Microsoft Certified: Security Operations Analyst Associate SC-200 Updated Exam

In Microsoft Defender for Identity (MDI) , data collected from Active Directory Domain Serv ices (AD DS) is stored in Microsoft 365 Defender advanced hunting tables under the Identity schema.

When investigating LDAP or authentication activities related to domain controllers, the correct table is IdentityLogonEvents .

The IdentityLogonEvents table contains information about all logons detected by Defender for Identity sensors on domain controllers — including LDAP binds , Kerberos , NTLM , and other authentication types.

You can identify LDAP simple binds using a query such as:

IdentityLogonEvents

| wh ere Protocol == " LDAP "

| where AuthenticationPackage == " SimpleBind "

Other options explained:

AADServicePrincipalRiskEvents – Contains Entra (Azure AD) service principal risk detections, not AD DS activity.

AADDomainServicesAccountLogon – Used for Azure AD Domain Services (AAD DS), not traditional on-prem AD DS.

SigninLogs – Contains Entra (Azure AD) sign-in data, not LDAP or on-prem authentication.

✅ Correct table: IdentityLogonEvents

The Defender for Cloud requirement states:

“The members of Group1 must be able to enable Defender for Cloud plans and apply regulatory compliance initiatives.”

According t o Microsoft Defender for Cloud’s RBAC documentation, the Security Assessment Contributor role provides permissions to:

Enable and configure Defender plans,

Manage security policies and initiatives,

View and edit recommendations and compliance results.

This role gives enough permissions to perform Defender configuration tasks but follows the principle of least privilege , unlike broader roles like Owner or Contributor, which grant excessive rights.

✅ Answer for Question 9: C. Security Assessment Contributor

The case s tudy requires:

“Ensure that the Group1 members can create and edit playbooks.”

In Microsoft Sentinel, the ability to create, edit, and assign playbooks is granted by the Microsoft Sentinel Automation Contributor role.

This role allows users to:

Create and manage automation rules,

Create and edit playbooks (Logic Apps) in the connected subscription,

Associate playbooks with Sentinel incidents or alerts.

By contrast:

Logic App Contributor allows Logic App creation but doesn’t include Sentinel-level integration permissions.

Automation Operator can run playbooks but not edit or create them.

Sentinel Playbook Operator can execute playbooks but cannot modify or assign them.

✅ Answer for Question 11: A. Microsoft Sentinel Automation Contributor

To monitor Windows Security events from Server1 using the Windows Security Events via AMA connector, the first object you must create is a Data Collection Rule (DCR) . With the Azure Monitor Agent (AMA) model used by Microsoft Sentinel, data flow is controlled by DCRs, not by the legacy MMA/OMS workspace settings. A DCR defines what to collect (e.g., the Security event log, specific event IDs or XPath queries), from where (the target machines or machine groups), and where to send it (the Sentinel/Log Analytics workspace). After creating the DCR, you associate it with Server1 (Arc-enabled), and the connector will begin streaming Security events to your Sentinel workspace. Creating a Sentinel sch eduled rule or an automation rule does not enable collection; those features act after data is already ingested. Event Grid topics are unrelated to Windows event collection. Therefore, the correct first step for meeting the Sentinel requirement to monitor Server1’s Security log via AMA is to create a DCR , then assign it to Server1 and the Sentinel workspace.