SC-200 Exam Dumps : Microsoft Security Operations Analyst

To integrate Microsoft Defender for Cloud Apps (MCAS) with Microsoft Sentinel, Microsoft’s official SecOps and Sentinel documentation specifies a two-step configuration process.

In the Defender for Cloud Apps portal – You add a security extension to enable integration with external SIEM platforms. This action allows MCAS to forward its alerts, activities, and discovered app telemetry to other Microsoft or third-party security platforms. By adding the security extension, Defender for Cloud Apps is authorized to send data streams and alerts to Microsoft Sentinel through a supported API connection.

In Microsoft Sentinel (Azure portal) – You then add a data connector. Data connectors in Sentinel are predefined integration pipelines that bring in telemetry from Microsoft or external security solutions. The Microsoft Defender for Cloud Apps connector specifically ingests MCAS alerts and audit logs into Sentinel, where they can be correlated with other Microsoft Defender XDR signals, enabling unified detection and investigation across identity, endpoint, and cloud layers.

This integration approach adheres to Microsoft’s principle of minimizing administrative effort by using native connectors rather than custom ingestion or log collector configurations. Once connected, Sentinel automatically normalizes MCAS alerts into its SecurityAlert and CloudAppEvents tables for rule creation, playbook automation, and incident correlation.

Therefore, the verified correct configuration is:

Defender for Cloud Apps: Add a security extension

Sentinel: Add a data connector

In Microsoft Defender for Endpoint (Plan 2), you can use indicator file hashes (IoC file hashes) to block files from executing or being downloaded. When you create a file hash indicator, you specify the exact file hash (for example, SHA-256 or MD5) and choose actions such as “block” or “remediate.”

However, an important detail is that file hash indicators are applied to specific files—that is, for a given executable or file content. You cannot use a hash indicator to block all files of a certain extension generically. If a given file has a different hash, it will not be blocked unless you add its specific hash. Because the question says you found suspected malware files sys, pdf, docx, xlsx, and you need to block users from downloading those files, only those files for which you can compute and apply a specific hash indicator can be blocked. The question implies you can create indicator hashes for each of those file names (assuming each has a unique hash).

Thus you can block all four (File1.sys, File2.pdf, File3.docx, File4.xlsx) by adding each as an indicator hash. The choice E lists all four. That is consistent with Microsoft’s statements that “you can create indicators that define detection, prevention, or exclusion of entities,” and file hash indicators specifically apply to those files. Microsoft Learn+3Microsoft Learn+3Microsoft Learn+3

Options that exclude some file types (e.g. only blocking sys and docx but not pdf or xlsx) would leave gaps, which doesn’t satisfy the requirement of blocking all those suspected files. Hence E is the correct answer.