Manage Security Operations Flashcards

1
Q

Which role provides permissions to view data, incidents, workbooks, and all Azure Sentinel resources?

A

Which role provides permissions to view data, incidents, workbooks, and all Azure Sentinel resources?

The Azure Sentinel Reader role has permissions to view data, incidents, workbooks, and all Azure Sentinel resources.

2
Q

Which role provides the ability to manage incidents?

A

Which role provides the ability to manage incidents?

The Azure Sentinel Responder role has all the permissions of Azure Sentinel Reader plus the ability to manage incidents.

3
Q

Which role provides permissions to read, write, and delete all Azure Sentinel-related resources, including the permissions to create and edit workbooks?

A

Which role provides permissions to read, write, and delete all Azure Sentinel-related resources, including the permissions to create and edit workbooks?

The Azure Sentinel Contributor role has permissions to read, write, and delete all Azure Sentinel-related resources. This role also provides the permissions to create and edit workbooks.

4
Q

Which Azure Sentinel role provides permissions to be able to configure a playbook, and create a Logic App?

A

Which Azure Sentinel role provides permissions to be able to configure a playbook, and create a Logic App?

The Azure Sentinel Contributor role provides the permissions to configure a playbook, and the Logic App Contributor role provides the permissions to create a Logic App.

5
Q

Azure Sentinel Incident Owner

A

Azure Sentinel Incident Owner

The incident's detailed information includes its severity, a summary of the number of entities involved, the raw events that triggered the incident, and the incident's unique ID. All incidents start as unassigned. For each incident you can assign an owner by setting the Incident owner field. You can also add comments so that other analysts can understand what you investigated and what your concerns are around the incident.

6
Q

Azure Sentinel Built-in Roles

A

Azure Sentinel Built-in Roles

The Sentinel built-in roles are reader, responder, and contributor.

There is no owner role.

7
Q

Azure Sentinel Notebook

A

Azure Sentinel Notebook

A notebook is a step-by-step playbook that you can walk through to follow the steps of an investigation and hunt. The other hunting techniques are the other choices: built-in queries, bookmarks, and event tables.

8
Q

Azure Security Center Dashboard Secure Score

A

Azure Security Center Dashboard Secure Score

The Secure Score is a calculation based on the ratio of healthy resources vs. total resources. Security Center reviews your security recommendations across all workloads, uses algorithms to determine how critical each recommendation is, and calculates a Secure Score, which is displayed on the Overview page.

9
Q

Two fundamental data types that Azure Monitor uses?

A

Two fundamental data types that Azure Monitor uses?

Metrics and Logs.

10
Q

Processed events that Azure Security Center produces are published to …

A

Processed events that Azure Security Center produces are published to the Azure activity log, one of the log types available through Azure Monitor.

11
Q

What is used to stream log data from Azure Monitor to Azure Sentinel or a partner SIEM and monitoring tools?

A

What is used to stream log data from Azure Monitor to Azure Sentinel or a partner SIEM and monitoring tools?

Event Hubs

12
Q

Stream log data from Azure Monitor to Azure Sentinel or a partner SIEM and monitoring tools. What are the tiers of monitoring data that can be sent to the Event Hub?

A

Stream log data from Azure Monitor to Azure Sentinel or a partner SIEM and monitoring tools. What are the tiers of monitoring data that can be sent to the Event Hub?

  • Application monitoring data - Data about the performance and functionality of the code you have written and are running on Azure.
    • By instrumenting your code with an SDK such as the Application Insights SDK.
    • By running a monitoring agent that listens for new application logs on the machine running your application, such as the Windows Azure Diagnostic Agent or Linux Azure Diagnostic Agent.
  • Guest OS monitoring data - Data about the operating system on which your application is running. Examples of guest OS monitoring data would be Linux syslog or Windows system events. To collect this type of data, you need to install an agent such as the Windows Azure Diagnostic Agent or Linux Azure Diagnostic Agent.
  • Azure resource monitoring data - Data about the operation of an Azure resource. For some Azure resource types, such as virtual machines, there is a guest OS and application(s) to monitor inside of that Azure service. For other Azure resources, such as Network Security Groups, the resource monitoring data is the highest tier of data available (since there is no guest OS or application running in those resources). This data can be collected using resource diagnostic settings.
  • Azure subscription monitoring data - Data about the operation and management of an Azure subscription, as well as data about the health and operation of Azure itself. The activity log contains most subscription monitoring data, such as service health incidents and Azure Resource Manager audits. You can collect this data using a Log Profile.
  • Azure tenant monitoring data - Data about the operation of tenant-level Azure services, such as Azure Active Directory. The Azure Active Directory audits and sign-ins are examples of tenant monitoring data. This data can be collected using a tenant diagnostic setting.
13
Q

What connectors does Azure Sentinel come with out of the box and provide real-time integration?

A

What connectors does Azure Sentinel come with out of the box and provide real-time integration?

  • Microsoft Threat Protection solutions
  • Microsoft 365 sources, including Microsoft 365
  • Azure AD
  • Azure ATP
  • Microsoft Cloud App Security
  • Connectors to non-Microsoft solutions using CEF, Syslog, or REST-API
  • And more…
14
Q

Where does Azure Security Center store data that it collects?

Where does Azure Sentinel store data from data sources?

A

Where does Azure Security Center store data that it collects?

Log Analytics Workspace (LAW) where it can be analyzed with other log data.

Where does Azure Sentinel store data from data sources?

Log Analytics Workspace (LAW)

15
Q

What are the ways you can start Log Analytics?

A

What are the ways you can start Log Analytics?

  • Select Logs from the Azure Monitor menu or Log Analytics workspaces menu.
  • Select Analytics from the Overview page of an Application Insights application.
  • Select Logs from the menu of an Azure resource.

Note: The scope of the data available depends on how you start it.
