Azure Sentinel Roles Assignment

Group A: Threat Intelligence Indicator Replacement

Question

Your company starts using Azure Sentinel.

The manager wants the administration of the implemented solution to be divided into two groups, Group A and Group B, where:

Group A takes responsibility for replacing the tags of Threat Intelligence Indicator.

Group B takes responsibility for adding playbooks to automation rules.

You need to assign the appropriate roles for both groups to fulfill the manager's request.

How should you assign the roles? To answer, drag the appropriate role to each group.

A role may be used once, more than once, or not at all.

Drag and drop the answers

Group A: ___________________________

Group B: ___________________________

Answers

Explanations


A. B. C. D.

Correct Answers: A and C

Group A: Responder (Option a is the correct answer)

Group B: Sentinel Automation Contributor (Option c is the correct answer)

You should assign the Responder role to Group A.

This role gives the user permission to manage incidents in Azure Sentinel (like assigning users for incidents, dismissing alerts, etc.) and to view several Azure Sentinel resources, including reports, incidents, and workbooks.

This role also gives permission to replace tags of Threat Intelligence Indicator.

This role does not give permission to add playbooks to automation rules.

Threat Intelligence Indicator is a cloud-based solution used within companies to analyze and act upon threat activities.

You should assign the Azure Sentinel Automation Contributor role to Group B.

In addition to viewing Azure Sentinel resources, managing incidents, and working with workbooks, this role allows Azure Sentinel to add playbooks to automation rules.

This meets the scenario requirement.

You should not assign the Reader role to either group.

This role gives a user permission to view incidents in Azure Sentinel, but not the permission to replace tags of Threat Intelligence Indicator or to add playbooks to automation rules as required in the scenario.

You should not assign the Security Assessment Contributor role to either of the groups.

This role gives permission to create security assessments on the company's Azure Sentinel subscription, which is useful for knowing if another subscription of Azure Sentinel is needed.

This role does not give the permission to replace tags of Threat Intelligence Indicator or to add playbooks to automation rules as required in the scenario.


To fulfill the manager's request, the appropriate roles should be assigned to Group A and Group B in Azure Sentinel.

Group A takes responsibility for replacing the tags of Threat Intelligence Indicator. So, they require a role that allows them to modify the threat intelligence information. The Responder role in Azure Sentinel can be used for this purpose. This role allows managing incidents, adding and removing labels to threats, as well as updating the severity of incidents. Therefore, the Responder role should be assigned to Group A.

Group B takes responsibility for adding playbooks to automation rules. They need a role that allows them to create automation rules and add playbooks. The Sentinel Automation Contributor role in Azure Sentinel can be used for this purpose. This role allows creating and modifying automation rules, including adding playbooks to them. Therefore, the Sentinel Automation Contributor role should be assigned to Group B.

The other two roles, Reader and Sentinel Assessment Contributor, are not necessary for fulfilling the manager's request. The Reader role only allows viewing data in Azure Sentinel, but not modifying it, which is not required for either Group A or Group B. The Sentinel Assessment Contributor role allows creating, modifying, and deleting security assessments. However, this role is not related to the tasks that Group A or Group B are responsible for.