically across a resource group using Azure Policy , which provides the lowest administrative overhead.

To meet the requir ements:

Limit request time to two hours: Defender for Cloud JIT policy allows defining a maximum allowed access duration per request.

Limit protocol to RDP only: The JIT configuration can restrict the protocol and port (TCP/3389 for RDP).

Minimize administrative effort: Azure Policy can automatically enforce this configuration for all VMs in RG1 without manually setting up each VM.

Other options are less suitable:

A. PIM controls user privileges, not network access.

C. Azure Front Door handles web application traffic.

D. Azure Bastion provides secure RDP/SSH via portal but doesn’t manage just-in-time network policies.

✅ Correct Answer: B. Azure Policy

In Microsoft Sentinel , to automatically generate incidents when a specific pattern or behavior is detected by a query, you must create a scheduled analytics rule .

A scheduled query rule :

Runs a KQL query on a defined schedule (e.g., every hour).

Triggers an alert and incident when the query returns results.

Can map detections to MITRE ATT & CK tactics and techniques , aligning with the requirement for attack vector mapping.

Other options explained:

Fusion rule – Uses built-in machine learning for correlation, not custom KQL logic.

Query bookmark – Saves hunting results but does not trigger incidents.

Hunting livestream session – Used for live monitoring, not alert generation.

✅ Correct answer: C. a scheduled query rule

To view incidents across multiple Sentinel workspaces (5 0 in this case) , the central view is provided from the Microsoft Sentinel page in the Azure portal.

This page provides a multi-workspace incident view , allowing SOC analysts to see all incidents across all connected workspaces without switching manually.

M icrosoft Sentinel – Incidents → shows incidents from a single workspace only.

Microsoft Sentinel – Workbooks → used for analytics visualization.

Log Analytics workspaces → only for log storage and queries, not consolidated incident management.

✅ Correct Answer: C. Microsoft Sentinel

To show labeled files from Windows 10 endpoints in the Azure Information Protection – Data discovery dashboard , you must first enable the built-in integration between Microsoft Defender for Endpoint and Azure Information Protection (AIP) . This is turned on in the Microsoft Defender Securit y Center under Settings → Advanced features . When enabled, Defender for Endpoint inventories sensitivity labels seen on files across managed Windows devices and streams that telemetry to the AIP Data discovery experience, providing visibility into where la beled data resides on endpoints. Scanner clusters and content scan jobs in AIP are intended for on-premises repositories (file shares/SharePoint servers), not for endpoint discovery. Device health/compliance reports do not surface or forward label inventor y to AIP. Therefore, the first configuration step is enabling the AIP integration advanced feature in Defender for Endpoint so labeled files on Windows clients appear in the AIP Data discovery dashboard.

When you initiate the Collect Investigation Package action on a device in Microsoft Defender for Endpoint, the package includes many forensic artifacts that help you trace file usage, process execution, and system behavior. Among those artifacts are prefetch files . Prefetch files record metadata about which executables were run and when, and can provide first/last execution timestamps. Whizlabs+2InfoSec Write-ups+2

Specifically, Microsoft documents (e.g. Respond-machine alerts) describe that the investigation package contains folders such as Autoruns, Processes, Scheduled tasks, Security event log, Users and Groups, Prefetch files , among others. InfoSec Write-ups+2Whizlabs+2 Among those, the Prefetch files are the best source to determine the first and last run time of a given executable (like File1.exe). Other artifacts (process history, event logs) might also show execution events, but prefetch is the artifact designed for showing executable run metadata and is most commonly used for that purpose in forensic investigations. InfoSec Write-ups+2ExamTopics+2

Because the question specifically asks “first and last time File1.exe was executed,” reviewing Prefetch files in the investigation pa ckage is the correct approach.

To attach notes that you can later see during investigations and hunting, you use Bookmarks in Microsoft Sentinel. Bookmarks are created from the Hunting (or Logs) experience inside the Sentinel workspace and let you pin a specific query result (including IPs, accounts, hosts) with notes, tags, and mappe d entities so it appears in the investigation graph and is easily referenceable. The correct workflow is: first, run your KQL query from the Microsoft Sentinel workspace (not from generic Azure Monitor), because Sentinel’s hunting experience is where bookmarks integrate with incidents and the investigation graph. Next, select a specific query result that represents the suspicious activity (e.g., a data access event from the target IP). Finally, create a Bookmark and map the relevant entity (IP address, Account, etc.) while adding your notes . Mapping the entity ensures the bookmarked event is connected in the investigation graph; the notes provide the narrative/context you need when pivoting later. Adding the query to favorites is optional for convenience but does not attach notes to a specific event, and running the query from Azure Monitor would not place the bookmark within Sentinel’s investigation context.

To integrate Microsoft Defender for Cloud Apps (MCAS) with Microsoft Sentinel , Microsoft’s official SecOps and Sentinel documentation specifies a two-step configuration process.

In the Defender for Cloud Apps portal – You add a security extension to enable integration with external SIEM platforms. This action allows MCAS to forward its alerts, activities, and discovered app telemetry to other Microsoft or third-party security platforms. By adding the secu rity extension , Defender for Cloud Apps is authorized to send data streams and alerts to Microsoft Sentinel through a supported API connection.

In Microsoft Sentinel (Azure portal) – You then add a data connector . Data connectors in Sentinel are predefined integration pipelines that bring in telemetry from Microsoft or external security solutions. The Microsoft Defender for Cloud Apps connector specifically ingests MCAS alerts and audit logs into Sentinel, where they can be correlated with other Microsoft D efender XDR signals, enabling unified detection and investigation across identity, endpoint, and cloud layers.

This integration approach adheres to Microsoft’s principle of minimizing administrative effort by using native connectors rather than custom inge stion or log collector configurations. Once connected, Sentinel automatically normalizes MCAS alerts into its SecurityAlert and CloudAppEvents tables for rule creation, playbook automation, and incident correlation.

Therefore, the verified correct configur ation is:

Defender for Cloud Apps: Add a security extension

Sentinel: Add a data connector

To integrate Microsoft Defender for Cloud Apps (MCAS) with Microsoft Sentinel , Microsoft’s official SecOps and Sentinel documentation specifies a two-step configuration process.

In the Defender for Cloud Apps portal – You add a security extension to enable integration with external SIEM platforms. This action allows MCAS to forward its alerts, activities, and discovered app telemetry to other Microsoft or third-party security platforms. By adding the security extension , Defende r for Cloud Apps is authorized to send data streams and alerts to Microsoft Sentinel through a supported API connection.

In Microsoft Sentinel (Azure portal) – You then add a data connector . Data connectors in Sentinel are predefined integration pipelines that bring in telemetry from Microsoft or external security solutions. The Microsoft Defender for Cloud Apps connector specifically ingests MCAS alerts and audit logs into Sentinel, where they can be correlated with other Microsoft Defender XDR signals, en abling unified detection and investigation across identity, endpoint, and cloud layers.

This integration approach adheres to Microsoft’s principle of minimizing administrative effort by using native connectors rather than custom ingestion or log collector configurations. Once connected, Sentinel automatically normalizes MCAS alerts into its SecurityAlert and CloudAppEvents tables for rule creation, playbook automation, and incident correlation.

Therefore, the verified correct configuration is:

Defender for Cloud Apps: Add a security extension

Sentinel: Add a data connector

Azure Sentinel “playbooks” are Azure Logic Apps . Granting the minimal permissions to configure (create/edit) playbooks requires the Logic App Contributor role on the resource group where the playbooks reside. This satisfies the business requirement to use least privilege and specifically enables admin1 to design, modify, and manage Logic Apps that Sentinel automation rules or analytics rules will invoke. Roles like Automation Operator or Automation Runbook Operator apply to Azure Automation , not Logic Apps, and therefore don’t allow creating or editing Sentinel playbooks. Azure Sentinel Contributor allows managing Sentinel resources (incidents, analytics rules, workbooks) but, by itself, does not grant permissions to author Logic Apps. Assigning Logic App Contributor provides precisely what is needed to configure Sentinel playbooks without unnecessary broader permissions.

The test analytics rule must generate alerts for inbound Office 365 access by several test users and group those alerts into separate incidents—one per user . In Azure Sentinel, incident grouping by entity depends on the rule’s Entity mapping . When you create a scheduled analytics rule, under Set rule logic you map columns from your query to entities like Account , IP , or Host . Once mapped, you can configure Event grouping so alerts with the same entity value (e.g., the same Account ) are automatically grouped into a single incident. Turning suppression on/off or changing severity/tactics doesn’t influence entity-based incident grouping. Therefore, to ensure “one incident per test user account,” you must map the Acco unt entity (and any other relevant entities) in Set rule logic , then enable grouping by that entity—fulfilling the Sentinel requirement.QUESTION NO: 3 HOTSPOT

You need to create the analytics rule to meet the Azure Sentinel requirements.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer: < map > < m x1= " 300 " x2= " 402 " y1= " 181 " y2= " 204 " ss= " 0 " a= " 0 " / > < m x1= " 294 " x2= " 386 " y1= " 295 " y2= " 321 " ss= " 0 " a= " 0 " / > < /map >

Acc ording to Microsoft Security Operations (SecOps) and Azure Sentinel documentation, when you need to create an analytics rule that executes a custom KQL query and automatically initiates a playbook , the correct configuration is to create a Scheduled rule an d ensure the playbook includes a trigger .

Here’s why:

A Scheduled analytics rule in Microsoft Sentinel (Microsoft Defender XDR portal) is designed for running custom KQL queries at defined intervals (for example, every hour or every few minutes) to detect specific patterns of suspicious activity. When the rule’s conditions are met, Sentinel generates alerts that can automatically trigger a playbook for response and automation.

A playbook in Sentinel is an Azure Logic App that automates responses to incident s or alerts. To connect a playbook to an analytics rule, it must include a trigger —specifically, the “Microsoft Sentinel Alert” or “Incident trigger.” This allows the rule to start the playbook automatically when the defined condition is met.

The other opt ions are incorrect because:

Fusion rules are built-in and use Microsoft’s machine learning to correlate signals automatically; they can’t be used for custom queries.

Microsoft incident creation rules are also built-in and handle alert-to-incident grouping logic, not custom query execution.

A service principal would be needed for permissions (e.g., admin1 configuring playbooks), but not inside the playbook itself.

Diagnostics settings apply to log collection and retention, not rule automation.

Therefore, bas ed on Microsoft Sentinel best practices and documentation:

✅ Create the rule of type: Scheduled

✅ Configure the playbook to include: A trigger

To restrict cloud apps running on CLIENT1 (a Window s 10 endpoint) in compliance with Microsoft Defender for Endpoint (MDE) requirements, you must integrate Microsoft Defender for Endpoint with Microsoft Defender for Cloud Apps (formerly Cloud App Security) using Cloud Discovery . This integration enables th e blocking of unsanctioned cloud apps through the endpoint’s network protection capabilities.

According to Microsoft Defender for Cloud Apps documentation , Cloud Discovery uses traffic data from Defender for Endpoint to identify and manage the use of shado w IT. The relevant steps include:

1️ ⃣ Enable advanced features in Microsoft Defender for Endpoint (M365 Defender portal → Settings → Endpoints → Advanced features).

You must enable the following advanced features:

Microsoft Defender for Cloud Apps integrat ion

Network protection (in block mode)

Custom network indicators (if applicable) These options allow Defender for Endpoint to share telemetry and enforce app restrictions received from Defender for Cloud Apps.

2️ ⃣ Configure Cloud Discovery settings in Micr osoft Defender for Cloud Apps.

In the Defender for Cloud Apps portal, Cloud Discovery must be configured to receive continuous reports from Defender for Endpoint devices. Within these settings, you define sanctioned and unsanctioned applications. Once an a pp is marked as unsanctioned , Defender for Endpoint enforces blocking on all onboarded devices (like CLIENT1).

This two-part configuration ensures that MDE enforces the blocking of unsanctioned cloud applications discovered through Cloud App Security telem etry, fulfilling the business requirement that “All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by using Microsoft Defender for Endpoint.”

ï‚· Log Analytics workspace to use: LA1

ï‚· Windo ws security events to collect: All Events

To meet the Azure Defender (Microsoft Defender for Cloud) requirement that all servers send logs to the same Log Analytics workspace , you should select the existing workspace LA1 . Defender for Cloud best practic es recommend centralizing data in a single workspace for unified analytics, incident correlation, and cost control. Using the “Default workspace created by Azure Security Center” or creating a new workspace would fragment telemetry, complicate management, and contradict the stated requirement and the business goal to minimize costs (multiple workspaces can increase ingestion/retention overhead and complicate RBAC and automation).

For Windows hosts, Defender for Cloud’s Data collection setting controls the l evel of Windows Security Events collected: Minimal , Common , or All Events . The business requirement calls for logs that provide a full audit trail of user activities . In Microsoft guidance, All Events is the level intended for comprehensive auditing (inclu ding logon/logoff, account changes, privilege use, process creation, object access, and other advanced categories). Therefore, to satisfy the “full audit trail” requirement and ensure complete visibility for investigations and Sentinel analytics, choose Al l Events .

In summary: centralize on LA1 (single workspace) and collect All Events to achieve both operational and compliance objectives with Defender for Cloud and Sentinel.

In Microsoft Sentinel, entity ma pping is a critical configuration that ensures detected events and alerts are correctly represented in the investigation graph , incidents , and hunting experiences . The Sentinel requirements in the case study specify:

“Add notes to events that represent dat a access from a specific IP address to provide the ability to reference the IP address when navigating through an investigation graph while hunting.”

To meet this requirement, the analytic rule must be configured to map entities such as IP address, user, h ostname, or URL in the Set rule logic section. This mapping allows the incident and its related alerts to visually associate with those entities, enabling analysts to pivot and investigate in the Sentinel investigation graph.

According to Microsoft Sentine l documentation:

“Entity mapping in analytic rules helps correlate alerts and incidents to specific entities such as accounts, IPs, or hosts, enabling richer investigation experiences and faster triage.”

Therefore, configuring entity mapping directly under Set rule logic ensures that incidents are enriched with contextual information (for example, the specific IP address), meeting both the functional and investigative requirements.

✅ Final Answer for Question 2: C. From Set rule logic, map the entities.

To block unsanctioned cloud apps on Windows 10 endpoints with Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps (formerly Cl oud App Security), you must enable and configure the product integration on both sides. First, in Microsoft Defender Security Center → Settings → Advanced features , turn on the Microsoft Defender for Cloud Apps integration (and ensure network protection pr erequisites are met). This allows Defender for Endpoint to receive the unsanctioned app list and enforce endpoint-based blocking when users on CLIENT1 attempt to access those apps via the browser or client.

Second, in Defender for Cloud Apps → Settings → C loud Discovery , configure the Microsoft Defender for Endpoint integration and enable Block unsanctioned apps . In Cloud Discovery, apps are discovered, assessed, and can be tagged as Unsanctioned . Once the MDE integration is enabled, that tag is exported to endpoints, which then enforce blocking based on the tenant’s app catalog and policies.

Options A (Onboarding settings) are for enrolling devices and do not control app blocking behavior. B (Anomaly detection policies) govern behavioral detections (e.g., i mpossible travel, anonymous IP) and are unrelated to endpoint enforcement of app access. Therefore, the two configurations you must modify to meet the requirement “block unsanctioned apps on Windows 10 computers by using Microsoft Defender for Endpoint” ar e C. Advanced features in Microsoft Defender Security Center and D. Cloud Discovery settings in Cloud App Security .

To monitor and detect higher-than-normal volumes of password resets, you need to gather password reset event data both from Azure Active Directory (cloud identities) and from on-premises Active Directory (domain accounts) . Microsoft’s official Defender XDR and Sentinel integrat ion guidance describes that:

Azure AD Password Protection enforces and monitors password policies in both cloud and hybrid environments. It can detect weak, commonly used, or compromised passwords and logs related password change/reset activities. Deployin g Azure AD Password Protection extends password reset visibility to on-premises domain controllers through the Password Protection proxy and DC agent. This makes it the correct choice for implementing monitoring at the identity environment level.

In Microsoft Sentinel , to ingest and analyze password reset activities from on-premises servers (e.g., domain controllers), you must use the Windows Security Events via AMA connector . This connector collects Event ID 4723 (password change) , 4724 (password res et) , and related security logs directly from Windows Servers into the Sentinel Log Analytics workspace through the Azure Monitor Agent (AMA) . Once the events are available in Sentinel, they can be correlated with other identity or behavioral analytics to d etect abnormal reset volumes or potential compromise attempts.

The other options are not suitable:

Microsoft Defender for Identity focuses on identity compromise detection, not specifically on password reset volume monitoring.

Smart lockout protects agains t brute-force sign-in attempts but doesn’t generate detailed reset event telemetry.

Microsoft security rule and UEBA are higher-level analytic configurations, not data ingestion mechanisms.

Therefore, to meet the Sentinel requirements for monitoring passwo rd reset anomalies:

✅ Implement in the identity environment: Azure AD Password Protection

✅ Configure in Microsoft Sentinel: The Windows Security Events via AMA connector

The requirement is to enable Microsoft Defender for Servers Plan 2 on all Azure VMs while excluding Server2 from agentless scanning . Defender for Cloud provides a built-in mechanism to exclude specific machines from agentless scanning based on resource tags . The process is: assign a distinct tag name:value to the VM you want to exclude (Server2), and then, in Defender for Cloud’s Agentless scanning for machines settings, specify that tag pair under exclusions . Defender’s continuous discovery honors these exclusions and skips any VM that matches the configured tag. This approach aligns with the business requirement of least privilege and minimal administrative effort : it avoids broad configuration changes, requires no extensions on the VM, and is reversible by simply removing or changing the tag. The Microsoft Antimalware extension and Automanage configuration are unrelated to agentless scanning behavior, and a resource lock would only prevent modifications/deletions, not scanning. Therefore, to meet the Defender for Cloud requirement precisely, configure an Azure resource tag on Server2 and reference that tag in the agentless scanning exclusion settings.

To have a Microsoft Sentinel workbook pull live data from an external web service, you use the workbook’s built-in JSON data source. Workbooks can query REST endpoints that return JSON and render results dynamically in visuals. Because the Azure portal (where the workbook runs) is a different origin than your on-prem/public Webapp1 , browsers will block these cross-origin requests unless the endpoint explicitly allows them. Therefore, the external service must enable CORS to permit the portal’s origin to fetch the JSON. This aligns with Microsoft guidance that Workbooks can query HTTP/HTTPS JSON endpoints and that external endpoints must allow cross-origin requests for client-side calls from the Azure portal. Enforcing CORS on Webapp1 satisfies the security model while enabling the workbook to retrieve data at view time—meeting the requirement to “dynamically retrieve data from Webapp1.” Options like “custom endpoint” or “custom resource provider” aren’t needed here, and enabling SOP or only enforcing TLS 1.2 wouldn’t address the browser’s cross-origin policy blocking the call.

The case s tudy requires:

“Ensure that the Group1 members can create and edit playbooks.”

In Microsoft Sentinel, the ability to create, edit, and assign playbooks is granted by the Microsoft Sentinel Automation Contributor role.

This role allows users to:

Create and manage automation rules,

Create and edit playbooks (Logic Apps) in the connected subscription,

Associate playbooks with Sentinel incidents or alerts.

By contrast:

Logic App Contributor allows Logic App creation but doesn’t include Sentinel-level integration permissions.

Automation Operator can run playbooks but not edit or create them.

Sentinel Playbook Operator can execute playbooks but cannot modify or assign them.

✅ Answer for Question 11: A. Microsoft Sentinel Automation Contributor

The Defender for Cloud requirement states:

“The members of Group1 must be able to enable Defender for Cloud plans and apply regulatory compliance initiatives.”

According t o Microsoft Defender for Cloud’s RBAC documentation, the Security Assessment Contributor role provides permissions to:

Enable and configure Defender plans,

Manage security policies and initiatives,

View and edit recommendations and compliance results.

This role gives enough permissions to perform Defender configuration tasks but follows the principle of least privilege , unlike broader roles like Owner or Contributor, which grant excessive rights.

✅ Answer for Question 9: C. Security Assessment Contributor

To monitor Windows Security events from Server1 using the Windows Security Events via AMA connector, the first object you must create is a Data Collection Rule (DCR) . With the Azure Monitor Agent (AMA) model used by Microsoft Sentinel, data flow is controlled by DCRs, not by the legacy MMA/OMS workspace settings. A DCR defines what to collect (e.g., the Security event log, specific event IDs or XPath queries), from where (the target machines or machine groups), and where to send it (the Sentinel/Log Analytics workspace). After creating the DCR, you associate it with Server1 (Arc-enabled), and the connector will begin streaming Security events to your Sentinel workspace. Creating a Sentinel sch eduled rule or an automation rule does not enable collection; those features act after data is already ingested. Event Grid topics are unrelated to Windows event collection. Therefore, the correct first step for meeting the Sentinel requirement to monitor Server1’s Security log via AMA is to create a DCR , then assign it to Server1 and the Sentinel workspace.

In Microsoft Sentinel’s Advanced Security Information Model (ASI M) , DNS queries are normalized through the Im_Dns parser, which unifies DNS telemetry from multiple sources (Infoblox, Windows DNS, Azure Firewall DNS proxy, etc.). Microsoft guidance states that when you need broad compatibility and want to “use built-in ASIM parsers whenever possible,” you should call the generic Im_Dns() parser . To minimize overhead , ASIM provides a pack parameter that restricts the parser to a specific content pack (vendor/source) so it won’t iterate through all available source parsers under the hood. For Infoblox NIOS, you pass the Infoblox pack via the pack parameter, which limits parsing to the Infoblox implementation and reduces query cost/latency while keeping the query portable across environments.

Putting it together, the recomme nded pattern is:

Im_Dns(pack= " InfobloxNIOS " )

| where DnsResponseCodeName == " NXDOMAIN "

| summarize count()

This approach satisfies all requirements:

Uses built-in ASIM (Im_Dns).

Minimizes query overhead (uses pack to limit parsing to Infoblox).

Targets NXD OMAIN responses for counting DNS request failures from Infoblox1 .

Microsoft Sentinel playboo ks can be triggered by different types of events— alerts , incidents , or entities . Since the requirement specifies “incidents generated by rulequery1” and asks for automatic processing of those incidents, the correct approach is to use a playbook with an inc ident trigger .

According to Microsoft Sentinel automation documentation:

“When you want automation to start after an incident is created or updated, use the incident trigger . This allows you to automate workflows such as closing incidents, adding comments, or sending notifications.”

This trigger type works with automation rules that specify when and how to execute playbooks based on incident state or severity. Using a playbook with an incident trigger meets the need for post-incident automation (e.g., auto- closing incidents if they match certain conditions).

✅ Answer for Question 8: A. a playbook with an incident trigger

The Sentinel requirement states:

“Ensure that multiple alerts generated by rulequery1 in response to a single user launching Azure Cloud Shell multiple times are consolidated as a single incident.”

This behavior is controlled by the event grouping setting in the analytics rule configurati on.

Microsoft Sentinel documentation explains:

“Event grouping determines how alerts generated from the same rule are grouped into incidents. Selecting ‘Group all alerts triggered by this rule into a single incident’ allows all related alerts to be combine d.”

Hence, configuring event grouping ensures that all alerts from rulequery1 related to the same user are consolidated into one incident, satisfying the requirement.

✅ Answer for Question 10: C. event grouping

In Microsoft Sentinel, Hunting queries are used to proactively search for threats and anomalies across collected security data. The requirement states that HuntingQuery1 must run auto matically when the Hunting page of Microsoft Sentinel is accessed. According to Microsoft’s official Sentinel documentation, this behavior is achieved by adding the hunting query to “Favorites.”

When a query is marked as a favorite in the Sentinel Hunting blade, Sentinel automatically runs it every time the Hunting page is opened. This provides updated results without the need for manual execution, ensuring analysts always see the most current data for that query. This configuration also adheres to the orga nization’s requirement to minimize administrative effort , since it eliminates the need for scheduling, automation, or manual refresh actions.

Other options do not meet this functional requirement:

A. Add to a livestream is used to monitor near-real-time da ta streams, not to auto-run queries upon accessing the Hunting page.

B. Create a watchlist is used for referencing static external data sets (like IPs, users, or devices) inside KQL queries, not for automating hunting query execution.

C. Create an automati on rule applies to incident management workflows, not hunting query execution.

Therefore, as per Microsoft Sentinel’s hunting documentation and best practices, the correct and verified answer is:

D. Add HuntingQuery1 to favorites .

For a near-real-time (NRT) analytics rule that detects sign-ins by a designated break-glass account, the most direct and performant pattern is to filter SigninLogs by joining to a Microsoft Sentinel watchlist that contains the protected account(s). Sentinel exposes watchlists to KQL through the helper function _GetWatc hlist( ' < watchlist-name > ' ) , which returns a table with standard columns (including SearchKey ) plus any custom columns you imported. Using join kind=inner ensures the result set includes only those SigninLogs rows whose UserPrincipalName matches an entry in the watchlist—ideal for alerting on a high-value account without post-filtering.

The completed query is:

SigninLogs | join kind=inner (_GetWatchlist( ' breakglass_account ' )) on $left.UserPrincipalName == $right.SearchKey

This approach satisfies the requireme nt to implement an NRT rule for the break-glass account because:

NRT rules support KQL with joins and watchlists and are optimized for rapid evaluation over fresh data.

Using a watchlist lets SecOps adjust monitored accounts without editing the rule—minimi zing administrative effort and aligning with least-privilege operations (no extra permissions beyond watchlist management).

The inner join pattern reduces noise by returning only matched events, which are then turned into alerts/incidents by the NRT rule.

Thus, select join and GetWatchlist , and join UserPrincipalName to the watchlist’s SearchKey .

As outlined in Microsoft’s official Defender for Of fice 365 documentation, this service provides comprehensive protection against threats targeting Microsoft 365 collaboration tools—such as SharePoint Online , OneDrive for Business , and Microsoft Teams . The marketing team uses SharePoint Online for vendor c ollabora tion and has experienced incidents in which vendors uploaded malicious files. Microsoft Defender for Office 365 specifically addresses this scenario through features like Safe Attachments and Safe Links , which automatically scan uploaded or shared files for malware and block access to harmful content.

When a vendor uploads a file to SharePoint Online, Defender for Office 365 inspects the file in real time within a virtual sandbox environment before allowing users to open or share it. If malware is d etected, the system quarantines or removes the file and notifies administrators. These detection and remediation capabilities prevent infection propagation, protect sensitive marketing data, and maintain compliance with Contoso’s security posture.

By leveraging Defender for Office 365, Contoso’s marketing team can continue external collaboration safely, ensuring that all uploaded files are scanned and validated before internal access—thereby resolving their specific malware-related issue.

According to Microsoft Security Operations documentation, Microsoft Defender for Endpoint is designed to protect endpoint devices—including Windows, macOS, Android, and iOS —against cyberattacks through advanced behavioral analysis, threat intelligence, and automated investigation and remediation. In the given case study, the sales team exclusively uses iOS devices and has previously experienced attacks while exchanging files using third-party applications. These unmanaged file-sharing methods exposed the te am to malware, phishing, and data leakage threats.

By implementing Microsoft Defender for Endpoint on iOS, Contoso can apply unified endpoint protection across all mobile devices. Defender for Endpoint’s mobile threat defense (MTD) capabilities detect mali cious apps, risky network connections, jailbroken devices, and phishing attempts. It also integrates with Microsoft Intune for compliance enforcement and conditional access—ensuring only secure, compliant devices can access corporate resources. This direct ly mitigates the security challenges faced by the sales team while minimizing manual investigation effort through automated response.

Therefore, the issue affecting the sales team (mobile device attacks and unsafe file transfers) can be effectively resolve d using Microsoft Defender for Endpoint .

ï‚· Table: DeviceFileEvents

ï‚· Aggregation function: count()

In Microsoft Defender XDR advanced hunting, data tables such as DeviceFileEvents , DeviceProcessEvents , and CloudAppEvents are used to investigate various types of activities. Since this query aims to investigate an issue related to file activity—specifically identifying when files have been accessed, modified, or created repeatedly—the correct data source table is DeviceFileEvents . This table contains information about file-level activities recorded by Defender for Endpoint sensors, including file path, file name, action type, and user account involved.

The KQL structure shown in the image follows standard hunting query syntax:

DeviceFileEvents

| where Timestamp > ago(2d)

| summarize activityCount = count() by FolderPath, FileName, ActionType, AccountDisplayName

| where activityCount > 5

Here’s why:

The where Timestamp > ago(2d) clause filters results from the last 2 days, a typi cal timeframe for immediate investigations.

The summarize operator groups events by FolderPath, FileName, ActionType, and AccountDisplayName, then uses count() to determine how many times each file was acted upon.

Finally, where activityCount > 5 filters t o show only unusually high-frequency activity, which might indicate suspicious or automated file manipulation.

Microsoft Defender XDR documentation highlights that DeviceFileEvents is the correct schema for file activity investigations, while DeviceProcess Events focuses on process creation and execution, and CloudAppEvents targets cloud application usage.

Thus, the verified and documented correct completions are:

Table: DeviceFileEvents

Aggregation function: count()

ï‚· Internal threat: Modify the access policy settings for the key vault.

ï‚· External threat: Modify the Key Vault firewall s ettings.

For internal threats involving a potential compromise of Fabrikam’s own Azure AD applications, the most direct and least disruptive remediation is to modify the Key Vault access policies (or RBAC assignments, if RBAC for Key Vault data-plane is in use) to immediately remove or reduce the compromised service principal’s permissions (Get/List/Decrypt/Sign/Wrap). Microsoft guidance for Key Vault access emphasizes least privilege and promptly revoking credentials or app permissions when compromise i s suspected. Access policies (or data-plane RBAC) govern which identities can access secrets, keys, and certificates; adjusting these stops further data-plane actions by the compromised app. “Resource locks” protect against deletion or configuration change s at the management plane, but they do not remove a compromised identity’s ability to read or use vault objects, so they are not an appropriate first response for this scenario.

For external threats , Microsoft recommends hardening Key Vault firewall and networking : restrict public network access, allow only required IPs, use virtual network rules, and prefer private endpoints. Key Vault includes a built-in firewall for IP and VNet ACLs; tuning these controls reduces exposure to the public internet and blo cks unauthorized traffic. NSGs apply to IaaS subnets/nics and don’t directly secure the public Key Vault endpoint. Azure Firewall can add perimeter control, but it is not necessary for remediating a specific Key Vault Defender alert; the most effective and immediate remediation is tightening the Key Vault firewall settings to limit external access pathways.

To remediate active attacks automatically once alerts or incidents are detected, Microsoft Sentinel uses playbooks , which are workflows built on Azure Logic Apps . These playbooks can execute remediation actions—such as isolating a machine, blocking an account, or triggering other security control chang es—without manual intervention. Microsoft’s documentation clearly states that “playbooks in Microsoft Sentinel are based on workflows built in Azure Logic Apps” and that they can “automate and orchestrate your threat response by using playbooks … run a pla ybook on-demand or automatically in response to specific alerts or incidents.”

When an analytics rule in Sentinel triggers an alert or incident, you can attach an automation rule which in turn invokes a playbook (i.e. a Logic Apps workflow) to perform the remediation steps. The automation rule defines the trigger conditions and calls the playbook action as part of its response actions.

Let us evaluate other options:

Azure Automation runbooks (Option A) are powerful for scripting in Azure (e.g., PowerShell o r Python) and can perform remediation tasks, but they are not the native mechanism within Sentinel for orchestrated, alert-driven response workflows.

Azure Functions (Option C) are serverless compute for custom code, but you would have to build and integra te orchestration logic manually; they are not the out-of-box SOAR component in Sentinel.

Azure Sentinel livestreams (Option D) is not a recognized remediation automation component—it is irrelevant in this context.

Therefore, the correct solution to remedia te active attacks (triggering automated actions in response to alerts/incidents with minimal manual effort) is to use Azure Logic Apps (via Sentinel playbooks) as the orchestration engine. Logic Apps are the documented foundation of Sentinel’s automation r esponse capabilities.

To complete the KQL query against the BehaviorAnalytics t able, you need to know the exact column name (for example, the Boolean field that flags a new or first-time country for the sign-in). Microsoft’s standard method to discover table schemas and column names is the Logs (Log Analytics) query window . In this p ane, the left-hand Schema browser lists all connected tables and, when expanded, shows every column name and data type . Selecting a table (e.g., BehaviorAnalytics ) reveals its fields, and the editor provides IntelliSense/autocomplete for columns as you typ e your KQL, making it straightforward to complete a clause like | where < ColumnName > == true .

Security alerts in Azure Security Center (Defender for Cloud), the Azure Activity log, and Azure Advisor do not expose the per-table column schema needed to build KQL filters. Security Center surfaces alerts and recommendations; the Activity log records control-plane operations; and Advisor provides optimization guidance—none of these replace the Logs experience for exploring data schemas.

Therefore, to accurately identify and verify the column required in the where clause for failed sign-ins from a first-time country, you should use the Log Analytics workspace query window , consult the Schema pane for the BehaviorAnalytics table, and leverage the editor’s autocompl ete to insert the correct column name.

In Microsoft Sentinel (built on Azure Monitor Logs), analytics and hunting queries are executed within a Log Analytics workspace . To run Sentinel queries for Fabrikam, the tenant must have at least one workspace (with Sentinel enabled) in its subscription to host rules, incidents, hunting queries, and workbooks. Sentinel’ s cross-workspace/tenant capability is provided by cross-resource queries in Kusto Query Language (KQL). The key construct for reaching outside the current workspace is the workspace() function, which lets you reference another Log Analytics workspace by name or resource ID—even across subscriptions or tenants when proper permissions (often via Azure Lighthouse or guest access) are in place.

Typical correlation looks like:

union workspace( ' Fabrikam-WS ' ).SecurityEvent, workspace( ' Contoso-WS ' ).SecurityEvent | …

Here, workspace() is the required element to bring together data sets from multiple tenants; operators like extend and project only shape columns and do not establish cross-tenant scope. Therefore, to meet the requirements with minimal overhead: Fabrik am needs one workspace to host its Sentinel content, and you use workspace() in your KQL to correlate Contoso and Fabrikam data.

When User and Entity Behavior Analytics (UEBA) is enabled in Microsoft Sentinel, it automatically monitors Azure AD Sign-in Logs and provides activity templates for detecting common risky behaviors, such as failed sign-in attempts , impossible travel , or infrequent country logins .

To detect faile d interactive sign-ins with minimal administrative effort , you can simply enable the UEBA activity template for sign-in failures rather than building a custom scheduled alert or hunting query.

✅ Answer: B. a UEBA activity template

In Microsoft Defender XDR hunting, EmailAttachmentInfo includes metadata for received attachments (name, subject, and the file’s SHA256 ), while DeviceFileEvents records file operations on endpoints (open/read/execute) and also carries the SHA256 hash. Microsoft’s guidance for efficient joins in KQL recommends correlating artifacts using stable, high-cardinality identifiers (hashes) rather than paths or URLs, becau se paths can change and URLs may not be preserved on disk; hashes uniquely identify the same file across mail and endpoint telemetry. To minimize query resources , Kusto’s join kind=innerunique is preferred when the left side (EmailAttachmentInfo) is expect ed to have unique keys (one attachment hash per message instance) and you want at most one match per left record. It reduces shuffle/duplication compared to inner , improving performance while returning only devices that actually opened the same file (by ma tching SHA256 ) within the last 12 hours.

So the optimal query structure is:

EmailAttachmentInfo

| where Timestamp > ago(12h)

| where Subject == " Document Attachment " and FileName == " File1.pdf "

| join kind=innerunique

(DeviceFileEvents | where Timestamp > ago(12h))

on SHA256

This precisely identifies devices that received the email with File1.pdf and opened that same file, using the most efficient join strategy and a reliable correlation key.

Microsoft 365 Copilot for Security uses Security Compute Units (SCUs) to determine available processing capacity for AI-driven operations. Each SCU represents a fixed amount of comp ute resources for handling Copilot for Security prompts and plugin interactions (like Sentinel).

When a notification appears stating that “SCU usage is nearing the provisioned capacity limit,” it means that the organization’s current SCU allocation is insu fficient for ongoing demand. To restore full response functionality, the tenant admin (or authorized role) must increase the number of provisioned SCUs .

Microsoft documentation states:

“If Copilot for Security indicates that requests cannot be processed du e to SCU capacity, increase your provisioned SCUs in the Microsoft 365 admin center or Azure portal to meet demand.”

The other options do not resolve the issue:

Opening a second session does not add capacity.

Waiting does not guarantee SCU availability.

The Optimization Workbook relates to Sentinel performance, not Copilot SCU allocation.

✅ Answer: D. Update the provisioned SCUs

Azure Sentinel (now Microsoft Sentinel) is enabled per Log Analytics workspace . Each workspace opera tes independently; analytics rules in one Sentinel workspace cannot directly query another workspace’s data unless Sentinel is also enabled there.

To use scheduled analytics rules against data in the LogsWest workspace, you must first add Microsoft Sentinel to that workspace . After Sentinel is enabled on LogsWest, you can create or connect analytics rules that query its data. You cannot simply modify workspace settings or connect data across regions without enabling Sentinel for the target workspace.

In Azure Security Center (now part of Microsoft Defender for Cloud ), when you receive a security alert, you can investigate it to understand the cause, impact, and resolution recommendations.

The workflow described in the question aligns precisely with Microsoft’s documented process for investigating alerts.

From the Security alerts page:

You select the specific alert to open the alert details pane.

Choose Take Action to view remediation options and recommended next steps.

Expand the Prevent future attacks section — this section provides recommendations and hardening guidance directly related to the alert to help prevent similar issues from occurring again.

This section is specifically mentioned in Microsoft Defender for Cloud documentation:

“In the alert details page, select Take Action to view the remediation steps. Under Prevent future attacks , Defender for Cloud lists relevant security recommendati ons and actions that can mitigate or prevent the threat.”

Therefore, this solution meets the goal because selecting Take Action and expanding Prevent future attacks directly exposes the recommended remediation steps associated with that alert.

✅ Answer: A. Yes

In Micros oft Sentinel, to detect and alert on a specific behavior (such as enumeration of Azure Storage account keys ), two steps are needed:

Add a data connector — This step ensures that the relevant Azure Activity or Azure Storage logs are ingested into Sentinel. Without connecting the appropriate data source, Sentinel cannot analyze or detect that event type.

Create an analytics rule — Once the data is ingested, you define a rule that continuously runs a KQL query to detect specific activities (like key enumeratio n). The analytics rule evaluates the query on a schedule and triggers an immediate alert when conditions are met.

Microsoft’s Sentinel operations documentation confirms:

“To generate alerts, data must first be collected from relevant sources via connectors . Analytics rules then process this data to detect threats and trigger alerts or incidents.”

Livestream , hunting queries , and bookmarks are used for investigation or manual hunting but do not trigger automated alerts .

Hence, the correct combination is:

✅ B. Add a data connector

✅ C. Create an analytics rule

By creating an analytics rule, you can set up a query that will automatically run and alert you when the threat is detected, without having to manually run the query. This will help minimize administrative effort, as you can set up the rule once and it will run on a schedule, alerting you when the threat is detected. Reference: https://docs.microsoft.com/en-us/azure/sentinel/analytics-create-rule