Practice Test

True or False: Microsoft Sentinel is a security information and event management (SIEM) system created by Microsoft.

  • True
  • False

Answer: True

Explanation: Microsoft Sentinel is a cloud-native, scalable security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution.

Which one of the following roles can be configured in Microsoft Sentinel?

  • A. Security Administrator
  • B. Role Designer
  • C. Role Manager
  • D. Security Reader

Answer: A. Security Administrator

Explanation: The roles that can be configured in Microsoft Sentinel are Security Administrator, Security Operator, and Security Reader.

Microsoft Sentinel uses role-based access control (RBAC) to manage permissions. True or False?

  • True
  • False

Answer: True

Explanation: Microsoft Sentinel uses Azure’s RBAC to manage permissions, allowing for granular control over who has access to what resources.

Which of the following is not a role in Microsoft Sentinel?

  • A. Security Operator
  • B. Threat Intelligence Operator
  • C. Metadata Manager
  • D. Security Reader

Answer: C. Metadata Manager

Explanation: The roles in Microsoft Sentinel are Security Administrator, Security Operator, Security Reader, and Threat Intelligence Operator. Metadata Manager is not a role in Microsoft Sentinel.

Security Administrators in Microsoft Sentinel have the permission to view data but can’t change it. True or False?

  • True
  • False

Answer: False

Explanation: Security Administrators have permissions to view, edit, and delete resources in Microsoft Sentinel.

Which of these statements are true about the Security Reader role in Microsoft Sentinel?

  • A. Can view data
  • B. Can change data
  • C. Can delete data
  • D. Can configure playbooks

Answer: A. Can view data

Explanation: The Security Reader role has permission to view data, alerts, and incidents in Microsoft Sentinel, but it can’t change or delete data or configure playbooks.

Which role has permissions to edit playbooks and analytics rules in Microsoft Sentinel?

  • A. Security Operator
  • B. Security Administrator
  • C. Security Reader
  • D. Threat Intelligence Operator

Answer: B. Security Administrator

Explanation: Security Administrators have permission to edit playbooks and analytics rules in Microsoft Sentinel, among other tasks.

In Microsoft Sentinel, a playbook can be configured by a Security Reader. True or False?

  • True
  • False

Answer: False

Explanation: In Microsoft Sentinel, a playbook can only be edited or configured by Security Administrators, not Security Readers.

Azure Active Directory is used in Microsoft Sentinel for managing RBAC. True or False?

  • True
  • False

Answer: True

Explanation: Microsoft Sentinel uses Azure Active Directory for user authentication and managing RBAC.

True or False: Security Administrators in Microsoft Sentinel are not allowed to change data alert rules.

  • True
  • False

Answer: False

Explanation: Security Administrators have permissions to edit and update the data alert rules in Microsoft Sentinel.

Microsoft Sentinel roles can be assigned at which of the following scopes?

  • A. Resource
  • B. Resource Group
  • C. Subscription
  • D. All of the Above

Answer: D. All of the Above

Explanation: In Microsoft Sentinel, roles can be assigned at the resource scope, the resource group scope, or the subscription scope, depending on the access level desired.

Which role in Microsoft Sentinel has permissions to triage and resolve security incidents?

  • A. Security Operator
  • B. Security Administrator
  • C. Security Reader
  • D. Threat Intelligence Operator

Answer: A. Security Operator

Explanation: The Security Operator role in Microsoft Sentinel can view data, alerts, incidents and bookmarks. It can also manage incidents, which includes triage and resolve actions.

Multiple roles can be assigned to a single user in Microsoft Sentinel. True or False?

  • True
  • False

Answer: True

Explanation: In Microsoft Sentinel, like other Azure services, multiple roles can be assigned to a single user to provide granular security control and access.

The Threat Intelligence Operator role in Microsoft Sentinel is primarily tasked with managing threat intelligence indicators. True or False?

  • True
  • False

Answer: True

Explanation: The Threat Intelligence Operator role in Microsoft Sentinel is tasked with managing threat intelligence indicators, including creating, viewing, updating and deleting them.

As a security operator in Microsoft Sentinel, you can create or delete resources such as workbooks, playbooks, and analytic rules. True or False?

  • True
  • False

Answer: False

Explanation: The Security Operator role in Microsoft Sentinel can view data, alerts, incidents and bookmarks. It can also manage incidents, but it does not have permissions to create or delete resources like workbooks, playbooks, and analytic rules.

Interview Questions

1. What is Microsoft Sentinel?

Answer: Microsoft Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution provided by Microsoft.

2. What is the role and usage of Microsoft Sentinel in cybersecurity?

Answer: Microsoft Sentinel provides intelligent security analytics at a cloud scale for your entire enterprise. It makes it easy to collect security data across your entire hybrid organization from devices, to users, to apps, to servers on any cloud.

3. Where do you assign the roles in Microsoft Sentinel?

Answer: Roles in Microsoft Sentinel are assigned within the Azure portal.

4. Can you name some of the predefined roles in Microsoft Sentinel?

Answer: There are three predefined roles that come with Microsoft Sentinel: “Reader”, “Contributor” and “Responder”.

5. What is the function of the “Reader” role in Microsoft Sentinel?

Answer: The “Reader” role can view all data, but cannot create or modify any resources, perform any actions or change role assignments.

6. What is the function of the “Contributor” role in Microsoft Sentinel?

Answer: The “Contributor” role can view, create and modify all resources, but it can’t change role assignments.

7. What is the function of the “Responder” role in Microsoft Sentinel?

Answer: The “Responder” role has similar permissions to the “Reader” role, but it can also dismiss and assign incidents.

8. Does Sentinel support custom roles?

Answer: No, custom roles are currently not supported in Microsoft Sentinel.

9. How do you assign roles in Microsoft Sentinel?

Answer: You can assign roles in Microsoft Sentinel by navigating to the Azure portal, selecting “Azure Sentinel”, finding the workspace, choosing “Access control (IAM)” and then adding a role assignment.

10. Which role should be given to a user who is responsible for managing incidents, but not allowed to modify any resources?

Answer: If a user needs to handle and assign incidents, but should not be allowed to modify resources, they should be given the “Responder” role.

11. Can contributors assign incidents in Microsoft Sentinel?

Answer: Yes, because the “Contributor” role in Microsoft Sentinel can modify resources, it allows the user to assign, dismiss and perform other actions on incidents.

12. How can a user be granted permission to only view the existing Sentinel cases without modifying them?

Answer: To grant a user the permission to only view existing Sentinel cases without modification, you can assign them the “Reader” role.

13. What prerequisites are required before you can assign a role in Azure Sentinel?

Answer: Before you can assign a role in Azure Sentinel, you must have the necessary permissions to do so and have access to the desired workspace.

14. Is it possible to modify the “Reader”, “Contributor”, and “Responder” roles in Microsoft Sentinel?

Answer: No, you cannot modify the predefined roles in Microsoft Sentinel.

15. What are “AuditLogs” data connectors in Microsoft Sentinel used for?

Answer: “AuditLogs” data connectors are used to stream the audit logs from your organization, which includes activity logs, into Microsoft Sentinel.
