Microsoft Updated SC-200 Exam Questions and Answers by lorelai

To enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel and collect Active Directory Domain Services (AD DS) security events, the integration relies on Microsoft Defender for Identity (MDI) . Defender for Identity monitors on-premises domain controllers and provides deep identity-based telemetry that Sentinel consumes for behavioral analytics and threat detection.

Here’s the correct sequence explained step-by-step:

Deploy Microsoft Defender for Identity on the AD DS domain

Defender for Identity sensors must be installed on each domain controller (or dedicated server) in your on-premises AD DS environment.

This step enables continuous monitoring of AD activities like logons, Kerberos authentications, and LDAP queries.

Microsoft documentation states:

“To collect and analyze AD DS activities for UEBA, deploy Microsoft Defender for Identity sensors in your domain controllers.”

Configure the Microsoft Defender for Identity connector in Microsoft Sentinel

In the Sentinel workspace (Sentinel1), go to Data connectors → Microsoft Defender for Identity → Connect .

This connector ingests identity-related alerts and telemetry from Defender for Identity into Sentinel’s Log Analytics workspace.

It allows Sentinel to correlate identity-based security data with other sources for threat detection and investigation.

Enable UEBA in Microsoft Sentinel

After integrating MDI, enable UEBA in Sentinel’s configuration settings.

UEBA uses identit y data (from MDI and Azure AD) and other logs to build behavioral baselines and detect anomalies such as lateral movement or privilege escalation.

Microsoft documentation notes:

“To start analyzing user and entity behaviors, enable UEBA after connecting id entity data sources such as Defender for Identity.”

Other actions listed (such as using legacy connectors or Windows Event Forwarding) are outdated or unnecessary when using MDI and Sentinel’s built-in connectors.

 First table: BehaviorAnalytics

 Joined table: AuditLogs

To detect when a user creates an unusually large number of Azure AD user accounts in Microsoft Sentine l, you should leverage UEBA signals from the BehaviorAnalytics table and enrich them with Azure AD audit data from AuditLogs . The BehaviorAnalytics table contains UEBA-derived insights (for example, the ActivityInsights flag and UsersInsights ) and normaliz ed activity fields such as ActionType (e.g., " Add user " ). Filtering BehaviorAnalytics for ActionType == " Add user " and ActivityInsights has " True " targets activities that the UEBA engine already assessed as anomalous, reducing noise and focusing on outlier s.

Then, join these anomalies to the AuditLogs table to pull authoritative Azure AD audit details (target object, initiator, correlation, and operation context). This combination aligns with Sentinel guidance: use BehaviorAnalytics for anomaly detection an d AuditLogs for the Azure AD operational record. Sorting by TimeGenerated and projecting user and insight fields completes the hunting query so analysts can review who triggered unusual “Add user” bursts and with what context.

Therefore, complete the query by selecting BehaviorAnalytics as the primary dataset and AuditLogs in the join(...) .

To block unsanctioned cloud apps on Windows 10 endpoints with Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps (formerly Cl oud App Security), you must enable and configure the product integration on both sides. First, in Microsoft Defender Security Center → Settings → Advanced features , turn on the Microsoft Defender for Cloud Apps integration (and ensure network protection pr erequisites are met). This allows Defender for Endpoint to receive the unsanctioned app list and enforce endpoint-based blocking when users on CLIENT1 attempt to access those apps via the browser or client.

Second, in Defender for Cloud Apps → Settings → C loud Discovery , configure the Microsoft Defender for Endpoint integration and enable Block unsanctioned apps . In Cloud Discovery, apps are discovered, assessed, and can be tagged as Unsanctioned . Once the MDE integration is enabled, that tag is exported to endpoints, which then enforce blocking based on the tenant’s app catalog and policies.

Options A (Onboarding settings) are for enrolling devices and do not control app blocking behavior. B (Anomaly detection policies) govern behavioral detections (e.g., i mpossible travel, anonymous IP) and are unrelated to endpoint enforcement of app access. Therefore, the two configurations you must modify to meet the requirement “block unsanctioned apps on Windows 10 computers by using Microsoft Defender for Endpoint” ar e C. Advanced features in Microsoft Defender Security Center and D. Cloud Discovery settings in Cloud App Security .

To integrate Microsoft Defender for Cloud Apps (MCAS) with Microsoft Sentinel , Microsoft’s official SecOps and Sentinel documentation specifies a two-step configuration process.

In the Defender for Cloud Apps portal – You add a security extension to enable integration with external SIEM platforms. This action allows MCAS to forward its alerts, activities, and discovered app telemetry to other Microsoft or third-party security platforms. By adding the secu rity extension , Defender for Cloud Apps is authorized to send data streams and alerts to Microsoft Sentinel through a supported API connection.

In Microsoft Sentinel (Azure portal) – You then add a data connector . Data connectors in Sentinel are predefined integration pipelines that bring in telemetry from Microsoft or external security solutions. The Microsoft Defender for Cloud Apps connector specifically ingests MCAS alerts and audit logs into Sentinel, where they can be correlated with other Microsoft D efender XDR signals, enabling unified detection and investigation across identity, endpoint, and cloud layers.

This integration approach adheres to Microsoft’s principle of minimizing administrative effort by using native connectors rather than custom inge stion or log collector configurations. Once connected, Sentinel automatically normalizes MCAS alerts into its SecurityAlert and CloudAppEvents tables for rule creation, playbook automation, and incident correlation.

Therefore, the verified correct configur ation is:

Defender for Cloud Apps: Add a security extension

Sentinel: Add a data connector