Microsoft Updated SC-200 Exam Questions and Answers by boris

 Set the sensitivity level of the impossible travel alert policies to: Low

 To reduce the amount of false positive al erts: Add IP address ranges

In Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) , the impossible travel alert policy detects when a user signs in from two geographically distant locations within a timeframe that would make physical travel between them impossible. This is an important indicator of potential account compromise but can also generate false positives if not tuned properly.

Setting Sensitivity Level to Low: Microsoft Defender for Cloud Apps allows tuning of the Impossible travel policy sensitivity between Low , Medium , and High .

High sensitivity increases detection but also raises the likelihood of false positives.

Medium offers a balance.

Low reduces the number of alerts by limiting detections to only the most obvious and high-confidence anomalies. To meet operational requirements that minimize alert noise and false positives, the sensitivity should be set to Low .

Reducing False Positives — Add IP Address Ranges: According to Microsoft’s official Defender for Cloud Apps pol icy tuning guidance, the main way to reduce false positives in impossible travel alerts is by adding trusted IP address ranges (e.g., office networks, VPN exit nodes, proxy gateways) to the trusted IPs list . This ensures that logins from corporate or known network ranges are not flagged as anomalous, thereby significantly reducing false alerts.

Other options, like enabling or disabling leaked credential detection, are unrelated to the impossible travel anomaly and affect credential theft alerts instead.

The refore, the verified correct configuration is:

✅ Sensitivity level: Low

✅ Reduce false positives by: Add IP address ranges

Answer Area Task

User

Enable Microsoft Defender for Servers on virtual mac hines:

User1

Review security recommendations and enable server vulnerability scans:

User1

Query successful

This is a role-based access control (RBAC) question using the principle of least privilege.

The table of users and roles is:

Name

Role

User1

Security administrator

User2

Security reader

User3

Contributor

Export to Sheets

Action: This is a management/configuration task at the subscription level, often related to enabling Defender plans and installing extensions on VMs.

Required Permissions: The ability to modify security policies and settings in Microsoft Defender for Cloud and the permission to install extensions on VMs.

The Security Administrato r role is explicitly designed for this, granting permissions to manage the security features, policies, and program enrollment (like enabling Defender plans).

The Contributor role can also perform this by installing the necessary agents and extensions, but it grants broad access to manage all resources, violating the principle of least privilege for a purely security-focused task.

Least Privilege User: User1 (Security administrator)

A ction: This task has two parts:

Review security recommendations: This is a read-only action. The Security Reader role is sufficient.

Enable server vulnerability scans: This means configuring a security feature (Vulnerability Assessment), which requires wri te access to the security configuration or the resource itself.

The Security Reader role cannot perform the " enable " action.

The Security Administrator role has the permissions required to modify security policy and configuration to enable scanning features.

The Contributor role can also do this, but again, the Security Administrator role is the least privileged for a security-specific configuration change.

Least Privilege User: Since the entire task includes an " enable " (write) action, we must use the role that can perform both read and write security actions. User1 (Security administrator) is the appropriate choice.

Task Analysis and Role Mapping 1. Enable Microsoft Defender for Servers on virtual machines. 2. Review security recommendations and enable server vulnerability scans.

Answer Area Task

User

Enable Microsoft Defender for Servers on virtual machines:

User1

Review security recommendations and enable server vulnerability scans:

User1

Export logs to: ✅ Azure event hub

Configure streaming by: ✅ Configuring continuous export in Defender for Cloud for each subscription

In Microsoft Defender for Cloud , if you need to stream security alerts and recommendations to an external SIEM or syslog server , the supported approach is to export data to an Azure Event Hub , which ac ts as a streaming pipeline. The syslog server or SIEM solution can then pull data from the Event Hub in real time using connectors or custom listeners.

The configuration method for sending Defender for Cloud data to an Event Hub is known as continuous expo rt . According to Microsoft’s official Defender for Cloud documentation, continuous export lets you automatically stream alerts and security recommendations to Event Hubs or Log Analytics workspaces . However, when your target is a syslog server , Event Hub i s required because it supports continuous streaming outside Azure.

To minimize administrative effort across multiple subscriptions (100 in this case) , you can use Azure Policy or a script to apply continuous export settings per subscription , but the featur e must still be enabled individually for each subscription — hence the correct configuration step is:

“Configuring continuous export in Defender for Cloud for each subscription.”

Why not other options:

Log Analytics workspace: used for querying within Azure, not for streaming to external syslog servers.

Azure Storage account: suitable for archival, not streaming.

Modifying diagnostic settings of the tenant: applies only to Azure AD logs, not Defender for Cloud data.

XDR Custom Detection Rules Documentation):

In Microsoft Defender XDR, custom detection rules are scheduled KQL queries that evaluate telemetry on a recurring schedule, using a lookback (loopback) period to determine how much historical data to analyze during each run.

The loopback period determines the time window over which data i s evaluated (e.g., 12 hours, 48 hours). To change this period, administrators modify the rule’s schedule configuration — specifically the frequency or recurrence settings in the custom detection rule editor. The KQL query (including summarize or where oper ators) defines the logic but not the temporal scope of data evaluation.

Therefore, extending the loopback from 12 hours to 48 hours requires adjusting the frequency (schedule) configuration of the rule, not the query itself.

✅ Correct Answer: A. the freque ncy