SC-200 Practice Questions

In Microsoft Defender for Cloud (formerly Azure Security Center), workflow automation is used to run Logic Apps in response to recommendations or alerts. Because your goal is to automatically remediate security risks (which are surfaced as recommendations—secure score items like missing configurations or hardening tasks), the Logic App should be wired to the Recommendation trigger. The workflow automation rule monitors recommendation events and calls your Logic App with the recommendation payload, enabling parameterized remediation. To test the Logic App from within Defender for Cloud, you use the Recommendations blade: open any applicable recommendation and choose the action to run the associated Logic App. This directly invokes LA1 with the correct context (affected resource, subscription, control ID), allowing you to validate inputs, connections, and remediation steps on demand. Options like Automation rules (alerts) or Workflow automation page “Run” aren’t suited for validating recommendation-driven remediation scenarios because they either act on alerts or don’t pass the full recommendation context needed for remediation. Therefore, select the Recommendation trigger and test execution from Recommendations.

In Microsoft 365 Defender’s Advanced Hunting (Kusto Query Language - KQL), investigators use the DeviceLogonEvents table to search for authentication attempts and filter failed logons. To detect failed sign-ins from specific devices, you begin by applying a where clause that filters only the relevant logon failures and the specific device names you want to investigate.

The correct syntax and logical order—based on Microsoft Security Operations (SecOps) and Microsoft 365 Defender hunting guide—is to first filter (where) the ActionType to “LogonFailed,” then narrow down the dataset to the target devices (DeviceName in ("CFOLaptop", "CEOLaptop", "COOLaptop")). This ensures that only failed authentication attempts from those three machines are included.

After filtering, the summarize operator is used to group the data by DeviceName and LogonType, counting how many failures occurred per device and logon type. This aggregation step follows Microsoft’s recommended practice for incident hunting, allowing analysts to quickly assess which devices are generating unusual authentication failure volumes.

Finally, the project statement selects only the LogonFailures output, simplifying the results for reporting or alerting purposes.

This query structure aligns exactly with Microsoft 365 Defender Advanced Hunting documentation for detecting failed logins on specific endpoints while maintaining query efficiency and clarity, minimizing administrative overhead during investigations

To correlate malicious email attachments with endpoints, Microsoft Defender data schemas expose attachment metadata in EmailAttachmentInfo (including the SHA256 hash) and endpoint file activity in DeviceFileEvents (which also records SHA256 for observed files). The recommended investigation pattern is: (1) filter email telemetry to the suspected sender and keep only attachments with a populated hash; (2) join that result with endpoint file events on the SHA256 hash to find devices where an identical file (by cryptographic hash) was seen. In KQL, isnotempty(SHA256) ensures you only pass attachments with a valid hash to the join, and join ... on SHA256 performs an exact-match correlation across datasets. This method aligns with Defender’s guidance to use hash-based correlation as the most reliable way to match artifacts across different security workloads (email vs. endpoint), since filenames and paths can change, but a cryptographic hash uniquely identifies file content. The final project selects operational fields for response—timestamps, file name and hash, device identifiers/names, message IDs, and sender/recipient—so the SOC can quickly pivot to the impacted devices and the original email that delivered the file.

| From the Syslog configuration, remove the facilities that send CEF messages. | CEF1 | | From the Log Analytics agent, disable Syslog synchronization. | Server2 |

The goal is to eliminate duplicate events in the Azure Sentinel workspace (SW1). Duplication typically occurs when the same log source is sending data to Azure Sentinel via multiple collection methods.

Analysis of the Environment

SW1 is the Azure Sentinel (now Microsoft Sentinel) workspace, which is the final destination for all logs.

CEF1 is a Linux server configured as a log forwarder (often called a CEF collector) for Microsoft Sentinel. It uses the Log Analytics agent (or the newer Azure Monitor Agent) to ingest logs and is specifically configured to forward Common Event Format (CEF) logs to SW1.

Server1 sends CEF logs to CEF1. This is the intended, single collection path for Server1's CEF logs: Server1 CEF1 SW1. No duplication is inherent here.

Server2 sends Syslog logs to CEF1. This path is: Server2 CEF1 SW1.

Since CEF1 is running the Log Analytics agent (required to forward logs to SW1) and is configured to collect Syslog data (to receive Server2's logs), the Log Analytics agent on CEF1 will also attempt to ingest the Syslog messages it receives into SW1.

However, the Log Analytics agent itself can also be used to collect Syslog/CEF logs directly from the source server.

Addressing Duplication

Duplication is most likely to occur if a server is sending the same logs to a forwarder AND also has the Log Analytics agent configured to send the same logs directly to SW1.

Action 1: From the Syslog configuration, remove the facilities that send CEF messages.

Resource: CEF1

Reasoning: CEF1 is a Linux server running the Log Analytics agent and is acting as the collector. Server1 sends CEF logs to CEF1. These CEF logs are transmitted using Syslog (specifically, a custom Syslog format). If the Log Analytics agent on CEF1 is configured to collect all Syslog facilities, it will ingest the raw CEF Syslog messages it receives from Server1 AND also ingest the parsed CEF messages via its custom forwarding logic. To prevent the Syslog collector on CEF1 from ingesting the raw CEF messages that it is supposed to be forwarding, you must modify its Syslog configuration (e.g., in /etc/rsyslog.conf or equivalent) to ignore the facilities/log files used by the incoming CEF messages from Server1. The primary purpose of CEF1 is to receive and forward CEF, not to have its Log Analytics agent ingest the raw Syslog that transports the CEF payload.

Action 2: From the Log Analytics agent, disable Syslog synchronization.

Resource: Server2

Reasoning: Server2 is configured to send Syslog logs to CEF1 (Server2 CEF1 SW1). Since Server2 is a Linux server, it may also have the Log Analytics agent installed for other monitoring purposes. If the Log Analytics agent on Server2 is installed, it is configured by default to collect Syslog logs directly and send them to SW1 (Server2 SW1). This creates a duplicate path for the Syslog data:

Path A (Intended): Server2 Syslog CEF1 SW1

Path B (Duplication): Server2 Log Analytics Agent Syslog SW1

According to Microsoft Sentinel documentation on log ingestion, when using a dedicated forwarder (like CEF1) for Syslog/CEF, you must disable the Syslog collection on the Log Analytics agent of the source machine (Server2) to prevent this duplication. This is typically done by disabling Syslog synchronization in the Log Analytics agent configuration or removing the Syslog entry from the agent's data sources.

According to Microsoft Defender for Cloud (formerly Azure Security Center) documentation, when integrating servers and virtual machines for security monitoring, the Defender for Cloud data is stored and analyzed in a Log Analytics workspace. Microsoft best practices recommend using an existing workspace when one is already deployed for centralized log collection—especially if it already gathers telemetry from Azure and on-premises resources.

In this case, the existing workspace LA1 already “contains logs and metrics collected from all Azure resources and on-premises servers.” This satisfies the business requirement of “all servers must send logs to the same Log Analytics workspace.” Creating a new workspace would violate the cost-minimization and centralization requirements. Therefore, LA1 is the correct workspace to use.

For the Windows security events collection setting, Defender for Cloud offers three levels:

Minimal – collects essential security events only (insufficient for comprehensive monitoring).

Common – collects a balanced set of security-related events (such as account logon, privilege use, and object access), recommended by Microsoft for most environments.

All Events – collects every possible security event, which increases data ingestion cost and is typically used only for high-security or regulated environments.

Because Litware Inc. must minimize cost while ensuring a full audit trail of user activities, the Common level provides the optimal balance of visibility and cost efficiency.

Therefore, based on Microsoft Defender for Cloud configuration guidelines:

✅ Log Analytics workspace to use: LA1

✅ Windows security events to collect: Common

According to Microsoft’s official Defender for Identity deployment documentation, setting up Microsoft Defender for Identity (MDI) on an on-premises domain controller (DC) such as DC1 requires a specific sequence of steps. MDI monitors and protects Active Directory from advanced threats by using sensors installed directly on domain controllers.

The correct sequence is as follows:

1️⃣ Provide global administrator credentials to the Azure AD tenant.

Microsoft Defender for Identity is created and managed in the Microsoft 365 Defender portal or Microsoft Security portal, which requires global administrator permissions to provision the MDI instance and connect it to the Azure AD tenant.

2️⃣ Create an instance of Microsoft Defender for Identity.

You must create an MDI instance in the portal before deploying any sensors. This instance defines your Defender for Identity workspace and generates the configuration package that sensors will later use to connect to the cloud service.

3️⃣ Provide domain administrator credentials to the on-premises Active Directory domain.

Domain admin credentials are required for the sensor installation because the sensor must access the domain controller’s security logs, event logs, and directory services to monitor authentication traffic and suspicious activities.

4️⃣ Install the sensor on DC1.

Since DC1 is a domain controller connected directly to the internet, the standard sensor (not the standalone sensor) is installed directly on it. The standalone sensor is used only when you do not want to install the sensor directly on a D

C.  

This sequence aligns with Microsoft Defender for Identity deployment guidance, ensuring secure onboarding of DC1 while maintaining the principle of least privilege and meeting the business requirement to protect all domain controllers.

✅ Final Order:

Provide global administrator credentials →

Create instance of Microsoft Defender for Identity →

Provide domain administrator credentials →

Install the sensor on DC1.

To integrate Microsoft Defender for Cloud Apps (MCAS) with Microsoft Sentinel, Microsoft’s official SecOps and Sentinel documentation specifies a two-step configuration process.

In the Defender for Cloud Apps portal – You add a security extension to enable integration with external SIEM platforms. This action allows MCAS to forward its alerts, activities, and discovered app telemetry to other Microsoft or third-party security platforms. By adding the security extension, Defender for Cloud Apps is authorized to send data streams and alerts to Microsoft Sentinel through a supported API connection.

In Microsoft Sentinel (Azure portal) – You then add a data connector. Data connectors in Sentinel are predefined integration pipelines that bring in telemetry from Microsoft or external security solutions. The Microsoft Defender for Cloud Apps connector specifically ingests MCAS alerts and audit logs into Sentinel, where they can be correlated with other Microsoft Defender XDR signals, enabling unified detection and investigation across identity, endpoint, and cloud layers.

This integration approach adheres to Microsoft’s principle of minimizing administrative effort by using native connectors rather than custom ingestion or log collector configurations. Once connected, Sentinel automatically normalizes MCAS alerts into its SecurityAlert and CloudAppEvents tables for rule creation, playbook automation, and incident correlation.

Therefore, the verified correct configuration is:

Defender for Cloud Apps: Add a security extension

Sentinel: Add a data connector

To restrict cloud apps running on CLIENT1 (a Windows 10 endpoint) in compliance with Microsoft Defender for Endpoint (MDE) requirements, you must integrate Microsoft Defender for Endpoint with Microsoft Defender for Cloud Apps (formerly Cloud App Security) using Cloud Discovery. This integration enables the blocking of unsanctioned cloud apps through the endpoint’s network protection capabilities.

According to Microsoft Defender for Cloud Apps documentation, Cloud Discovery uses traffic data from Defender for Endpoint to identify and manage the use of shadow IT. The relevant steps include:

1️⃣ Enable advanced features in Microsoft Defender for Endpoint (M365 Defender portal → Settings → Endpoints → Advanced features).

You must enable the following advanced features:

Microsoft Defender for Cloud Apps integration

Network protection (in block mode)

Custom network indicators (if applicable)These options allow Defender for Endpoint to share telemetry and enforce app restrictions received from Defender for Cloud Apps.

2️⃣ Configure Cloud Discovery settings in Microsoft Defender for Cloud Apps.

In the Defender for Cloud Apps portal, Cloud Discovery must be configured to receive continuous reports from Defender for Endpoint devices. Within these settings, you define sanctioned and unsanctioned applications. Once an app is marked as unsanctioned, Defender for Endpoint enforces blocking on all onboarded devices (like CLIENT1).

This two-part configuration ensures that MDE enforces the blocking of unsanctioned cloud applications discovered through Cloud App Security telemetry, fulfilling the business requirement that “All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by using Microsoft Defender for Endpoint.”