Azure Sentinel Solutions Package

Deploying Azure Sentinel Solutions Package

Question

Which of the following can be deployed as part of an Azure Sentinel solutions package?

Answers

Explanations



Correct Answers: B, C, D, E, F, H and I.

[Screenshot: solution deployment wizard tabs - Basics, Analytics, Hunting Queries, Playbooks, Review + create]

This Azure Sentinel Solution installs analytic rules for Microsoft Teams that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.


External user added and removed in short timeframe

This detection flags the occurrences of external user accounts that are added to a Team and then removed within one hour.

Multiple Teams deleted by a single user

This detection flags the occurrences of multiple teams being deleted by one user within an hour. This data is a part of the Office 365 connector in Azure Sentinel.
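As an added illustration (not the solution's own rule), the first of the two detections above can be expressed in KQL over the OfficeActivity table that the Office 365 connector populates; the column names used (OfficeWorkload, Operation, Members, TeamName, UserId) and the "#EXT#" guest-UPN convention are assumptions about that schema.

```kql
// Added example: external (guest) user added to a Team and removed again within one hour.
// Assumes the Office 365 connector's OfficeActivity table with the columns used below.
let lookback = 7d;
let window = 1h;
let teamMembership = OfficeActivity
    | where TimeGenerated > ago(lookback)
    | where OfficeWorkload =~ "MicrosoftTeams"
    | where Operation in~ ("MemberAdded", "MemberRemoved")
    // Members is a JSON array; expand it so each touched member becomes its own row
    | mv-expand Member = parse_json(Members)
    | extend MemberUPN = tostring(Member.UPN)
    // Azure AD B2B guest accounts carry "#EXT#" in their UPN (assumed convention)
    | where MemberUPN contains "#EXT#"
    | project TimeGenerated, Operation, TeamName, MemberUPN, ActorUPN = UserId;
teamMembership
| where Operation =~ "MemberAdded"
| project TimeAdded = TimeGenerated, TeamName, MemberUPN, AddedBy = ActorUPN
| join kind=inner (
    teamMembership
    | where Operation =~ "MemberRemoved"
    | project TimeRemoved = TimeGenerated, TeamName, MemberUPN, RemovedBy = ActorUPN
) on TeamName, MemberUPN
// keep only add/remove pairs where the removal happened within the window after the add
| where TimeRemoved between (TimeAdded .. (TimeAdded + window))
| extend MinutesPresent = datetime_diff("minute", TimeRemoved, TimeAdded)
| project TimeAdded, TimeRemoved, MinutesPresent, TeamName, MemberUPN, AddedBy, RemovedBy
| order by TimeAdded desc
```

Tune the lookback to the rule's scheduling interval so each run only re-examines the period since the previous run, and review AddedBy and RemovedBy together: the same actor on both sides is the pattern the rule is meant to surface.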

Reference:

Azure Sentinel is a cloud-native security information and event management (SIEM) solution provided by Microsoft. It provides intelligent security analytics and threat intelligence across the enterprise, and helps to detect, investigate, and respond to threats across the organization. As part of an Azure Sentinel solutions package, the following components can be deployed:

A. Notebooks: Notebooks are interactive documents that combine live code, narrative text, and visualizations. In Azure Sentinel, notebooks are used for ad-hoc data analysis and exploration, and can be used to create custom dashboards or reports.

B. Data connectors: Data connectors are used to collect data from various sources and send it to Azure Sentinel. Azure Sentinel supports a wide range of data connectors, including Microsoft and third-party connectors.

C. Hunting queries: Hunting queries are used to proactively search for threats and anomalies in the data collected by Azure Sentinel. They are used to identify malicious activity and help prevent security incidents before they occur.

D. Watchlists: Watchlists are lists of entities, such as IP addresses, domains, or file hashes, that are monitored for suspicious activity. Azure Sentinel provides a number of built-in watchlists, and you can also create custom watchlists based on your organization's specific needs.

E. Parsers: Parsers are used to extract information from raw log data and convert it into a structured format that can be easily analyzed. Azure Sentinel provides a number of built-in parsers, and you can also create custom parsers based on your organization's specific needs.

F. Playbooks: Playbooks are automated response processes that are triggered when certain conditions are met. They can be used to automate common security tasks, such as blocking a malicious IP address or quarantining an infected machine.

G. Indicators of Compromise (IOCs): IOCs are artifacts that indicate a compromise has occurred or is likely to occur. Azure Sentinel supports a wide range of IOCs, including IP addresses, domains, file hashes, and more.

H. Analytics rules: Analytics rules are used to detect suspicious activity in the data collected by Azure Sentinel. They are used to identify security incidents and trigger alerts or automated responses.

I. Workbooks: Workbooks are customizable dashboards that provide visualizations and insights into the data collected by Azure Sentinel. They are used to monitor security metrics and provide insights into the organization's security posture.

In summary, an Azure Sentinel solutions package can include a wide range of components, including notebooks, data connectors, hunting queries, watchlists, parsers, playbooks, IOCs, analytics rules, and workbooks. These components work together to provide intelligent security analytics and threat intelligence across the enterprise, and help to detect, investigate, and respond to threats across the organization.