
Microsoft SC200 Certification - Microsoft Endpoint & eXtended Detection Response (EDR/XDR) Part 2D - Microsoft Defender for Cloud Apps (MDCA)

  • brencronin
  • 6 days ago
  • 4 min read

Microsoft Defender for Cloud Apps (MDCA)


Microsoft Defender for Cloud Apps (MDCA) primarily focuses on discovering and assessing the cloud applications used in your environment (Cloud Discovery). Each discovered app carries a risk score, and you can build policies on that score to sanction or unsanction specific applications.


MDCA also monitors for suspicious app behavior. For example, AzCopy is a cross-platform command-line tool for copying data to and from Azure Storage. If an administrator used it to transfer an unusually large volume of data, MDCA would flag the activity as an anomaly and raise an alert.


MDCA also monitors the suspicious ways apps are accessed. Its built-in anomaly detection policies overlap with the sign-in risk detections covered in the discussion of Microsoft Entra ID Protection (those require the Entra ID P2 premium license) and include:


  • Anonymous IP Address Usage

  • Impossible Travel

  • Mass Access to Sensitive Files

  • New Country

  • Suspicious inbox forwarding

  • Suspicious inbox manipulation rules
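The detections in this list are easier to reason about once you see the logic behind three of them. The following is an added Python example, not MDCA's code: it runs toy versions of "activity from infrequent country", "impossible travel" and "activity from a tagged IP" (MDCA ships a Botnet tag among its built-in IP tags) over constructed sign-in events, and applies a corporate IP-range exclusion of the kind used to suppress impossible-travel false positives. The thresholds (900 km/h, 100 km, three baseline sign-ins), the corporate range, the tagged address and every sign-in are assumptions made up for the example; the IPs come from the RFC 5737 documentation ranges.

```python
"""Toy MDCA-style anomaly detections over constructed sign-in events.
Added example with assumed thresholds and made-up data, not MDCA's own logic."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
import math


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime      # UTC
    ip: str
    country: str      # ISO 3166-1 alpha-2, as a geolocation lookup would return
    lat: float
    lon: float


# Assumed configuration (documentation-range addresses, made-up thresholds).
CORPORATE_RANGES = [ip_network("203.0.113.0/24")]   # assumed corporate VPN/proxy egress
IP_TAGS = {"198.51.100.7": "Botnet"}                # assumed IP-tag lookup result
MAX_PLAUSIBLE_KMH = 900.0                           # assumed: roughly airliner speed
MIN_TRAVEL_KM = 100.0                               # assumed: ignore geolocation jitter
MIN_BASELINE_EVENTS = 3                             # assumed: prior sign-ins before "infrequent country" can fire


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def is_corporate(ip):
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def detect(events):
    """Return (detection name, user, timestamp) tuples. Events are processed in time
    order so each user's earlier sign-ins form the baseline for the later ones."""
    alerts = []
    history = defaultdict(list)
    for ev in sorted(events, key=lambda e: (e.ts, e.user)):
        prior = history[ev.user]

        tag = IP_TAGS.get(ev.ip)
        if tag:
            alerts.append((f"Activity from {tag} IP", ev.user, ev.ts))

        seen_countries = {p.country for p in prior}
        if len(prior) >= MIN_BASELINE_EVENTS and ev.country not in seen_countries:
            alerts.append(("Activity from infrequent country", ev.user, ev.ts))

        if prior:
            last = prior[-1]
            # Corporate exclusion: a VPN/proxy egress geolocates to the concentrator,
            # not the user, so a leg touching a corporate range is not judged for speed.
            if not (is_corporate(ev.ip) or is_corporate(last.ip)):
                km = haversine_km(last.lat, last.lon, ev.lat, ev.lon)
                hours = (ev.ts - last.ts).total_seconds() / 3600.0
                if km >= MIN_TRAVEL_KM and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
                    alerts.append(("Impossible travel", ev.user, ev.ts))

        prior.append(ev)
    return alerts


# Constructed sample sign-ins (fictional users, documentation-range IPs).
SAMPLE_EVENTS = [
    SignIn("alice", datetime(2024, 5, 1, 9, 0), "192.0.2.10", "GB", 51.5074, -0.1278),
    SignIn("alice", datetime(2024, 5, 2, 9, 5), "192.0.2.10", "GB", 51.5074, -0.1278),
    SignIn("alice", datetime(2024, 5, 3, 8, 55), "192.0.2.10", "GB", 51.5074, -0.1278),
    SignIn("alice", datetime(2024, 5, 6, 9, 10), "192.0.2.10", "GB", 51.5074, -0.1278),
    # London then Tokyo two hours later: impossible travel and a never-seen country.
    SignIn("alice", datetime(2024, 5, 6, 11, 10), "192.0.2.99", "JP", 35.6762, 139.6503),
    # Frankfurt then Singapore an hour later, but both from corporate egress: excluded.
    SignIn("bob", datetime(2024, 5, 6, 8, 0), "203.0.113.5", "DE", 50.1109, 8.6821),
    SignIn("bob", datetime(2024, 5, 6, 9, 0), "203.0.113.200", "SG", 1.3521, 103.8198),
    # Single sign-in from an address carrying the Botnet tag.
    SignIn("carol", datetime(2024, 5, 6, 10, 0), "198.51.100.7", "US", 40.7128, -74.0060),
]

if __name__ == "__main__":
    for name, user, ts in detect(SAMPLE_EVENTS):
        print(f"{ts:%Y-%m-%d %H:%M}  {user:6}  {name}")
```

Running it prints three alerts (two for alice, one for carol) and nothing for bob, which is the point of the exclusion: in Question 3 below, the corporate range is what you would exclude rather than disabling the policy. The real product uses learned user baselines and IP reputation rather than these fixed constants.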


Additionally, MDCA provides file monitoring for connected cloud apps such as SharePoint, which can detect malicious content in stored files and inspect them for sensitive data, enhancing your organization's overall security posture.


Microsoft Defender for Cloud Apps (MDCA) Review Questions


Question 1

You want to receive an alert when a user signs in from a location they do not normally use. Which MDCA activity should you monitor?


A. Activity from risky IP

B. Activity from infrequent country

C. Impossible travel

D. Unusual file download


Correct Answer: B

Explanation: Activity from infrequent country detects sign-ins from locations not commonly associated with the user.


Question 2

You have a remote office and want to enforce MFA for all remote users using Conditional Access. What must you include in your solution?


A. A user risk policy

B. An activity policy

C. A named location

D. A session policy


Correct Answer: C

Explanation: Named locations are required to scope Conditional Access policies based on trusted or untrusted locations.


Question 3

You created a custom MDCA activity detection policy based on your organization’s IP address range. You receive frequent Impossible Travel alerts, but 99% are legitimate corporate traffic. Which two actions should you take to reduce false positives?

(Select two.)


A. Disable the policy

B. Configure automatic data enrichment

C. Create an activity policy exclusion for the corporate IP range

D. Tag the app as unsanctioned


Correct Answers: B and C

Explanation: Automatic data enrichment improves IP context, and IP exclusions prevent alerts from known corporate locations.


Question 4

You need MDCA to alert when confidential files are shared. Which actions should you perform in the Defender for Cloud Apps portal?

(Select two.)


A. Enable file monitoring

B. Enable automatic scanning for Azure Information Protection (AIP) labels

C. Create an anomaly detection policy

D. Configure a session policy


Correct Answers: A and B

Explanation: File monitoring must be enabled before MDCA inspects files at all, and enabling automatic scanning for Azure Information Protection labels (now Microsoft Purview sensitivity labels) lets a file policy match files carrying the Confidential label and alert when they are shared.


Question 5

You need to create a custom policy that detects connections to Microsoft 365 apps originating from botnet networks. Which configuration should you use?


A. Activity policy filtered by user agent

B. Anomaly detection policy filtered by IP address tag

C. File policy filtered by app type

D. Session policy with Conditional Access


Correct Answer: B

Explanation: Anomaly detection policies can be scoped with the IP address tag filter, and MDCA provides a built-in Botnet tag among its IP tags.


Question 6

You do not have Microsoft Defender for Endpoint (MDE) but want to remediate risk from an unsanctioned app discovered in MDCA. What steps should you take?

(Select all that apply.)


A. Select the app in MDCA

B. Tag the app as unsanctioned

C. Generate a block script

D. Run the script on the network appliance


Correct Answers: A, B, C, and D

Explanation: With MDE integrated, tagging an app as unsanctioned is enforced on endpoints automatically. Without MDE, you generate an appliance-specific block script from the unsanctioned apps in MDCA and deploy it on the firewall or proxy that supplies the discovery logs.
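The discovery-to-block workflow covered by the opening paragraph (risk scores feeding sanction/unsanction policies) and by Question 6 (generating a block script) fits in one added Python example. This is not MDCA's code: it parses constructed proxy log lines, aggregates traffic per app against an assumed app catalog with MDCA-style risk scores (1 is riskiest, 10 is least risky), applies an assumed app discovery policy that tags low-score apps as unsanctioned, and emits a hypothetical generic "deny host" list in place of the appliance-specific script MDCA generates. The log lines, the catalog, the .test domains and the sanctioned set are all made up for the example.

```python
"""Toy Cloud Discovery pipeline: proxy log -> discovered apps -> risk-based
discovery policy -> block list. Added example with constructed data, not MDCA code."""

# Constructed proxy log lines: timestamp user destination_host bytes_out
PROXY_LOG = """\
2024-05-06T09:00:01Z alice files.example-share.test 120000
2024-05-06T09:02:11Z bob api.example-share.test 8000
2024-05-06T09:05:40Z carol www.pastebin-like.test 450000
2024-05-06T09:07:02Z alice www.pastebin-like.test 2000
2024-05-06T09:09:55Z bob login.microsoftonline.com 900
2024-05-06T09:12:33Z dave unknown-saas.test 3000
"""

# Assumed app catalog: domain suffix -> (app name, risk score 1..10, 10 = least risky)
APP_CATALOG = {
    "example-share.test": ("ExampleShare", 8),
    "pastebin-like.test": ("PasteBinLike", 2),
    "microsoftonline.com": ("Microsoft 365", 10),
}

SANCTIONED = {"Microsoft 365"}   # assumed manual sanctioned tags set by an admin


def parse_log(text):
    """Parse the constructed four-column log format into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, out = line.split()
        rows.append({"ts": ts, "user": user, "host": host, "bytes": int(out)})
    return rows


def catalog_lookup(host):
    """Longest-suffix match of a host against catalog domains; None if unknown."""
    for suffix in sorted(APP_CATALOG, key=len, reverse=True):
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def discover(rows):
    """Aggregate users, bytes and hosts per discovered app. Hosts not in the
    catalog are reported as 'Unknown (<host>)' with no risk score."""
    apps = {}
    for r in rows:
        suffix = catalog_lookup(r["host"])
        if suffix is None:
            name, score = "Unknown (" + r["host"] + ")", None
        else:
            name, score = APP_CATALOG[suffix]
        app = apps.setdefault(name, {"risk_score": score, "users": set(),
                                     "bytes": 0, "hosts": set(), "tag": None})
        app["users"].add(r["user"])
        app["bytes"] += r["bytes"]
        app["hosts"].add(r["host"])
    return apps


def apply_discovery_policy(apps, max_risk_score=3):
    """Assumed app discovery policy: tag apps scoring <= max_risk_score as
    unsanctioned unless explicitly sanctioned; unknown apps are left for an analyst."""
    for name, app in apps.items():
        if name in SANCTIONED:
            app["tag"] = "sanctioned"
        elif app["risk_score"] is not None and app["risk_score"] <= max_risk_score:
            app["tag"] = "unsanctioned"
    return apps


def block_script(apps):
    """Hypothetical generic block list, one 'deny <host>' line per unsanctioned
    host. MDCA's real generator emits the syntax of the chosen appliance instead."""
    hosts = sorted(h for a in apps.values() if a["tag"] == "unsanctioned"
                   for h in a["hosts"])
    return "\n".join("deny " + h for h in hosts)


if __name__ == "__main__":
    discovered = apply_discovery_policy(discover(parse_log(PROXY_LOG)))
    for name, app in discovered.items():
        print(f"{name:30} score={app['risk_score']} users={len(app['users'])} "
              f"bytes={app['bytes']} tag={app['tag']}")
    print(block_script(discovered))
```

The sanctioned check runs before the score check so that an admin's explicit decision is never overridden by the policy, and unknown hosts are surfaced rather than silently blocked; both are the behaviours you would want from the real discovery policy before pushing its output to a production appliance.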


Question 7

You need to create an MDCA policy that generates alerts based on a trainable classifier. Which type of policy should you create?


A. Activity policy

B. Session policy

C. File policy

D. Anomaly detection policy


Correct Answer: C

Explanation: File policies support trainable classifiers and content inspection for sensitive data.


Question 8

You need to be notified when a user signs in from a risky IP address, and the user must also be notified. Which policy type should you create?


A. File policy

B. Session policy

C. Activity policy

D. App discovery policy


Correct Answer: C

Explanation: Activity policies generate alerts and support user and admin notifications.


Question 9

You plan to use an Azure Logic App to remediate risks detected in Microsoft Defender for Cloud (formerly Azure Security Center). How do you test the solution?

(Select two.)


A. Configure the Logic App trigger for Defender for Cloud recommendations

B. Manually trigger the Logic App from workflow automation

C. Enable continuous export

D. Configure diagnostic settings


Correct Answers: A and B

Explanation: Defender for Cloud triggers and workflow automation are used to test Logic App remediation.


Question 10

You need Defender for Cloud to generate alerts for suspicious sign-ins. Which three steps are required?

(Select three.)


A. Enable Azure Defender for the subscription

B. Deploy the ASC alert test executable

C. Rename the executable to ASC_AlertTest_662jfi039N.exe

D. Run the executable with the appropriate arguments

E. Enable regulatory compliance


Correct Answers: A, C, and D

Explanation: Enabling a Defender plan (Defender for Servers) on the subscription and then running the renamed test executable with an argument such as -foo produces a sample alert, which validates that alert generation works.


Question 11

The SecOps team reports they are not receiving alert notification emails from Defender for Cloud. What should you configure?


A. Workflow automation

B. Pricing and settings

C. Continuous export

D. Security policies


Correct Answer: B

Explanation: Email notifications are configured per subscription under Pricing & settings (now Environment settings) in Defender for Cloud.


Question 12

You receive an alert in Defender for Cloud. To review remediation recommendations, you open Regulatory compliance and download a report. Does this meet the goal?


A. Yes

B. No


Correct Answer: B

Explanation: Regulatory compliance reports do not provide alert-specific remediation guidance.


Question 13

You receive an alert in Defender for Cloud. You select Take action and expand the Mitigate the threat section to view remediation steps. Does this meet the goal?


A. Yes

B. No


Correct Answer: A


Question 14


Which MDCA policy types should you use for the following requirements?

  • Detect unusual activity

  • Scan cloud apps for specific data

  • Search and log unusual occurrences across cloud apps


Correct Answer:

  • Detect unusual activity → Anomaly detection policy

  • Scan cloud apps for specific data → File policy

  • Search and log unusual occurrences across cloud apps → Cloud Discovery anomaly detection policy

Explanation: Cloud Discovery anomaly detection policies look at the firewall and proxy logs used for discovering cloud apps and search them for unusual occurrences. App discovery policies, by contrast, only alert when new apps are detected in the organization.


