Practice Test

True or False. You can create custom analytics rules that generate alerts in Microsoft Sentinel.

  • True
  • False

Answer: True

Explanation: Microsoft Sentinel lets you write your own analytics rules (scheduled or near-real-time rules built on a KQL query, with a severity, an alert threshold, entity mapping and alert-grouping settings) instead of relying only on the built-in rule templates, so detections can be tailored to your environment.

In Azure Sentinel, what happens when an incident is closed?

  • A. The incident disappears from the system.
  • B. The incident is archived and removed from the active incidents list.
  • C. The alert associated with the incident is also closed.
  • D. All of the above

Answer: B. The incident is archived and removed from the active incidents list.

Explanation: Closing an incident sets its status to Closed and records a classification (True Positive, Benign Positive or False Positive). The incident is not deleted: it stays queryable in the SecurityIncident table and can be reopened, but the Incidents page filters on New and Active by default, so it drops out of the active list. The alerts it contains are not closed; they remain in the SecurityAlert table and in the incident's timeline.

What is the maximum number of alerts that an incident can contain?

  • A. 150
  • B. 1,000
  • C. 10,000
  • D. There’s no limit.

Answer: A. 150

Explanation: Microsoft Sentinel caps an incident at 150 alerts. When alert grouping on an analytics rule reaches that cap, further matching alerts are placed in a new incident rather than added to the full one, so a very noisy rule shows up as a chain of incidents, not one enormous incident.

True or False. Azure Sentinel only supports the evaluation of security alerts generated within Azure.

  • True
  • False

Answer: False

Explanation: Microsoft Sentinel ingests and evaluates alerts and logs from many sources through data connectors: Azure services, Microsoft 365 and Microsoft Defender products, other clouds such as AWS, and third-party products that send Syslog, CEF or REST API data.

What is the purpose of the incidents page in Azure Sentinel?

  • A. To display all the rules that have been created.
  • B. To show all the alerts that have been triggered.
  • C. To list the incidents that have been created from the alerts.
  • D. To configure the alert rules for Sentinel.

Answer: C. To list the incidents that have been created from the alerts.

Explanation: The Incidents page lists the incidents created from alerts and is where analysts triage them: assign an owner, set status and severity, review the grouped alerts and entities, and launch the investigation graph or a playbook.

Which of the following can be used to automate response to incidents?

  • A. Azure Functions
  • B. Azure Logic Apps
  • C. Azure Automation
  • D. All of the above

Answer: D. All of the above

Explanation: Microsoft Sentinel's native response automation is automation rules and playbooks, and a playbook is an Azure Logic Apps workflow. Azure Functions and Azure Automation runbooks do not attach to incidents directly, but a playbook can call them, so all three can take part in an automated response.

True or False. Microsoft Sentinel cannot triage and investigate incidents.

  • True
  • False

Answer: False

Explanation: Microsoft Sentinel provides capabilities for effective triage and investigation of incidents to help you understand the scope and impact of threats.

What view would you use in Azure Sentinel to get a holistic view of all the alerts?

  • A. Dashboard view
  • B. Incidents view
  • C. Alerts view
  • D. Analytics view

Answer: B. Incidents view

Explanation: Microsoft Sentinel has no separate alerts page; alerts are grouped into incidents, and the Incidents page is where you see every alert that was turned into an incident, listed under the incident it belongs to. For the raw alert records, query the SecurityAlert table from the Logs page.

True or False. Alert rules and analytics run in real-time in Azure Sentinel.

  • True
  • False

Answer: False

Explanation: Scheduled analytics rules run on the interval configured in the rule (as often as every 5 minutes), near-real-time (NRT) rules run roughly once a minute, and Microsoft security and Fusion rules fire when a source alert arrives. No rule type evaluates each event as it is ingested, so detection is periodic rather than real-time. The relationship between query frequency and lookback period is what you tune so that events are neither missed nor counted twice.

In Microsoft Sentinel, an “incident” refers to:

  • A. A failed security rule.
  • B. A group of related alerts.
  • C. An individual security alert.
  • D. A logged security event without an associated alert.

Answer: B. A group of related alerts.

Explanation: In Microsoft Sentinel an incident is a case file that groups one or more related alerts (together with their entities, bookmarks and comments) for a suspected threat, so an analyst triages one object instead of many individual alerts.

Which of the following determines the severity level of an incident in Microsoft Sentinel?

  • A. The severity levels of the alerts in the incident.
  • B. The number of alerts in the incident.
  • C. The incidence of repeated alerts.
  • D. The source of the incident.

Answer: A. The severity levels of the alerts in the incident.

Explanation: An incident takes the severity of the highest-severity alert it contains; alert severity itself is set by the analytics rule that produced the alert. An analyst or an automation rule can override the incident severity. The number of alerts, repeated alerts and the data source do not change it by themselves.

Interview Questions

What is Microsoft Sentinel?

Microsoft Sentinel (formerly Azure Sentinel) is Microsoft’s cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation and Response) service, built on an Azure Monitor Log Analytics workspace. It collects security data from across the enterprise, detects threats with analytics rules and machine learning, and lets analysts investigate and respond from one console.

How does Microsoft Sentinel evaluate alerts?

Microsoft Sentinel correlates data from the connected sources using analytics rules (scheduled KQL rules, near-real-time rules, Microsoft security rules and the Fusion machine-learning correlation engine) to raise alerts. Related alerts are grouped into incidents and ranked by severity so analysts work on the most important cases first.

What are the key components of an Incident in Azure Sentinel?

The main components of an incident are its alerts, entities and bookmarks. Alerts are the detections that opened the incident or were grouped into it. Entities are the accounts, hosts, IP addresses, URLs, file hashes and similar objects extracted from those alerts through entity mapping; they link incidents to each other and drive the investigation graph. Bookmarks are query results an analyst saved while hunting and attached to the incident as evidence.
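As an added example, not part of the original page, the following KQL query lists each open incident with the alerts and entities behind it, which makes the three components concrete and shows that the incident severity follows its highest-severity alert. It assumes the workspace already has incidents, so the SecurityIncident and SecurityAlert tables are populated; the 7-day window is an arbitrary choice.

```kql
// Added example: one row per open incident, with the alerts that were grouped into it.
// Assumes SecurityIncident and SecurityAlert are populated (true once any rule has fired).
// SecurityIncident keeps a record for every change to an incident, so take the latest one.
SecurityIncident
| where TimeGenerated > ago(7d)
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| where Status in ("New", "Active")
// AlertIds is an array of SystemAlertId values; expand it to one row per alert.
| mv-expand AlertId = AlertIds to typeof(string)
| join kind=leftouter (
    SecurityAlert
    | where TimeGenerated > ago(7d)
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
    // Rank severities so max() yields the highest rather than the alphabetically last.
    | extend SeverityRank = case(AlertSeverity == "High", 3,
                                 AlertSeverity == "Medium", 2,
                                 AlertSeverity == "Low", 1, 0)
    // Entities is a JSON array of the mapped entities (accounts, hosts, IPs, ...).
    | extend EntityCount = array_length(parse_json(Entities))
    | project AlertId = SystemAlertId, AlertName, SeverityRank, EntityCount, ProviderName
  ) on AlertId
| summarize AlertCount = dcount(AlertId),
            Alerts = make_set(AlertName, 20),
            HighestAlertSeverityRank = max(SeverityRank),
            EntityCount = sum(EntityCount),
            Providers = make_set(ProviderName, 10)
    by IncidentNumber, Title, IncidentSeverity = Severity, Status,
       AssignedTo = tostring(Owner.assignedTo)
| extend HighestAlertSeverity = case(HighestAlertSeverityRank == 3, "High",
                                     HighestAlertSeverityRank == 2, "Medium",
                                     HighestAlertSeverityRank == 1, "Low", "Informational")
| project IncidentNumber, Title, IncidentSeverity, HighestAlertSeverity, Status, AssignedTo,
          AlertCount, EntityCount, Providers, Alerts
| order by IncidentNumber desc
```

IncidentSeverity should equal HighestAlertSeverity unless an analyst or an automation rule changed it; a mismatch is worth a look during triage, as is an incident whose EntityCount is zero, which usually means the rule has no entity mapping.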

How does automated response work in Azure Sentinel?

Automated responses in Microsoft Sentinel are built from automation rules and playbooks. An automation rule is triggered when an incident or alert is created or updated; it can set the owner, status, severity or tags and run playbooks. A playbook is an Azure Logic Apps workflow, started by an automation rule or manually by an analyst, that carries out the response: enrich the incident, notify the team, open a ticket, block an IP address, disable an account, and so on.


What does Sensitive Info Type (SIT) stand for in Azure Sentinel?

A sensitive information type (SIT) is a pattern definition (a regular expression or function, supporting keywords, and confidence rules) for data such as credit card numbers, Social Security numbers or bank account numbers. SITs are defined and evaluated in Microsoft Purview (Microsoft 365 compliance, including Data Loss Prevention), not in Microsoft Sentinel itself; Sentinel sees SIT matches only as the DLP alerts and audit events that a Microsoft 365 or Defender XDR connector brings into the workspace.

Which standard query language does Azure Sentinel use?

Microsoft Sentinel uses Kusto Query Language (KQL), the same query language as Azure Monitor Log Analytics and Azure Data Explorer. KQL is read-only: a query can filter, join, summarize and render data but cannot modify the tables, which is why analytics rules, hunting queries, workbooks and notebooks can all share it safely.

When analyzing the Severity of an incident in Azure Sentinel, what does a High Severity incident indicate?

High severity indicates a detection that, if genuine, points to an active compromise or significant damage (for example, an attacker using valid credentials or confirmed data exfiltration) and should be triaged and contained immediately; Medium, Low and Informational incidents are worked in that order afterwards.

What is a threat intelligence indicator (TII) in Microsoft Sentinel?

A threat intelligence indicator (also called an indicator of compromise, IoC) is an observable tied to known malicious activity: an IP address, domain, URL, file hash or email address, usually with a confidence score, threat type and expiry date. Microsoft Sentinel stores indicators imported through its threat intelligence connectors (TAXII feeds, the Threat Intelligence Platforms connector and Microsoft’s own feeds) in the ThreatIntelligenceIndicator table, where analytics rules match them against ingested logs.
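As an added example (not from the page), here is a KQL query that matches active IP indicators against firewall events, which is the pattern the built-in "TI map" analytics rules follow. It assumes a threat intelligence connector populates ThreatIntelligenceIndicator and a CEF/Syslog forwarder populates CommonSecurityLog; the 1-hour event window and 14-day indicator window are assumptions to adjust to your rule settings.

```kql
// Added example: match active IP indicators against outbound firewall/proxy events.
// Assumes a TI connector (TAXII, TIP or Microsoft feed) fills ThreatIntelligenceIndicator
// and a CEF/Syslog forwarder fills CommonSecurityLog.
let lookback = 1h;            // event window; align with the rule's query frequency
let ti_ips = ThreatIntelligenceIndicator
    | where TimeGenerated > ago(14d)
    // Indicators are re-written on every update; keep only the latest version of each.
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    // Drop revoked and expired indicators so stale intel does not raise alerts.
    | where Active == true and (isnull(ExpirationDateTime) or ExpirationDateTime > now())
    // An IP indicator may live in NetworkIP or NetworkDestinationIP; take whichever is set.
    | extend IndicatorIP = coalesce(NetworkIP, NetworkDestinationIP)
    | where isnotempty(IndicatorIP)
    | project IndicatorIP, IndicatorId, ThreatType, ConfidenceScore, Description;
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where isnotempty(DestinationIP)
| join kind=inner (ti_ips) on $left.DestinationIP == $right.IndicatorIP
| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction,
          SourceIP, DestinationIP, DestinationPort, ApplicationProtocol,
          ThreatType, ConfidenceScore, Description, IndicatorId
// Entity mapping for the rule: SourceIP -> IP (internal host), DestinationIP -> IP (indicator).
| order by TimeGenerated desc
```

Filtering on Active and ExpirationDateTime before the join is what keeps a feed's revoked or aged-out indicators from generating incidents; a DeviceAction of "deny" on a match is still worth an incident because it shows which internal host tried to reach the indicator.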

What purpose does the Microsoft Threat Intelligence Center (MSTIC) serve in Azure Sentinel?

Microsoft Threat Intelligence Center (MSTIC) is Microsoft’s threat research team. Its indicators reach Microsoft Sentinel through the Microsoft Defender Threat Intelligence connector and the built-in "Microsoft Threat Intelligence Analytics" rule, which matches them against your logs without a custom query. These feeds enrich alerts and log data, surface known-bad infrastructure quickly and improve threat hunting.

Can Azure Sentinel be used to collect and analyze data from on-premises systems?

Yes. Microsoft Sentinel is built for hybrid environments: Windows and Linux servers on premises send logs through the Azure Monitor Agent (or the older Log Analytics agent), often enrolled via Azure Arc, and network devices and appliances send Syslog or CEF to a log forwarder that relays them to the workspace.

How can you reduce false-positive alerts in Azure Sentinel?

Reduce false positives by tuning the analytics rule rather than ignoring its alerts: tighten the KQL query (exclude interrupt or benign result codes, require a corroborating condition such as a later success), set an alert threshold and an appropriate query period, keep known-good sources in a watchlist instead of hard-coding them in the query, and use automation rules to close or downgrade recurring benign patterns. Record the reason for each exclusion so the tuning can be reviewed later.
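As an added example, not part of the original page, here is a scheduled analytics rule query that applies those tuning steps, and it doubles as the custom-rule example for the first practice question: interrupt result codes are excluded, the threshold is a variable, a watchlist supplies the exclusions, and a success after the failures is required before the rule fires. It assumes the Microsoft Entra ID connector populates SigninLogs and that a watchlist named KnownScanners with an IPAddress column exists; the watchlist name, the threshold and the 1-hour window are assumptions.

```kql
// Added example: tuned scheduled rule for password spraying/brute force against Entra ID.
// Assumes SigninLogs is connected and a watchlist "KnownScanners" (column IPAddress) exists.
// Rule settings to pair with this query: run every 1 hour, look up data from the last 1 hour,
// alert threshold "greater than 0", entity mapping UserPrincipalName -> Account, IPAddress -> IP.
let lookback = 1h;
let failureThreshold = 10;          // raise if the rule is noisy, lower for sensitive tenants
// Result codes that are sign-in interrupts rather than wrong credentials:
// 50125 = password reset/registration interrupt, 50140 = "keep me signed in" interrupt.
let interruptCodes = dynamic(["50125", "50140"]);
// Exclusion list maintained as a watchlist so tuning does not require editing the rule.
let allowlistedIPs = _GetWatchlist('KnownScanners') | project IPAddress;
let failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"                       // 0 = success
    | where ResultType !in (interruptCodes)
    | where IPAddress !in (allowlistedIPs)
    | summarize Failures = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated),
                FailureCodes = make_set(ResultType, 10)
        by UserPrincipalName, IPAddress
    | where Failures >= failureThreshold;
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project UserPrincipalName, IPAddress, SuccessTime = TimeGenerated, AppDisplayName;
// Fire only when the same account/IP pair succeeds after the burst of failures.
failures
| join kind=inner (successes) on UserPrincipalName, IPAddress
| where SuccessTime > LastFailure
// Keep the first success per pair so one burst produces one row.
| summarize arg_min(SuccessTime, *) by UserPrincipalName, IPAddress
| project UserPrincipalName, IPAddress, Failures, FirstFailure, LastFailure, FailureCodes,
          SuccessTime, AppDisplayName
```

Dropping the join gives a plain failed-sign-in rule, which is the version that tends to be noisy; the success-after-failures condition is what turns a volume signal into one that usually needs action. Change the exclusions by editing the watchlist, not the rule, so the rule's version history stays meaningful.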

What is the role of Notebooks in Azure Sentinel?

Notebooks in Microsoft Sentinel are Jupyter notebooks hosted in Azure Machine Learning and opened from the Sentinel Notebooks page. They combine KQL queries, Python code and visualizations (typically through the MSTICPy library) for hunting and investigations that outgrow a single query, and they record and share the steps so an investigation can be repeated or handed over.

Can Azure Sentinel integrate with third-party solutions?

Yes. Microsoft Sentinel integrates with third-party products both for data ingestion (Syslog, CEF, REST API and vendor-specific connectors from the Content hub) and for response (Logic Apps connectors that let playbooks act on firewalls, identity providers, ticketing systems and EDR tools).

How does Azure Sentinel support regulatory compliance?

Microsoft Sentinel supports compliance work with audit logging of analyst and administrative actions, configurable data retention including long-term archive, Azure role-based access control for least-privilege access to the workspace, and workbooks that report against common frameworks. Compliance itself remains the organisation’s responsibility; Sentinel supplies the controls and the evidence.

What types of data connectors are supported in Azure Sentinel?

Microsoft Sentinel supports data connectors for Microsoft solutions, third-party solutions and generic data sources, including Office 365, Microsoft Entra ID (Azure AD), Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security), AWS CloudTrail, Barracuda, and generic Syslog, CEF and REST API connectors, among many others.
