Microsoft Certified: Security Operations Analyst Associate SC-200 Book

In Microsoft Sentinel (built on Azure Monitor Logs), analytics and hunting queries are executed within a Log Analytics workspace . To run Sentinel queries for Fabrikam, the tenant must have at least one workspace (with Sentinel enabled) in its subscription to host rules, incidents, hunting queries, and workbooks. Sentinel’ s cross-workspace/tenant capability is provided by cross-resource queries in Kusto Query Language (KQL). The key construct for reaching outside the current workspace is the workspace() function, which lets you reference another Log Analytics workspace by name or resource ID—even across subscriptions or tenants when proper permissions (often via Azure Lighthouse or guest access) are in place.

Typical correlation looks like:

union workspace( ' Fabrikam-WS ' ).SecurityEvent, workspace( ' Contoso-WS ' ).SecurityEvent | …

Here, workspace() is the required element to bring together data sets from multiple tenants; operators like extend and project only shape columns and do not establish cross-tenant scope. Therefore, to meet the requirements with minimal overhead: Fabrik am needs one workspace to host its Sentinel content, and you use workspace() in your KQL to correlate Contoso and Fabrikam data.

When dealing with frequent false positives in Microsoft Defender for Endpoint alerts, such as those triggered by legitimate Office macros, the best practice is to hide false alerts while maintaining overall protection.

Microsoft Defender documenta tion prescribes the following approach:

Generate the alert (E): The alert must first appear in the queue so it can be reviewed and correctly classified.

Hide the alert (B): Analysts can hide individual alerts to clean up the queue without disabling detections or reducing coverage.

Create a suppression rule scoped to a device group (D): To prevent recurrence, suppression rules should be scoped narrowly (such as to a device group like the accounting team’s devices), maintaining the principle of least p rivilege and minimal impact.

Options A (Resolve automatically) and C (Suppress any device) would reduce visibility or broaden suppression excessively, potentially missing real threats.

This combination of actions aligns with Defender XDR’s alert management best practices , ensuring a balance between reducing noise and preserving security posture.

To run a PowerShell script when a suspicious-IP access alert is raised for Storage, use Workflow automation in Defender for Cloud to trigger a Logic App whenever a matching security alert occurs. The Logic App should use the Azure Security Center (Defender for Clo ud) alert trigger , and from there you can call an Automation Runbook (PowerShell) or another action to execute your script. A manual or HTTP trigger isn’t needed because the flow must start automatically from the security alert, and an AAD app registration is not required for the basic alert-triggered flow.