
Exam SC-200 topic 3 question 33 discussion

Actual exam question from Microsoft's SC-200
Question #: 33
Topic #: 3

You have an Azure subscription named Sub1 and a Microsoft 365 subscription. Sub1 is linked to an Azure Active Directory (Azure AD) tenant named contoso.com.
You create an Azure Sentinel workspace named workspace1. In workspace1, you activate an Azure AD connector for contoso.com and an Office 365 connector for the Microsoft 365 subscription.
You need to use the Fusion rule to detect multi-staged attacks that include suspicious sign-ins to contoso.com followed by anomalous Microsoft Office 365 activity.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. Create custom rule based on the Office 365 connector templates.
  • B. Create a Microsoft incident creation rule based on Azure Security Center.
  • C. Create a Microsoft Cloud App Security connector.
  • D. Create an Azure AD Identity Protection connector.
Suggested Answer: CD

Comments

arunkum
Highly Voted 3 years, 6 months ago
Answer should be A & D. Azure Security Center is not in the equation at all. Any comments?
upvoted 27 times
Discuss4certi
3 years, 6 months ago
I follow A and D. ASC indeed shouldn't be in the equation when you are already using Sentinel. D for the logon events and A for the O365 activity.
upvoted 11 times
Menard001
2 years, 10 months ago
You create an Azure Sentinel workspace named workspace1. In workspace1, you activate an Azure AD connector for contoso.com and an Office 365 connector for the Microsoft 365 subscription.
upvoted 1 times
Menard001
2 years, 10 months ago
There's a connector already so why D?
upvoted 1 times
vincenttoolate
2 years, 9 months ago
The 2 connectors mentioned in the question are not enough. CD
upvoted 2 times
Menard001
2 years, 10 months ago
D. Create an Azure AD Identity Protection connector. You will add another connector?
upvoted 1 times
Contactfornitish
Highly Voted 3 years, 2 months ago
Selected Answer: AD
Thinking logically, the question gives no mention of MCAS and there are only two connectors active, AD (not Identity Protection) and O365. The AD connector can give only what happened, not what's suspicious, so you would need the Azure AD Identity Protection connector for that, so D is certain. C is a no go as there is no log upload etc. set up, nor are we talking about custom or third-party apps or Shadow IT of any kind. B should not be the case as we are talking about identity compromise and then actions followed in O365, not on-prem, so Azure Security Center is out. The question is not talking about incident generation either, but the Fusion rule. Coming to A, there are samples of analytics rules about Log4J activities and other types of suspicious patterns, but there is nothing specific about covering everything, so nothing is there built-in, but all logs are there to capture any kind of activities in O365 and their pattern, so a custom rule makes sense which would need to cover relevant scenarios. My pick would be A & D.
upvoted 22 times
pedromonteirozikado
3 years, 1 month ago
But the question mentions anomalies.
upvoted 1 times
talosDevbot
Most Recent 6 months, 3 weeks ago
Selected Answer: CD
Answer: C and D. You need to go to the content hub and activate the following connectors:
- Defender for Cloud Apps [formerly Cloud App Security]
- Entra ID Protection [appears to be deprecated now, last update was 04/2024]
There's only one Fusion rule in Sentinel and you can only enable/disable it. You can configure the sources of the signals Fusion detection is utilizing, such as: Defender for Cloud Apps, Defender for Endpoint, Defender for Identity, Defender for Office 365, and raw logs from other sources such as Palo Alto Networks. Having as many connectors enabled as possible will better improve multistage attack detection for the Fusion rule.
https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/microsoft-entra-id-protection
upvoted 2 times
Studytime2023
9 months ago
https://learn.microsoft.com/en-us/azure/sentinel/configure-fusion-rules This mentions needing all signals (see point 6). Furthermore, the question says: "You need to use the Fusion rule to detect multi-staged attacks that include suspicious sign-ins to contoso.com followed by anomalous Microsoft Office 365 activity". Sign-ins = Azure AD ID Protection. Office 365 activity = cloud apps. Finally, it says you need to use the Fusion rule. So the rule already exists and you don't need to be creating any more "rules" or templates. That is my final take after spending ages researching.
upvoted 2 times
Ramye
1 year, 2 months ago
Selected Answer: CD
C - because you need anomalous Microsoft Office 365 activity.
D - because you need to detect multi-staged attacks that include suspicious sign-ins. This is identity related.
upvoted 2 times
Ramye
1 year, 2 months ago
Selected Answer: CD
C & D make sense to me to satisfy the requirements of the question. However, note: Microsoft has updated and changed their names since then, and in the Microsoft Sentinel Connector page the new names are showing (not the ones in the question), e.g.
Azure AD (AAD) Identity ---> Microsoft Entra ID
Microsoft Cloud App Security ---> Microsoft Defender for Cloud Apps
upvoted 3 times
Max_DeJaV
1 year, 3 months ago
Selected Answer: CD
I recently attended a Microsoft SC-200 class. The teacher suggested to us that "preview" features are usually not included in the exams/questions. As I can read here: https://learn.microsoft.com/en-us/azure/sentinel/configure-fusion-rules#configure-scheduled-analytics-rules-for-fusion-detections it seems that Fusion detections can utilize "scheduled analytics rules". However, as mentioned in the disclaimer, it is stated that: "Fusion-based detection using analytics rule alerts is currently in PREVIEW". Therefore, I should go to: C and D.
upvoted 1 times
kabooze
1 year, 6 months ago
Selected Answer: CD
It also seems you need C & D https://learn.microsoft.com/en-us/azure/sentinel/fusion#fusion-for-emerging-threats
upvoted 1 times
chepeerick
1 year, 6 months ago
AB, connector already set up
upvoted 1 times
danb67
1 year, 6 months ago
https://learn.microsoft.com/en-us/azure/sentinel/fusion-scenario-reference#mass-file-deletion-following-suspicious-microsoft-entra-sign-in
Mass file deletion following suspicious Microsoft Entra sign-in
MITRE ATT&CK tactics: Initial Access, Impact
MITRE ATT&CK techniques: Valid Account (T1078), Data Destruction (T1485)
Data connector sources: Microsoft Defender for Cloud Apps, Microsoft Entra ID Protection
upvoted 3 times
danb67
1 year, 6 months ago
Selected Answer: CD
There is another question in this set that asks why Fusion is on but not generating alerts. The answer is because there are no data connectors enabled. We need to enable the correct data connectors to ensure the Fusion rule actually produces alerts. So a Fusion rule, whilst it is on by default, won't produce alerts if you are not pushing data to it. https://learn.microsoft.com/en-us/azure/sentinel/fusion-scenario-reference
upvoted 2 times
SaHaGe
1 year, 7 months ago
It's definitely C and D. This is a real-world scenario example of several events involving Azure AD and Office 365. Reference: https://learn.microsoft.com/en-us/azure/sentinel/fusion-scenario-reference#office-365-impersonation-following-suspicious-azure-ad-sign-in
upvoted 1 times
mali1969
1 year, 7 months ago
To use the Fusion rule to detect multi-staged attacks that include suspicious sign-ins to contoso.com followed by anomalous Microsoft Office 365 activity, you should perform the following two actions:
C. Create an Azure AD Identity Protection connector. This connector enables you to stream Azure AD Identity Protection alerts into Microsoft Sentinel and use them as part of the Fusion detection logic.
D. Create a Microsoft Cloud App Security connector. This connector enables you to stream Microsoft Cloud App Security alerts into Microsoft Sentinel and use them as part of the Fusion detection logic.
upvoted 1 times
itsadel
1 year, 8 months ago
Selected Answer: CD
correct
upvoted 2 times
donathon
1 year, 8 months ago
Selected Answer: AD
https://techcommunity.microsoft.com/t5/itops-talk-blog/azure-sentinel-using-rule-templates/ba-p/2028427
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
A: Based on the article above, A is a must.
D: Based on the second article, it does look like the answer too.
B: Only creates the incident.
C: Don't need Cloud App at all as this is not considered a cloud app.
upvoted 1 times
donathon
1 year, 8 months ago
To add on. B doesn't make sense since it only deals with Azure or on-prem workloads.
upvoted 1 times
itsadel
1 year, 9 months ago
Selected Answer: AD
A. Create custom rule based on the Office 365 connector templates. The Office 365 connector templates include a number of pre-built queries that can be used to detect anomalous Microsoft Office 365 activity. You can create a custom rule based on these templates to detect multi-staged attacks that include suspicious sign-ins to contoso.com followed by anomalous Microsoft Office 365 activity.
D. Create an Azure AD Identity Protection connector. The Azure AD Identity Protection connector provides information about suspicious sign-ins to Azure AD. This information can be used to improve the accuracy of the Fusion rule.
upvoted 3 times
7c0a
1 year, 10 months ago
Selected Answer: CD
A. Create custom rule based on the Office 365 connector templates: no need to create a custom rule. The Fusion rule (Advanced Multistage Attack Detection) is not a part of the Office 365 connector templates, but uses it.
B. Create a Microsoft incident creation rule based on Azure Security Center: not relevant.
C. Create a Microsoft Cloud App Security connector: currently we already have the AD and Office 365 connectors; this definitely might contribute (correlated searches) to monitor suspicious sign-in events from other clouds which use contoso.com.
D. Create an Azure AD Identity Protection connector: this module has its own user sign-in risk detection models; you definitely want to correlate with its detections.
https://learn.microsoft.com/en-us/azure/sentinel/configure-fusion-rules
upvoted 4 times
Community vote distribution: A (35%), C (25%), B (20%), Other