Azure Sentinel Workspace Configuration for Automatic Response to Azure AD Risky Sign-Ins

Configuring Automatic Response to Azure AD Risky Sign-Ins in Azure Sentinel

Question

You have configured an Azure Sentinel Workspace and have an Azure AD Premium P2 subscription.

You wish to configure the solution to automatically respond to Azure AD risky sign-ins.

Within Azure Sentinel, what must you configure first?

Answers

Explanations


A. B. C. D.

Correct Answer: D

You must first connect Azure Sentinel to Azure AD Identity Protection to receive alert data into Sentinel.

Connect to Azure AD Identity Protection

If you have an Azure AD Premium P2 subscription, Azure AD Identity Protection is included. If any policies are enabled and generating alerts, the alert data can easily be streamed into Azure Sentinel.

1. In Azure Sentinel, select Data connectors and then click the Azure AD Identity Protection tile.

2. Click Connect to start streaming Azure AD Identity Protection events into Azure Sentinel.
[Screenshot: Azure Sentinel | Data connectors blade for the selected workspace. The connector list includes Azure Active Directory and Azure Active Directory Identity Protection (provider: Microsoft), filtered by Providers: All, Data Types: All, Status: All.]
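After clicking Connect, a practitioner would want to confirm that Identity Protection alerts are actually arriving before building any automated response on top of them. The following Log Analytics query is an added example, not part of the original page or of Microsoft's documentation; it assumes the Azure AD Identity Protection alerts land in the SecurityAlert table with ProviderName "IPC" and that the Entities column holds a JSON array of entities of type "account".

```kql
// Added verification query (not from the original page): check that the
// Azure AD Identity Protection connector is streaming alerts into the workspace.
// Assumption: Identity Protection alerts are written to SecurityAlert with
// ProviderName == "IPC" (Identity Protection Center).
SecurityAlert
| where TimeGenerated > ago(7d)
| where ProviderName == "IPC"
// Entities is a JSON string; parse it and expand one row per entity
| extend EntityList = parse_json(Entities)
| mv-expand Entity = EntityList
// Keep only the user account entities (assumed entity type name: "account")
| where tostring(Entity.Type) == "account"
| project TimeGenerated, AlertName, AlertSeverity, CompromisedEntity,
          Account = tostring(Entity.Name)
// One row per risk detection type and account, most recent first
| summarize Alerts = count(), Latest = max(TimeGenerated)
    by AlertName, AlertSeverity, Account
| order by Latest desc
```

If this query returns no rows after the connector shows as Connected, either no Identity Protection policy has generated a detection in the window or the connector has not finished its initial ingestion; an analytics rule or automation rule built on top of these alerts cannot fire until rows appear here.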

Option A is incorrect.

While you can use Logic Apps in playbooks to automate your incident response and remediate security threats detected by Azure Sentinel, you first have to connect Sentinel to Azure AD Identity Protection to receive data into the solution.

Option B is incorrect.

Workbooks allow you to visualize and monitor data received from a connected source.

Hence, it is not the correct answer.

Option C is incorrect.

Playbooks are indeed created to automate and orchestrate response to incidents and security threats based on workflows built in Azure Logic Apps.

But in this scenario, you first have to connect Azure Sentinel to the Identity Protection data source.

Hence, it is not the correct answer.

To know more about connecting Sentinel to identity protection, please refer to the link below:

To automatically respond to Azure AD risky sign-ins within Azure Sentinel, you must first configure a playbook.

A playbook is a set of instructions that define an automated response to a specific security event or incident. It enables you to automate the response process and can include multiple steps, such as alert notifications, remediation actions, and documentation.

To configure a playbook in Azure Sentinel, you can follow these steps:

  1. Open the Azure Sentinel workspace in the Azure portal.
  2. Click on "Playbooks" in the left-hand menu.
  3. Click on "Add playbook" to create a new playbook.
  4. Choose the "Azure AD risky sign-ins" template as the trigger for the playbook.
  5. Configure the actions that you want the playbook to perform in response to the trigger event.
  6. Save the playbook and enable it to begin running.

Once the playbook is configured, Azure Sentinel will automatically respond to Azure AD risky sign-ins according to the defined actions in the playbook.

In addition to configuring a playbook, you may also need to configure a data connector to ingest Azure AD sign-in data into Azure Sentinel. This can be done by selecting the Azure Active Directory connector from the available connectors and configuring it with the appropriate settings. However, this is not the first step you need to take when configuring an automated response to Azure AD risky sign-ins.