For Linux alert simulation in Defender for Cloud, you first copy /bin/echo to a test file named asc_alerttest_662jfi039n, then execute it with the parameters testing eicar pipe. This sequence generates a benign test alert that validates the Defender for Cloud pipeline. The options using ./alerttest are incorrect file names and won’t trigger the simulation.QUESTION NO: 8

You create an Azure subscription named sub1.

In sub1, you create a Log Analytics workspace named workspace1.

You enable Azure Security Center and configure Security Center to use workspace1.

You need to ensure that Security Center processes events from the Azure virtual machines that report to workspace1.

What should you do?

A.In workspace1, install a solution.

B.In sub1, register a provider.

C.From Security Center, create a Workflow automation.

D.In workspace1, create a workbook.

Answer: A

When configuring Microsoft Defender for Cloud (formerly Azure Security Center) to use a specific Log Analytics workspace, you must ensure the Security solution is installed in that workspace so that security events from VMs reporting to the workspace are processed by Defender for Cloud. Registering a provider, creating workflow automations, or creating a workbook do not enable data processing for recommendations/alerts; installing the solution (now surfaced as the Defender for Cloud agent/solution enablement) does.

To monitor and detect higher-than-normal volumes of password resets, you need to gather password reset event data both from Azure Active Directory (cloud identities) and from on-premises Active Directory (domain accounts). Microsoft’s official Defender XDR and Sentinel integration guidance describes that:

Azure AD Password Protection enforces and monitors password policies in both cloud and hybrid environments. It can detect weak, commonly used, or compromised passwords and logs related password change/reset activities. Deploying Azure AD Password Protection extends password reset visibility to on-premises domain controllers through the Password Protection proxy and DC agent. This makes it the correct choice for implementing monitoring at the identity environment level.

In Microsoft Sentinel, to ingest and analyze password reset activities from on-premises servers (e.g., domain controllers), you must use the Windows Security Events via AMA connector. This connector collects Event ID 4723 (password change), 4724 (password reset), and related security logs directly from Windows Servers into the Sentinel Log Analytics workspace through the Azure Monitor Agent (AMA). Once the events are available in Sentinel, they can be correlated with other identity or behavioral analytics to detect abnormal reset volumes or potential compromise attempts.

The other options are not suitable:

Microsoft Defender for Identity focuses on identity compromise detection, not specifically on password reset volume monitoring.

Smart lockout protects against brute-force sign-in attempts but doesn’t generate detailed reset event telemetry.

Microsoft security rule and UEBA are higher-level analytic configurations, not data ingestion mechanisms.

Therefore, to meet the Sentinel requirements for monitoring password reset anomalies:

✅ Implement in the identity environment: Azure AD Password Protection

✅ Configure in Microsoft Sentinel: The Windows Security Events via AMA connector

To have a Microsoft Sentinel workbook pull live data from an external web service, you use the workbook’s built-in JSON data source. Workbooks can query REST endpoints that return JSON and render results dynamically in visuals. Because the Azure portal (where the workbook runs) is a different origin than your on-prem/public Webapp1, browsers will block these cross-origin requests unless the endpoint explicitly allows them. Therefore, the external service must enable CORS to permit the portal’s origin to fetch the JSON. This aligns with Microsoft guidance that Workbooks can query HTTP/HTTPS JSON endpoints and that external endpoints must allow cross-origin requests for client-side calls from the Azure portal. Enforcing CORS on Webapp1 satisfies the security model while enabling the workbook to retrieve data at view time—meeting the requirement to “dynamically retrieve data from Webapp1.” Options like “custom endpoint” or “custom resource provider” aren’t needed here, and enabling SOP or only enforcing TLS 1.2 wouldn’t address the browser’s cross-origin policy blocking the call.

Box 1: AzureActivity

The AzureActivity table includes data from many services, including Microsoft Sentinel. To filter in only data from Microsoft Sentinel, start your query with the following code:

Box 2: autocluster()

Example: description: |

'Listing of storage keys is an interesting operation in Azure which might expose additional

secrets and PII to callers as well as granting access to VMs. While there are many benign operations of this

type, it would be interesting to see if the account performing this activity or the source IP address from

which it is being done is anomalous.

The query below generates known clusters of ip address per caller, notice that users which only had single

operations do not appear in this list as we cannot learn from it their normal activity (only based on a single

event). The activities for listing storage account keys is correlated with this learned

clusters of expected activities and activity which is not expected is returned.'

AzureActivity

| where OperationNameValue =~ "microsoft.storage/storageaccounts/listkeys/action"

| where ActivityStatusValue == "Succeeded"

| join kind= inner (

AzureActivity

| where OperationNameValue =~ "microsoft.storage/storageaccounts/listkeys/action"

| where ActivityStatusValue == "Succeeded"

| project ExpectedIpAddress=CallerIpAddress, Caller

| evaluate autocluster()

) on Caller

| where CallerIpAddress != ExpectedIpAddress

| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = make_set(ResourceId), ResourceIdCount = dcount(ResourceId) by OperationNameValue, Caller, CallerIpAddress

| extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress

Microsoft Defender for DevOps integrates security analysis directly into CI/CD pipelines such as Azure Pipelines, GitHub Actions, and others. To enable secret scanning (and other code security checks) during the execution of a pipeline in Azure DevOps, the correct integration is through the Microsoft Security DevOps (MSDO) extension — not the older Microsoft Security Code Analysis (MSCA) extension.

Microsoft documentation (Defender for Cloud → Defender for DevOps integration guide) clearly states that:

“To enable scanning and policy enforcement for Azure DevOps pipelines, install the Microsoft Security DevOps extension from the Azure DevOps Marketplace. This extension integrates with Microsoft Defender for Cloud to perform security scans, including secret detection, infrastructure-as-code analysis, and dependency vulnerability checks.”

The older Microsoft Security Code Analysis (MSCA) extension has been superseded by Microsoft Security DevOps, which provides broader coverage and native Defender for Cloud integration.

After installing the extension, you must modify the pipeline definition (YAML) to add MSDO scanning steps.

The syntax typically looks like this:

steps:

- task: MicrosoftSecurityDevOps@1

displayName: 'Run Microsoft Security DevOps'

This step runs all configured scans (including secret scanning) automatically each time the pipeline runs. You add it under the steps section because it represents a specific task in the pipeline workflow.

✅ Final Answers:

Install: The Microsoft Security DevOps extension

Add: Steps

For Conditional Access investigations in Microsoft Sentinel, the data source depends on the control plane used. When policies are downloaded via PowerShell, the cmdlets call the Microsoft Graph (e.g., Get-MgIdentityConditionalAccessPolicy). Those Graph requests are captured by the Microsoft Graph Activity Logs connector and land in the MicrosoftGraphActivityLogs table. This table records the app identity (such as PowerShell/Graph SDK), the API path (like /identity/conditionalAccess/policies), verb (GET), and result, which is ideal for spotting bulk reads/exports of policy definitions.

When policies are updated in the Microsoft Entra admin center, two streams provide visibility. First, directory auditing writes change events (create/update/delete of Conditional Access policies) to Microsoft Entra Audit logs, surfaced in Sentinel as the AuditLogs table, including the actor, target policy, operation (Update policy), and result. Second, the Entra admin center itself is a first-party application that performs the update by invoking Microsoft Graph; those API calls are also recorded in MicrosoftGraphActivityLogs (with verb PATCH/POST and the policy resource path).

Therefore, to cover both perspectives—the authoritative audit record and the underlying API activity—you should query AuditLogs and MicrosoftGraphActivityLogs for updates, and MicrosoftGraphActivityLogs for downloads executed through PowerShell.

To run a PowerShell script when a suspicious-IP access alert is raised for Storage, use Workflow automation in Defender for Cloud to trigger a Logic App whenever a matching security alert occurs. The Logic App should use the Azure Security Center (Defender for Cloud) alert trigger, and from there you can call an Automation Runbook (PowerShell) or another action to execute your script. A manual or HTTP trigger isn’t needed because the flow must start automatically from the security alert, and an AAD app registration is not required for the basic alert-triggered flow.

In Microsoft Sentinel’s Advanced Security Information Model (ASIM), DNS queries are normalized through the Im_Dns parser, which unifies DNS telemetry from multiple sources (Infoblox, Windows DNS, Azure Firewall DNS proxy, etc.). Microsoft guidance states that when you need broad compatibility and want to “use built-in ASIM parsers whenever possible,” you should call the generic Im_Dns() parser. To minimize overhead, ASIM provides a pack parameter that restricts the parser to a specific content pack (vendor/source) so it won’t iterate through all available source parsers under the hood. For Infoblox NIOS, you pass the Infoblox pack via the pack parameter, which limits parsing to the Infoblox implementation and reduces query cost/latency while keeping the query portable across environments.

Putting it together, the recommended pattern is:

Im_Dns(pack="InfobloxNIOS")

| where DnsResponseCodeName == "NXDOMAIN"

| summarize count()

This approach satisfies all requirements:

Uses built-in ASIM (Im_Dns).

Minimizes query overhead (uses pack to limit parsing to Infoblox).

Targets NXDOMAIN responses for counting DNS request failures from Infoblox1.

Automation rules in Microsoft Sentinel cannot invoke playbooks that start with the entity trigger; the recommended and supported pattern is to use an incident-triggered playbook because an incident object contains the alerts and the incident’s entities. When an automation rule runs a playbook using the When a response to an Microsoft Sentinel incident is triggered (incident trigger), the playbook receives the full incident payload, including the entities array. That incident payload is what allows the logic app to enumerate entities and call the Entities - Get Hosts action for each entity found in the incident.

To ensure the playbook gets the entities and their detailed data needed by the Entities - Get Hosts action, you must configure the automation rule to pass the full incident properties (not just minimal alert fields). In the Run playbook action parameters, choose the option that provides the Alert + Full incident properties (i.e., the full incident object including entities). This guarantees the playbook has the entity objects to feed into the Entities - Get Hosts connector action so it can resolve the hosts related to those entities.

Therefore: use an incident-triggered playbook and pass Alert and FullIncidentProperties so the playbook can call Entities - Get Hosts successfully.

For SQL Server on Azure VMs (VM1), Defender for Cloud’s Advanced Threat Protection and Vulnerability Assessment for SQL “on machines” are enabled by registering the instance as a SQL virtual machine using the SQL IaaS Agent extension. This single Azure VM extension onboards the SQL workload, exposes SQL VM resource management, and lights up Defender for SQL (ATP + VA) with minimal admin effort—no separate agents are required on Azure VMs beyond this extension for these features.

For on-premises/Arc servers (Server1), the machine is already Arc-enabled. To protect SQL instances with Defender for Cloud and to surface vulnerability assessment and threat protection signals, you deploy the Azure Arc SQL Server extension (delivered as an Arc “virtual machine extension”) to register the instance with Azure. In addition, Arc scenarios use the Azure Monitor Agent (AMA) for data collection and security signal ingestion in Defender for Cloud (the legacy Log Analytics agent is not recommended). This combination satisfies ATP/VA requirements while keeping operations simple and consistent with current agent guidance.

Therefore:

VM1: only the Azure VM extension (SQL IaaS Agent extension).

Server1: AMA + an Azure (Arc) extension (Arc SQL Server extension).

Microsoft Defender for Cloud (formerly Azure Security Center) ingests GCP security signals via a native GCP connector that reads findings from Google Cloud Security Command Center (SCC). The documented onboarding flow begins in GCP: first, enable the SCC API so the service can be invoked by tooling and service accounts. Next, configure SCC at the organization/project level (turn it on and set scope), then enable Security Health Analytics (SHA)—the built-in SCC detector that continuously evaluates resources and emits misconfiguration and vulnerability findings Defender for Cloud relies on. After telemetry is being produced, create a dedicated service account with the required reader roles and generate a private key (JSON); Defender for Cloud uses this credential to securely pull SCC findings. Finally, in Defender for Cloud, add a GCP cloud connector and provide the service account key to establish the connection and start ingestion. This sequence minimizes errors: APIs and detections are active before credentials are created, and the connector is added only after data is available, ensuring immediate validation and lowest administrative overhead.

From Vulnerability Management, select Weaknesses, and search for and select the CVE.

Select Go to related security recommendations.

Create the remediation request.

According to Microsoft Defender Vulnerability Management documentation, the correct workflow for responding to a new CVE in your organization—especially when there is an active exploit—is to begin your investigation within the Vulnerability Management section of the Microsoft Defender portal.

From Vulnerability Management, select Weaknesses –Microsoft explains that all known CVEs are listed under Weaknesses in the Defender portal. You search by CVE ID (for example, CVE-2024-xxxx) to view its details, exploitability data, and the devices affected.

Select Go to related security recommendations –After opening the CVE details, the portal shows associated security recommendations that describe how to remediate the issue (such as updating software, removing an at-risk version, or applying a patch). Selecting Go to related security recommendations links the CVE directly to actionable remediation guidance.

Create the remediation request –Finally, Microsoft Defender for Endpoint allows security teams to formally request remediation from IT administrators or system owners. You can create a remediation request directly from the recommendation page, assigning it to the responsible group and specifying a due date.

This sequence aligns with Microsoft’s recommended remediation workflow for CVEs as described in Defender Vulnerability Management documentation and ensures that remediation actions are tracked and executed efficiently through the portal.

✅ Therefore, the correct order is:

(1) From Vulnerability Management → Weaknesses → search CVE → (2) Go to related security recommendations → (3) Create remediation request.

Task

User

Enable Microsoft Defender for Servers on virtual machines:

User1

Review security recommendations and enable server vulnerability scans:

User1

Query successful

This is a role-based access control (RBAC) question using the principle of least privilege.

The table of users and roles is:

Name

Role

User1

Security administrator

User2

Security reader

User3

Contributor

Export to Sheets

Action: This is a management/configuration task at the subscription level, often related to enabling Defender plans and installing extensions on VMs.

Required Permissions: The ability to modify security policies and settings in Microsoft Defender for Cloud and the permission to install extensions on VMs.

The Security Administrator role is explicitly designed for this, granting permissions to manage the security features, policies, and program enrollment (like enabling Defender plans).

The Contributor role can also perform this by installing the necessary agents and extensions, but it grants broad access to manage all resources, violating the principle of least privilege for a purely security-focused task.

Least Privilege User: User1 (Security administrator)

Action: This task has two parts:

Review security recommendations: This is a read-only action. The Security Reader role is sufficient.

Enable server vulnerability scans: This means configuring a security feature (Vulnerability Assessment), which requires write access to the security configuration or the resource itself.

The Security Reader role cannot perform the "enable" action.

The Security Administrator role has the permissions required to modify security policy and configuration to enable scanning features.

The Contributor role can also do this, but again, the Security Administrator role is the least privileged for a security-specific configuration change.

Least Privilege User: Since the entire task includes an "enable" (write) action, we must use the role that can perform both read and write security actions. User1 (Security administrator) is the appropriate choice.

Task

User

Enable Microsoft Defender for Servers on virtual machines:

User1

Review security recommendations and enable server vulnerability scans:

User1

For a near-real-time (NRT) analytics rule that detects sign-ins by a designated break-glass account, the most direct and performant pattern is to filter SigninLogs by joining to a Microsoft Sentinel watchlist that contains the protected account(s). Sentinel exposes watchlists to KQL through the helper function _GetWatchlist('<watchlist-name>'), which returns a table with standard columns (including SearchKey) plus any custom columns you imported. Using join kind=inner ensures the result set includes only those SigninLogs rows whose UserPrincipalName matches an entry in the watchlist—ideal for alerting on a high-value account without post-filtering.

The completed query is:

SigninLogs | join kind=inner (_GetWatchlist('breakglass_account')) on $left.UserPrincipalName == $right.SearchKey

This approach satisfies the requirement to implement an NRT rule for the break-glass account because:

NRT rules support KQL with joins and watchlists and are optimized for rapid evaluation over fresh data.

Using a watchlist lets SecOps adjust monitored accounts without editing the rule—minimizing administrative effort and aligning with least-privilege operations (no extra permissions beyond watchlist management).

The inner join pattern reduces noise by returning only matched events, which are then turned into alerts/incidents by the NRT rule.

Thus, select join and GetWatchlist, and join UserPrincipalName to the watchlist’s SearchKey.

 Table: DeviceFileEvents

 Aggregation function: count()

In Microsoft Defender XDR advanced hunting, data tables such as DeviceFileEvents, DeviceProcessEvents, and CloudAppEvents are used to investigate various types of activities. Since this query aims to investigate an issue related to file activity—specifically identifying when files have been accessed, modified, or created repeatedly—the correct data source table is DeviceFileEvents. This table contains information about file-level activities recorded by Defender for Endpoint sensors, including file path, file name, action type, and user account involved.

The KQL structure shown in the image follows standard hunting query syntax:

DeviceFileEvents

| where Timestamp > ago(2d)

| summarize activityCount = count() by FolderPath, FileName, ActionType, AccountDisplayName

| where activityCount > 5

Here’s why:

The where Timestamp > ago(2d) clause filters results from the last 2 days, a typical timeframe for immediate investigations.

The summarize operator groups events by FolderPath, FileName, ActionType, and AccountDisplayName, then uses count() to determine how many times each file was acted upon.

Finally, where activityCount > 5 filters to show only unusually high-frequency activity, which might indicate suspicious or automated file manipulation.

Microsoft Defender XDR documentation highlights that DeviceFileEvents is the correct schema for file activity investigations, while DeviceProcessEvents focuses on process creation and execution, and CloudAppEvents targets cloud application usage.

Thus, the verified and documented correct completions are:

Table: DeviceFileEvents

Aggregation function: count()

 Internal threat: Modify the access policy settings for the key vault.

 External threat: Modify the Key Vault firewall settings.

For internal threats involving a potential compromise of Fabrikam’s own Azure AD applications, the most direct and least disruptive remediation is to modify the Key Vault access policies (or RBAC assignments, if RBAC for Key Vault data-plane is in use) to immediately remove or reduce the compromised service principal’s permissions (Get/List/Decrypt/Sign/Wrap). Microsoft guidance for Key Vault access emphasizes least privilege and promptly revoking credentials or app permissions when compromise is suspected. Access policies (or data-plane RBAC) govern which identities can access secrets, keys, and certificates; adjusting these stops further data-plane actions by the compromised app. “Resource locks” protect against deletion or configuration changes at the management plane, but they do not remove a compromised identity’s ability to read or use vault objects, so they are not an appropriate first response for this scenario.

For external threats, Microsoft recommends hardening Key Vault firewall and networking: restrict public network access, allow only required IPs, use virtual network rules, and prefer private endpoints. Key Vault includes a built-in firewall for IP and VNet ACLs; tuning these controls reduces exposure to the public internet and blocks unauthorized traffic. NSGs apply to IaaS subnets/nics and don’t directly secure the public Key Vault endpoint. Azure Firewall can add perimeter control, but it is not necessary for remediating a specific Key Vault Defender alert; the most effective and immediate remediation is tightening the Key Vault firewall settings to limit external access pathways.

In Microsoft Sentinel (built on Azure Monitor Logs), analytics and hunting queries are executed within a Log Analytics workspace. To run Sentinel queries for Fabrikam, the tenant must have at least one workspace (with Sentinel enabled) in its subscription to host rules, incidents, hunting queries, and workbooks. Sentinel’s cross-workspace/tenant capability is provided by cross-resource queries in Kusto Query Language (KQL). The key construct for reaching outside the current workspace is the workspace() function, which lets you reference another Log Analytics workspace by name or resource ID—even across subscriptions or tenants when proper permissions (often via Azure Lighthouse or guest access) are in place.

Typical correlation looks like:

union workspace('Fabrikam-WS').SecurityEvent, workspace('Contoso-WS').SecurityEvent | …

Here, workspace() is the required element to bring together data sets from multiple tenants; operators like extend and project only shape columns and do not establish cross-tenant scope. Therefore, to meet the requirements with minimal overhead: Fabrikam needs one workspace to host its Sentinel content, and you use workspace() in your KQL to correlate Contoso and Fabrikam data.

To restrict cloud apps running on CLIENT1 (a Windows 10 endpoint) in compliance with Microsoft Defender for Endpoint (MDE) requirements, you must integrate Microsoft Defender for Endpoint with Microsoft Defender for Cloud Apps (formerly Cloud App Security) using Cloud Discovery. This integration enables the blocking of unsanctioned cloud apps through the endpoint’s network protection capabilities.

According to Microsoft Defender for Cloud Apps documentation, Cloud Discovery uses traffic data from Defender for Endpoint to identify and manage the use of shadow IT. The relevant steps include:

1️⃣ Enable advanced features in Microsoft Defender for Endpoint (M365 Defender portal → Settings → Endpoints → Advanced features).

You must enable the following advanced features:

Microsoft Defender for Cloud Apps integration

Network protection (in block mode)

Custom network indicators (if applicable)These options allow Defender for Endpoint to share telemetry and enforce app restrictions received from Defender for Cloud Apps.

2️⃣ Configure Cloud Discovery settings in Microsoft Defender for Cloud Apps.

In the Defender for Cloud Apps portal, Cloud Discovery must be configured to receive continuous reports from Defender for Endpoint devices. Within these settings, you define sanctioned and unsanctioned applications. Once an app is marked as unsanctioned, Defender for Endpoint enforces blocking on all onboarded devices (like CLIENT1).

This two-part configuration ensures that MDE enforces the blocking of unsanctioned cloud applications discovered through Cloud App Security telemetry, fulfilling the business requirement that “All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by using Microsoft Defender for Endpoint.”

To integrate Microsoft Defender for Cloud Apps (MCAS) with Microsoft Sentinel, Microsoft’s official SecOps and Sentinel documentation specifies a two-step configuration process.

In the Defender for Cloud Apps portal – You add a security extension to enable integration with external SIEM platforms. This action allows MCAS to forward its alerts, activities, and discovered app telemetry to other Microsoft or third-party security platforms. By adding the security extension, Defender for Cloud Apps is authorized to send data streams and alerts to Microsoft Sentinel through a supported API connection.

In Microsoft Sentinel (Azure portal) – You then add a data connector. Data connectors in Sentinel are predefined integration pipelines that bring in telemetry from Microsoft or external security solutions. The Microsoft Defender for Cloud Apps connector specifically ingests MCAS alerts and audit logs into Sentinel, where they can be correlated with other Microsoft Defender XDR signals, enabling unified detection and investigation across identity, endpoint, and cloud layers.

This integration approach adheres to Microsoft’s principle of minimizing administrative effort by using native connectors rather than custom ingestion or log collector configurations. Once connected, Sentinel automatically normalizes MCAS alerts into its SecurityAlert and CloudAppEvents tables for rule creation, playbook automation, and incident correlation.

Therefore, the verified correct configuration is:

Defender for Cloud Apps: Add a security extension

Sentinel: Add a data connector

To attach notes that you can later see during investigations and hunting, you use Bookmarks in Microsoft Sentinel. Bookmarks are created from the Hunting (or Logs) experience inside the Sentinel workspace and let you pin a specific query result (including IPs, accounts, hosts) with notes, tags, and mapped entities so it appears in the investigation graph and is easily referenceable. The correct workflow is: first, run your KQL query from the Microsoft Sentinel workspace (not from generic Azure Monitor), because Sentinel’s hunting experience is where bookmarks integrate with incidents and the investigation graph. Next, select a specific query result that represents the suspicious activity (e.g., a data access event from the target IP). Finally, create a Bookmark and map the relevant entity (IP address, Account, etc.) while adding your notes. Mapping the entity ensures the bookmarked event is connected in the investigation graph; the notes provide the narrative/context you need when pivoting later. Adding the query to favorites is optional for convenience but does not attach notes to a specific event, and running the query from Azure Monitor would not place the bookmark within Sentinel’s investigation context.

To block unsanctioned cloud apps on Windows 10 endpoints with Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps (formerly Cloud App Security), you must enable and configure the product integration on both sides. First, in Microsoft Defender Security Center → Settings → Advanced features, turn on the Microsoft Defender for Cloud Apps integration (and ensure network protection prerequisites are met). This allows Defender for Endpoint to receive the unsanctioned app list and enforce endpoint-based blocking when users on CLIENT1 attempt to access those apps via the browser or client.

Second, in Defender for Cloud Apps → Settings → Cloud Discovery, configure the Microsoft Defender for Endpoint integration and enable Block unsanctioned apps. In Cloud Discovery, apps are discovered, assessed, and can be tagged as Unsanctioned. Once the MDE integration is enabled, that tag is exported to endpoints, which then enforce blocking based on the tenant’s app catalog and policies.

Options A (Onboarding settings) are for enrolling devices and do not control app blocking behavior. B (Anomaly detection policies) govern behavioral detections (e.g., impossible travel, anonymous IP) and are unrelated to endpoint enforcement of app access. Therefore, the two configurations you must modify to meet the requirement “block unsanctioned apps on Windows 10 computers by using Microsoft Defender for Endpoint” are C. Advanced features in Microsoft Defender Security Center and D. Cloud Discovery settings in Cloud App Security.