Microsoft SC-200 Practice Test - Questions Answers, Page 16

Box 1: Turn on Live Response Live response is a capability that gives you instantaneous access to a device by using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions.

Box: 2 : Add a network assessment job

Network assessment jobs allow you to choose network devices to be scanned regularly and added to the device inventory.

Reference:

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machinealerts?view=o365-worldwide

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/networkdevices?view=o365-worldwide

Box 1: join

An inner join.

This query uses kind=inner to specify an inner-join, which prevents deduplication of left side values for DeviceId.

This query uses the DeviceInfo table to check if a potentially compromised user (<account-name>) has logged on to any devices and then lists the alerts that have been triggered on those devices.

DeviceInfo

//Query for devices that the potentially compromised account has logged onto | where LoggedOnUsers contains '<account-name>' | distinct DeviceId

//Crosscheck devices against alert records in AlertEvidence and AlertInfo tables | join kind=inner AlertEvidence on DeviceId | project AlertId

//List all alerts on devices that user has logged on to

| join AlertInfo on AlertId

| project AlertId, Timestamp, Title, Severity, Category

DeviceInfo LoggedOnUsers AlertEvidence "project AlertID"

Box 2: project

Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-huntingquery-emails-devices?view=o365-worldwide

Step 1: From Logic App Designer, create a logic app.

Create a logic app and define when it should automatically run

1. From Defender for Cloud's sidebar, select Workflow automation.

2. To define a new workflow, click Add workflow automation. The options pane for your new automation opens.

Here you can enter:

A name and description for the automation.

The triggers that will initiate this automatic workflow. For example, you might want your Logic App to run when a security alert that contains "SQL" is generated.

The Logic App that will run when your trigger conditions are met.

3. From the Actions section, select visit the Logic Apps page to begin the Logic App creation process.

4. Etc.

Step 2: From Logic App Designer, run a trigger.

Manually trigger a Logic App

You can also run Logic Apps manually when viewing any security alert or recommendation.

Step 3: From Workflow automation in Defender for cloud, add a workflow automation.

Configure workflow automation at scale using the supplied policies

Automating your organization's monitoring and incident response processes can greatly improve the time it takes to investigate and mitigate security incidents.

Reference: https://docs.microsoft.com/en-us/azure/defender-for-cloud/workflow-automation

Box 1: AzureActivity The AzureActivity table includes data from many services, including Microsoft Sentinel. To filter in only data from Microsoft Sentinel, start your query with the following code:

Box 2: autocluster()

Example: description: | 'Listing of storage keys is an interesting operation in Azure which might expose additional secrets and PII to callers as well as granting access to VMs. While there are many benign operations of this type, it would be interesting to see if the account performing this activity or the source IP address from which it is being done is anomalous.

The query below generates known clusters of ip address per caller, notice that users which only had single operations do not appear in this list as we cannot learn from it their normal activity (only based on a single event). The activities for listing storage account keys is correlated with this learned clusters of expected activities and activity which is not expected is returned.

AzureActivity

| where OperationNameValue =~ "microsoft.storage/storageaccounts/listkeys/action"

| where ActivityStatusValue == "Succeeded"

| join kind= inner (

AzureActivity

| where OperationNameValue =~ "microsoft.storage/storageaccounts/listkeys/action"

| where ActivityStatusValue == "Succeeded"

| project ExpectedIpAddress=CallerIpAddress, Caller

| evaluate autocluster()

) on Caller

| where CallerIpAddress != ExpectedIpAddress

| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds =

make_set(ResourceId), ResourceIdCount = dcount(ResourceId) by OperationNameValue, Caller,

CallerIpAddress

| extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress

Reference: https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/Anomalous_Listing_Of_Storage_Keys.yaml

Step 1: From the Investigation blade, select Insights

The Investigation Insights Workbook is designed to assist in investigations of Azure Sentinel Incidents or individual IP/Account/Host/URL entities.

Step 2: From the Investigation blade, select the entity that represents VM1.

The Investigation Insights workbook is broken up into 2 main sections, Incident Insights and Entity Insights.

Incident Insights The Incident Insights gives the analyst a view of ongoing Sentinel Incidents and allows for quick access to their associated metadata including alerts and entity information.

Entity Insights The Entity Insights allows the analyst to take entity data either from an incident or through manual entry and explore related information about that entity. This workbook presently provides view of the following entity types:

IP Address

Account

Host

URL

Step 3: From the details pane of the incident, select Investigate.

Choose a single incident and click View full details or Investigate.

Reference:

https://github.com/Azure/Azure-Sentinel/wiki/Investigation-Insights---Overview

https://docs.microsoft.com/en-us/azure/sentinel/investigate-cases

An automation rule will allow you to specify which alerts should be suppressed, ensuring that failed sign-in alerts are generated for other accounts while minimizing administrative effort. To create an automation rule, navigate to the

Automation Rules page in the Microsoft Sentinel workspace and configure the rule parameters to suppress the false positive alerts.