Configure Azure Sentinel for Automated Response to Azure AD Risky Sign-Ins

Question

You have configured an Azure Sentinel Workspace and have an Azure AD Premium P2 subscription.

You wish to configure the solution to automatically respond to Azure AD risky sign-ins.

Within Azure Sentinel, what must you configure first?

Answers

A. A Logic App
B. A workbook
C. A playbook
D. A data connector

Explanations

Correct Answer: D

You must first connect Azure Sentinel to Azure AD Identity Protection to receive alert data into Sentinel.

Connect to Azure AD Identity Protection

If you have an Azure AD Premium P2 subscription, Azure AD Identity Protection is included. If any of its policies are enabled and generating alerts, the alert data can be streamed into Azure Sentinel.

1. In Azure Sentinel, select Data connectors and then click the Azure AD Identity Protection tile.

2. Click Connect to start streaming Azure AD Identity Protection events into Azure Sentinel.
[Screenshot: Azure Sentinel | Data connectors blade for the workspace 'testinel' (115 connectors, 0 connected). The connector list shows Azure Active Directory and Azure Active Directory Identity Protection (provider: Microsoft) alongside Azure Activity, Azure DDoS Protection and Azure Defender.]
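Once the tile shows as connected, the check a practitioner wants is that Identity Protection alerts are actually landing in the workspace. The connector writes them to the SecurityAlert table with ProviderName "IPC". The query below is an added example for this page, not taken from Microsoft's documentation; the seven-day window is an assumption.

```kql
// Added example: confirm the Azure AD Identity Protection connector is streaming.
// Identity Protection alerts arrive in SecurityAlert with ProviderName == "IPC".
SecurityAlert
| where TimeGenerated > ago(7d)          // assumption: look back one week
| where ProviderName == "IPC"
| summarize Alerts = count(), LastSeen = max(TimeGenerated)
    by AlertName, AlertSeverity, ProductName
| order by LastSeen desc
```

An empty result after the connector has been enabled for a while usually means no Identity Protection policy is raising detections yet, not that the connector is broken; the tile's own "Data received" graph should agree with this query.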

Option A is incorrect.

While you can use Logic Apps in playbooks to automate your incident response and remediate security threats detected by Azure Sentinel, you first have to connect Sentinel to Azure AD Identity Protection to receive data into the solution.

Option B is incorrect.

Workbooks allow you to visualize and monitor data received from a connected source; they do not respond to anything.

Hence not the correct answer.

Option C is incorrect.

Playbooks are indeed created to automate and orchestrate response to incidents and security threats based on workflows built in Azure Logic Apps.

But in this scenario you first have to connect Azure Sentinel to the Identity Protection data source.

Hence it is not the correct answer.

Reference:

To know more about connecting Sentinel to identity protection, please refer to the link below:

To automatically respond to Azure AD risky sign-ins within Azure Sentinel, the first thing that must be configured is the Azure AD Identity Protection data connector. Until the connector is enabled, no Identity Protection alerts reach the workspace and there is nothing for a rule or a playbook to act on.

A playbook is a series of automated steps or actions executed in response to a security event. In this scenario, a playbook can be created to respond to a risky sign-in by performing a specific action, such as blocking the user's account or requiring additional authentication steps.

A playbook is not triggered directly by the data connector. The connector only collects data from a source, here Azure AD Identity Protection alerts, and sends it to Azure Sentinel for analysis. An analytics rule then turns matching alerts into incidents, and an automation rule (or the analytics rule's own automated response setting) runs the playbook. The order is therefore: data connector, analytics rule, playbook.

It is also worth noting that Logic Apps and workbooks both have a place in Azure Sentinel, but neither is the first thing to configure here. A Logic App is the workflow engine on which playbooks are built, used to integrate and automate tasks across different systems and services; a workbook is a customizable dashboard that provides insights and visualizations of data that has already been collected.
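The piece that sits between the connector and the playbook is the analytics rule. Below is an added example of a scheduled analytics rule query for this page (not the page's own content and not a Microsoft-supplied template): it selects unresolved medium- and high-severity Identity Protection alerts from SecurityAlert and pulls out the account entity, so the rule's entity mapping (Account: Name, UPNSuffix) hands the user to a playbook through an automation rule. The severity threshold and the status filter are assumptions.

```kql
// Added example: scheduled analytics rule query feeding an Identity Protection playbook.
// One row per alert and affected account; map AccountName/UPNSuffix to the Account entity.
SecurityAlert
| where ProviderName == "IPC"
| where AlertSeverity in ("High", "Medium")   // assumption: ignore Low/Informational
| where Status != "Resolved"                  // assumption: skip alerts already remediated
| mv-expand Entity = todynamic(Entities)
| where tostring(Entity.Type) == "account"
| extend AccountName = tostring(Entity.Name),
         UPNSuffix   = tostring(Entity.UPNSuffix),
         AadUserId   = tostring(Entity.AadUserId)
| project TimeGenerated, SystemAlertId, AlertName, AlertSeverity,
          AccountName, UPNSuffix, AadUserId, CompromisedEntity
```

If you would rather not maintain a query, the built-in Microsoft security incident creation rule filtered to the product "Azure Active Directory Identity Protection" creates one incident per alert, and an automation rule on incident creation can run the same playbook; either way the connector has to be connected first.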