Practice Free SC-200 Exam Online Questions

Explanation:

For Conditional Access investigations in Microsoft Sentinel, the data source depends on the control plane used. When policies are downloaded via PowerShell, the cmdlets call the Microsoft Graph (e.g., Get-MgIdentityConditionalAccessPolicy). Those Graph requests are captured by the Microsoft Graph Activity Logs connector and land in the MicrosoftGraphActivityLogs table. This table records the app identity (such as PowerShell/Graph SDK), the API path (like /identity/conditionalAccess/policies), verb (GET), and result, which is ideal for spotting bulk reads/exports of policy definitions.

When policies are updated in the Microsoft Entra admin center, two streams provide visibility. First, directory auditing writes change events (create/update/delete of Conditional Access policies) to Microsoft Entra Audit logs, surfaced in Sentinel as the AuditLogs table, including the actor, target policy, operation (Update policy), and result. Second, the Entra admin center itself is a first-party application that performs the update by invoking Microsoft Graph; those API calls are also recorded in MicrosoftGraphActivityLogs (with verb PATCH/POST and the policy resource path).

Therefore, to cover both perspectives―the authoritative audit record and the underlying API activity―you should query AuditLogs and MicrosoftGraphActivityLogs for updates, and MicrosoftGraphActivityLogs for downloads executed through PowerShell.

Explanation:

To monitor and detect higher-than-normal volumes of password resets, you need to gather password reset event data both from Azure Active Directory (cloud identities) and from on-premises Active Directory (domain accounts). Microsoft’s official Defender XDR and Sentinel integration guidance describes that:

Azure AD Password Protection enforces and monitors password policies in both cloud and hybrid environments. It can detect weak, commonly used, or compromised passwords and logs related password change/reset activities. Deploying Azure AD Password Protection extends password reset visibility to on-premises domain controllers through the Password Protection proxy and DC agent. This makes it the correct choice for implementing monitoring at the identity environment level.

In Microsoft Sentinel, to ingest and analyze password reset activities from on-premises servers (e.g., domain controllers), you must use the Windows Security Events via AMA connector. This connector collects Event ID 4723 (password change), 4724 (password reset), and related security logs directly from Windows Servers into the Sentinel Log Analytics workspace through the Azure Monitor Agent (AMA). Once the events are available in Sentinel, they can be correlated with other identity or behavioral analytics to detect abnormal reset volumes or potential compromise attempts.

The other options are not suitable:

Microsoft Defender for Identity focuses on identity compromise detection, not specifically on password reset volume monitoring.

Smart lockout protects against brute-force sign-in attempts but doesn’t generate detailed reset event telemetry.

Microsoft security rule and UEBA are higher-level analytic configurations, not data ingestion mechanisms.

Therefore, to meet the Sentinel requirements for monitoring password reset anomalies:

✅ Implement in the identity environment: Azure AD Password Protection

✅ Configure in Microsoft Sentinel: The Windows Security Events via AMA connector