Back to Microsoft Security Operations Analyst Associate (SC-200)

Configure protections and detections

Configure protections in Microsoft Defender security technologies and set up detections in Microsoft Defender XDR and Microsoft Sentinel.

Encompasses configuring protections in Microsoft Defender security technologies including policies for Defender for Cloud Apps, Defender for Office 365, Defender for Endpoint with attack surface reduction (ASR) rules, and cloud workload protections in Defender for Cloud. Covers configuring detections in Microsoft Defender XDR including custom detection rules, alert management, tuning, suppression, correlation, and deception rules. Also includes configuring detections in Microsoft Sentinel through entity classification, analytics rules management, ASIM parsers for data querying, and behavioral analytics implementation.
5 minutes 5 Questions

Configuring protections and detections is a critical responsibility for Microsoft Security Operations Analysts. This process involves setting up and fine-tuning security controls across Microsoft's security ecosystem to identify threats and safeguard organizational assets. In Microsoft Defender fo…

Concepts covered: Configure policies for Microsoft Defender for Cloud Apps, Configure policies for Microsoft Defender for Office 365, Configure Defender for Endpoint security policies and ASR rules, Configure cloud workload protections in Defender for Cloud, Configure and manage custom detection rules, Manage alerts including tuning, suppression, and correlation, Configure deception rules in Microsoft Defender XDR, Classify and analyze data using entities, Configure and manage analytics rules in Sentinel, Query Microsoft Sentinel data using ASIM parsers, Implement behavioral analytics in Sentinel

Test mode:
Start practice test
SC-200 - Configure protections and detections Example Questions

Test your knowledge of Configure protections and detections

Question 1

A Security Operations Analyst at Tailspin Toys is reviewing an alert where an unusual number of Azure Key Vault access attempts occurred during a maintenance window. The logs show that managed identity 'mi-webapp-inventory-prod' associated with Azure Web App 'app-inventory-fe-westus' made 237 secret retrieval calls to Key Vault 'kv-tailspin-secrets-prod' between 23:45 and 01:20, accessing secrets named 'SQLConnectionString', 'APIKey-PaymentGateway', and 'CertificatePassword-SSL'. Normal patterns show this managed identity averages 15-20 secret retrievals per hour during business hours. The analyst must classify these entities to determine whether this activity represents a compromised managed identity, legitimate maintenance automation with expanded scope, or a misconfigured deployment script. To establish the context and identify potential credential harvesting behavior, which entity attribute correlation provides the most comprehensive insight into the deviation from established access patterns?

Correct Answer: Analyzing the temporal access patterns of the managed identity against the specific secret names retrieved, combined with the originating Azure resource metadata to identify changes in deployment configuration or resource association

In this scenario, a Security Operations Analyst needs to determine whether the unusual Key Vault access pattern represents a security incident or legitimate activity. The most comprehensive approach is to analyze the temporal access patterns of the managed identity against the specific secret names retrieved, combined with the originating Azure resource metadata to identify changes in deployment configuration or resource association.

This answer is correct because it addresses multiple critical dimensions of the investigation:

  1. Temporal Analysis: By examining when the 237 access attempts occurred (23:45 to 01:20) versus normal business hours patterns (15-20 per hour), the analyst can identify the significant deviation. This timeframe analysis is crucial for understanding if this aligns with scheduled maintenance activities.

  2. Secret Name Correlation: The specific secrets accessed (SQLConnectionString, APIKey-PaymentGateway, CertificatePassword-SSL) provide context about what credentials were targeted. This helps distinguish between a broad credential harvesting attack versus legitimate application needs during deployment or configuration updates.

  3. Resource Metadata Analysis: Examining the originating Azure resource (app-inventory-fe-westus) and its configuration changes helps determine if the Web App underwent deployment, scaling, or configuration changes that would legitimately require increased secret retrievals.

This combination provides the most comprehensive view because it correlates behavior (access patterns), targets (specific secrets), and context (resource changes) - the three essential elements for determining if this represents compromised credentials, legitimate automation, or misconfiguration.

The other approaches have limitations:

Examining role assignments and permission elevation focuses on authorization changes but doesn't explain why the access volume increased during this specific timeframe or whether the pattern aligns with legitimate operational needs.

Correlating deployment history with certificate-based authentication and scaling metrics makes assumptions about the authentication method and focuses too heavily on traffic-driven scaling, which may not be relevant during a maintenance window when traffic is typically lower.

Mapping network source locations and secret version history provides valuable security context but doesn't directly address the core question of why the access volume increased so dramatically during this specific period, making it less effective for distinguishing between the three potential scenarios presented.

Question 2

Riverstone Pharmaceuticals has been running Microsoft Sentinel with UEBA enabled for 105 days across their research facility of 4,200 employees. The security team has observed concerning patterns where certain laboratory technicians show elevated investigation priority scores in the BehaviorAnalytics table, with anomaly indicators suggesting unusual data access behaviors. The SOC manager wants to create an automated response workflow that takes specific actions when users reach critical behavioral risk thresholds. Specifically, when any user entity accumulates an investigation priority score of 8.5 or higher AND exhibits at least four distinct anomaly types within a 12-hour window, the system should automatically: disable the user's access to sensitive research databases, notify the user's manager via email, create a high-severity incident with enriched entity context, and post details to the security Teams channel. The solution must evaluate the behavioral analytics data continuously and execute these coordinated response actions as a unified workflow. What should the security analyst implement to achieve this automated behavioral risk-based response capability?

Correct Answer: Create an analytics rule that queries the BehaviorAnalytics table for entities meeting the specified thresholds, then configure automation rules to trigger a playbook that executes the remediation actions and notification steps

The correct approach for this scenario involves creating an analytics rule that queries the BehaviorAnalytics table for entities meeting the specified thresholds, then configuring automation rules to trigger a playbook that executes the remediation actions and notification steps.

This is the best solution because:

  1. BehaviorAnalytics Table: This is the specific table in Microsoft Sentinel where UEBA data is stored, including investigation priority scores and anomaly indicators. This table contains the exact metrics mentioned in the scenario (investigation priority scores of 8.5 or higher and distinct anomaly types).

  2. Analytics Rule: Creating an analytics rule allows you to define the specific detection logic (investigation priority >= 8.5 AND >= 4 distinct anomaly types within 12 hours) that continuously evaluates the UEBA data.

  3. Automation Rules + Playbook: This is the standard Microsoft Sentinel workflow for automated response. Automation rules trigger when incidents are created by analytics rules, and they can invoke playbooks (Logic Apps) to execute the coordinated response actions (disable access, send notifications, enrich incidents, post to Teams).

  4. Unified Workflow: This architecture provides the exact unified workflow requested, where detection triggers automated remediation as a cohesive process.

Why the other options are incorrect:

The second option incorrectly focuses on IdentityInfo and SecurityAlert tables rather than the BehaviorAnalytics table where UEBA data resides. These tables don't contain the investigation priority scores or anomaly type information needed for this specific behavioral analytics scenario.

The third option suggests using AuditLogs and SigninLogs with Azure Functions to calculate custom risk scores. This is unnecessary complexity since Microsoft Sentinel UEBA already calculates investigation priority scores and identifies anomalies in the BehaviorAnalytics table. Creating custom risk scoring would duplicate existing UEBA functionality.

The fourth option mentions fusion detection rules, which are designed for advanced multi-stage attack detection by correlating alerts from multiple sources. This scenario requires straightforward behavioral threshold detection from UEBA data, not multi-stage attack correlation. Additionally, OfficeActivity and AzureActivity tables don't contain the UEBA metrics needed for this use case.

Question 3

Your organization uses Microsoft 365 and various third-party SaaS applications. The compliance team has identified that employees are uploading sensitive financial documents containing credit card numbers to personal cloud storage services during business hours. As the Security Operations Analyst, you need to prevent this data exfiltration while maintaining productivity. The compliance officer specifically requires real-time blocking of file uploads containing payment card information to unsanctioned cloud storage apps, with the ability to provide educational messages to users when their actions are blocked. Which Microsoft Defender for Cloud Apps policy configuration would best address this requirement?

Correct Answer: Create a Session policy with real-time monitoring enabled, configure the Activity source as 'Files matching all of the following', set Content inspection method to 'Data Classification Service' with sensitive info type for credit card numbers, and define Control method as 'Block' with custom blocking message for user notification

The correct solution is to create a Session policy with real-time monitoring enabled, configure the Activity source as 'Files matching all of the following', set Content inspection method to 'Data Classification Service' with sensitive info type for credit card numbers, and define Control method as 'Block' with custom blocking message for user notification.

This is the best answer because:

  1. Real-time blocking requirement: Session policies in Microsoft Defender for Cloud Apps are specifically designed for real-time monitoring and control of user sessions. They can intercept and block actions as they happen, which is essential for preventing data exfiltration in real-time.

  2. Content inspection capability: The Data Classification Service can inspect file contents in real-time to detect sensitive information types, including credit card numbers, during upload operations.

  3. Immediate blocking with user education: Session policies allow you to block the action immediately and display a custom blocking message to users, fulfilling the requirement for educational notifications when actions are blocked.

  4. Session control integration: This approach works with Conditional Access App Control, which enables real-time session monitoring and control without requiring API connections to unsanctioned apps.

Why the other options are less suitable:

The File policy approach focuses on post-upload governance actions like quarantine, which means files are inspected after they've already been uploaded to the cloud service. This doesn't meet the real-time blocking requirement and allows sensitive data to leave the organization's control, even temporarily.

The Access policy solution is designed to control whether users can access applications at all, not to monitor and control specific activities within sessions. While it mentions Conditional Access App Control integration, Access policies are primarily about allowing or blocking access to entire applications rather than controlling specific file operations in real-time.

The Activity policy approach generates alerts and can trigger governance actions after detecting suspicious activities, but it's not designed for real-time blocking of user actions. Activity policies work on a detection-and-response model rather than prevention, and suspending user accounts is an overly aggressive response that would significantly impact productivity. The requirement specifically calls for blocking the specific action (file upload) while maintaining productivity, not blocking user access entirely.

More Configure protections and detections questions
432 questions (total)
Start 100 question test