SC 200 Master Cheat Sheet

The SC-200 Master Cheat Sheet provides comprehensive guidance on managing a security operations environment using Microsoft Defender and Sentinel. It covers configuring connections, alert notifications, advanced endpoint features, and automated investigation responses, along with managing device groups and resources. Additionally, it details the design and configuration of Microsoft Sentinel workspaces, data sources, and connectors for effective security monitoring and incident response.

Uploaded by Luiz Gomes

SKILLCERTPRO

SC-200 Master Cheat Sheet

Manage a security operations environment (25–30%)


Configure settings in Microsoft Defender XDR
Configuring a Connection from Defender XDR to a Sentinel Workspace:

 Defender XDR (Extended Detection and Response): A comprehensive security platform from
Microsoft that consolidates and analyzes data from various sources like endpoints, cloud
workloads, identities, and emails. It provides advanced threat detection, investigation, and
response capabilities.

 Sentinel: A cloud-native security information and event management (SIEM) solution from
Microsoft that helps you collect, analyze, and respond to security events from across your
organization.

Purpose:

 Connecting Defender XDR to Sentinel allows you to leverage Sentinel's powerful analytics
and security orchestration and automation (SOAR) capabilities to enrich and enhance threat
insights from Defender XDR data.

 This enables you to create more comprehensive threat detection rules, conduct deeper
investigations, and automate security responses within Sentinel.

General Steps:

1. Enable Data Collection: Ensure data collection is enabled in Defender XDR for the data
categories you want to send to Sentinel.

2. Set Up Connection: In your Sentinel workspace, navigate to the "Data connectors" section
and search for "Microsoft Defender XDR." Follow the on-screen instructions to establish the
connection with your Defender XDR environment.

3. Configure Data Mapping (Optional): If necessary, you can customize how specific data fields
are mapped between Defender XDR and Sentinel to better align with your needs.

Configuring Alert and Vulnerability Notification Rules:

Alerts:

 Notifications triggered by security events that might indicate potential threats.

 Can be based on security logs, network traffic analysis, or other sources.

Vulnerabilities:

 Weaknesses in systems or software that attackers can exploit.

Purpose:

 Define rules to receive timely notifications about critical security events and identified
vulnerabilities.

 This enables you to prioritize and respond to potential threats effectively.

pg. 1

General Steps:

1. Identify Triggers: Determine the events or conditions that should trigger an alert or
vulnerability notification. This might involve analyzing existing security incidents, reviewing
compliance requirements, or considering risk assessments.

2. Define Severity Levels: Assign severity levels to alerts and vulnerabilities based on their
potential impact and urgency.

3. Configure Notification Channels: Choose how you want to receive notifications, such as
email, SMS, or integration with other tools.

4. Tune and Test: Regularly evaluate, refine, and test your rules to ensure they accurately
represent your security needs and avoid generating excessive or unhelpful notifications.

Configuring Microsoft Defender for Endpoint Advanced Features:

Defender for Endpoint: Microsoft's endpoint protection platform (EPP) that provides a range of
features to protect devices from malware, viruses, zero-day attacks, and other threats.

Advanced Features (Examples):

 Endpoint analytics: Provides deep insights into endpoint activity to detect potential threats
and suspicious behaviors.

 Attack surface reduction rules (ASR): Block or mitigate vulnerabilities by controlling how
applications interact with the operating system and resources.

 Network isolation: Restrict communication between endpoints and potentially compromised
network segments.

 Controlled folder access: Prevent unauthorized modifications to specific folders on
endpoints to protect critical files.

Purpose:

 Leverage advanced features within Defender for Endpoint to further strengthen your
endpoint security posture.

 These features offer more granular control and proactive protection against sophisticated
threats.

General Approach:

 Carefully review available documentation and resources from Microsoft to understand the
specific configuration options and potential implications for your environment.

 Only enable and configure features that align with your organization's security posture and
risk tolerance.

 Consider conducting pilot tests in controlled environments before deploying advanced
features to your entire production environment.

Configuring Endpoint Rules Settings, Including Indicators and Web Content Filtering:

Endpoint Rules:

 Policies applied to endpoints that define allowed or blocked behaviors, configurations, and
activities.

Indicators:

 Specific information about potential threats, such as malicious file hashes, URLs, IP
addresses, or indicators of compromise (IOCs).

Web Content Filtering:

 Restricting access to certain websites or categories of websites considered risky or
inappropriate.

Purpose:

 Use endpoint rules to enforce security policies and control endpoint behavior.

 Leverage indicators to identify and block known threats.

 Implement web content filtering to limit access to potentially harmful content and improve
user productivity.

General Steps:

1. Define Allowed and Blocked Activities: Determine which applications, processes, and
network connections are allowed or blocked on your endpoints.

2. Create Indicators: Compile a list of known malicious indicators based on threat intelligence
sources, internal security reports, or collaboration with external partners.

Managing Automated Investigation and Response (IR):

Automated IR: Utilizing tools and workflows to automatically investigate and respond to security
incidents, potentially isolating compromised systems, blocking malicious activity, or remediating
threats.

Steps (general overview):

1. Defender for Cloud or Sentinel: Utilize built-in automation capabilities or explore integration
with third-party IR frameworks.

2. Playbooks: Develop or utilize pre-built playbooks defining automated actions to be taken
upon specific security events.

3. Testing and refinement: Thoroughly test and refine automated IR processes to ensure
effectiveness and avoid unintended consequences.

Configuring Automatic Attack Disruption:

Automatic attack disruption: Taking immediate measures to halt ongoing cyberattacks, such as
isolating infected devices, blocking network traffic, or shutting down processes.

Steps (general overview):

1. Defender for Cloud or Sentinel: Explore advanced threat protection and response features
within these platforms.

2. Configuration: Depending on the chosen platform, configure specific settings for automatic
attack disruption based on predefined triggers or threat detection rules.

3. Testing and refinement: Similar to automated IR, thoroughly test and refine the
configuration to ensure it disrupts attacks without causing unintended disruptions to
legitimate operations.

Manage assets and environments


Configure and Manage Device Groups, Permissions, and Automation Levels in Microsoft Defender
for Endpoint:

 Device Groups:

o Create logical groupings of devices based on factors like operating system,
department, or security risk level.

o This aids in efficient policy application, alert management, and vulnerability
scanning.

o Use Defender for Endpoint's console or PowerShell cmdlets for creation.

 Permissions:

o Define user and group access levels to various Defender for Endpoint functionalities.

o Granular control ensures only authorized personnel can perform specific actions like
isolating compromised devices.

o Manage permissions in the console or via PowerShell.

 Automation Levels:

o Configure automated responses to security incidents based on severity and pre-
defined rules.

o This empowers faster incident resolution and reduces manual intervention.

o Options include automatic isolation, remediation actions, and quarantine.

o Set automation levels in the console or through PowerShell.

Identify and Remediate Unmanaged Devices in Microsoft Defender for Endpoint:

 Identify Unmanaged Devices:

o Utilize features like network discovery and asset inventory tools to locate devices not
actively reporting to Defender for Endpoint.

o Unmanaged devices pose security risks as they lack protection and monitoring.

o Defender for Endpoint console or PowerShell cmdlets can help identify them.

 Remediate Unmanaged Devices:

o Employ tools like Group Policy or Intune to deploy the Defender for Endpoint agent
on unmanaged devices.

o Ensure all devices within your network are protected and monitored.

o Specific steps depend on your management tools and configurations.
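Worked example for identifying unmanaged devices (added here; not code from the cheat sheet or from Microsoft): an advanced hunting query over the Defender for Endpoint DeviceInfo table that lists devices the platform has seen but which are not onboarded, plus onboarded devices whose sensor has stopped reporting. It assumes the documented OnboardingStatus and SensorHealthState columns; the 30-day window is a chosen value.

```kql
// Added example, not from the cheat sheet. Assumes the Defender for Endpoint
// DeviceInfo table with its OnboardingStatus and SensorHealthState columns.
let lookback = 30d;                       // how far back to look for a device (assumed)
DeviceInfo
| where Timestamp > ago(lookback)
| summarize arg_max(Timestamp, *) by DeviceId          // latest record per device
// Classify the coverage gap: discovered but never onboarded, or onboarded but silent.
| extend Gap = case(
      OnboardingStatus != "Onboarded", "Not onboarded",
      SensorHealthState != "Active", strcat("Onboarded, sensor ", SensorHealthState),
      "OK")
| where Gap != "OK"
| project LastSeen = Timestamp, DeviceName, DeviceType, OSPlatform, OSVersion,
          OnboardingStatus, SensorHealthState, MachineGroup, Gap
| order by LastSeen asc                                // oldest sightings first
```

Devices in the "Not onboarded" bucket are the candidates for agent deployment through Group Policy or Intune as described above; devices whose sensor is "Inactive" or "Impaired communications" are already enrolled and usually need a connectivity or service fix rather than a new deployment.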

Manage Resources by Using Azure Arc:

 Azure Arc:

o A hybrid management platform that extends Azure capabilities to on-premises,
multi-cloud, and edge environments.

o Enables centralized management and governance for resources across diverse
landscapes.

 Resource Management:

o Provision, configure, and monitor resources like VMs, Kubernetes clusters, and
databases using Azure Arc.

o This centralizes management and simplifies operations for heterogeneous
environments.

Connect Environments to Microsoft Defender for Cloud (by using multi-cloud account
management):

 Microsoft Defender for Cloud:

o A unified security platform for cloud workloads, providing threat detection,
investigation, and remediation across Azure, AWS, GCP, and other environments.

 Multi-Cloud Account Management:

o Connect and manage Defender for Cloud across multiple cloud subscriptions and
accounts, offering consolidated security visibility and control.

o Use the Azure portal or Azure CLI to connect environments.

Discover and Remediate Unprotected Resources by Using Defender for Cloud:

 Resource Discovery:

o Defender for Cloud automatically discovers resources within your connected cloud
environments.

o This includes Azure resources, as well as workloads running on other cloud providers
(AWS, GCP, etc.).

 Unprotected Resource Remediation:

o Identify resources that lack security configurations or are not actively protected by
Defender for Cloud.

o Apply recommendations and remediate vulnerabilities to improve your overall
security posture.

o Defender for Cloud provides guidance and recommendations for remediation.

Identify and Remediate Devices at Risk by Using Microsoft Defender Vulnerability Management:

 Microsoft Defender Vulnerability Management:

o A vulnerability scanning and patching solution within Microsoft Defender for
Endpoint.

o Identifies security vulnerabilities on managed devices and facilitates patching.

 Risk Identification:

o Defender for Endpoint scans devices to detect known vulnerabilities and assess their
severity.

o Prioritize vulnerabilities based on risk and exploitability to focus remediation efforts.

 Vulnerability Remediation:

o Apply security patches or mitigate vulnerabilities based on Defender for Endpoint's
recommendations.

o Patching can be automated or performed manually.
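Worked example for the "prioritize vulnerabilities based on risk and exploitability" step (added here; not code from the cheat sheet or from Microsoft): an advanced hunting query that joins the per-device findings in DeviceTvmSoftwareVulnerabilities with the CVE knowledge base in DeviceTvmSoftwareVulnerabilitiesKB, keeps CVEs that have a public exploit or a critical CVSS score, and ranks them by how many devices are affected. It assumes those two documented tables; the CVSS cut-off of 9.0 is a chosen value.

```kql
// Added example, not from the cheat sheet. Assumes the Defender Vulnerability
// Management tables DeviceTvmSoftwareVulnerabilities (per device) and
// DeviceTvmSoftwareVulnerabilitiesKB (per CVE) in advanced hunting.
let criticalCvss = 9.0;                   // threshold for "fix regardless" (assumed)
DeviceTvmSoftwareVulnerabilities
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, CvssScore, IsExploitAvailable, PublishedDate
  ) on CveId
// Exploitable first, then anything critical even without a known exploit.
| where IsExploitAvailable == true or CvssScore >= criticalCvss
| summarize Devices = dcount(DeviceId),
            Software = make_set(strcat(SoftwareVendor, ":", SoftwareName), 10),
            Fix = take_any(RecommendedSecurityUpdate),
            Published = take_any(PublishedDate)
  by CveId, VulnerabilitySeverityLevel, CvssScore, IsExploitAvailable
| order by toint(IsExploitAvailable) desc, CvssScore desc, Devices desc
```

The result is a patch queue ordered the way the section recommends: exploitable CVEs with the widest footprint at the top, each with the security update Defender for Endpoint recommends, which can then be applied manually or through an automated patching pipeline.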

Design and configure a Microsoft Sentinel workspace


Planning a Microsoft Sentinel Workspace:

 Define Workspace Purpose and Scope:

o Determine the specific security needs and goals you want to address.

o Consider the types of logs you'll collect and analyze (e.g., security events, network
traffic, identity data).

o Establish the geographic location(s) where data will be stored based on compliance
or data residency requirements.

 Choose the Right Workspace Tier:

o Evaluate factors like data volume, ingestion rate, and retention needs.

o Select from tiers like "Free," "Standard," or "Premium" based on your requirements.

o Consideration: Microsoft Sentinel offers a free tier for low-volume environments,
but it has limited features and capabilities.

 Plan Data Collection and Ingestion:

o Identify the sources of security data you'll collect (e.g., Azure resources, Microsoft
365, on-premises systems).

o Choose appropriate data connectors or agents to collect and transport logs to
Sentinel.

o Configure data sources and connectors through Sentinel's user interface or API.

o Note: Be mindful of data privacy regulations when collecting and storing sensitive
information.

Configuring Microsoft Sentinel Roles:

 Understand Role Hierarchy and Permissions:

o Sentinel utilizes Azure Active Directory (Azure AD) roles to grant specific permissions
for workspace access and management.

o Roles are assigned to users or groups to control their capabilities within the
workspace.

 Essential Roles and Their Responsibilities:

o Security Reader: View data and dashboards, but cannot modify configurations.

o Security Operator: Perform routine tasks, investigate incidents, and modify
configurations.

o Security Admin: Manage all aspects of the workspace, including user access and
configuration changes.

o Log Analytics Reader: Access and analyze logs collected in Sentinel using Log
Analytics workspace.

 Assigning Roles:

o Use the Azure portal, Azure PowerShell, or Azure CLI to assign roles at the workspace
level or to individual users or groups.

Specifying Azure RBAC Roles for Microsoft Sentinel Configuration:

 Understanding Azure RBAC:

o Azure Resource Manager (ARM) uses Azure RBAC to control access to Azure
resources, including Sentinel workspaces.

o Roles define the actions users can perform on specific resources.

 Required Roles for Sentinel Configuration:

o Log Analytics Contributor: Create and manage Log Analytics workspaces (required
for Sentinel).

o Microsoft.Security/workspaces/write: Manage Sentinel workspace configuration,
data connectors, and settings.

o Additional Roles may be needed:

 For specific data sources like Azure VMs, additional roles like "Virtual
Machine Contributor" might be necessary.

 Consider the principle of least privilege, granting only the minimum
permissions required for each user's role.

 Granting RBAC Roles:

o Utilize the Azure portal, Azure PowerShell, or Azure CLI to assign RBAC roles to users,
groups, or service principals.

Designing and Configuring Microsoft Sentinel Data Storage:

 Understanding Data Storage Options:

o Sentinel works seamlessly with Azure Log Analytics workspaces for storing and
analyzing collected data.

o Logs are stored in tables that can be queried using Kusto Query Language (KQL).

 Log Types and Retention:

o Define the log types (e.g., security events, network traffic) you want to collect based
on your security needs.

o Designate a retention period for each log type considering compliance requirements,
storage costs, and analysis needs.

 Configuring Data Storage:

o During workspace creation, specify the desired retention period for each log type.

o Sentinel automatically manages data storage and deletion based on your
configurations.

o Tip: It's recommended to retain security event logs for longer durations for security
analysis and forensic investigations.

Managing Multiple Workspaces with Workspace Manager and Azure Lighthouse:

 Workspace Manager:

o This Azure portal tool facilitates centralized management and monitoring of multiple
Sentinel workspaces across subscriptions.

o Use it to:

 View summaries of workspace health and performance.

 Run queries across multiple workspaces simultaneously.

 Simplify tasks like updating data connectors and managing alerts.

 Azure Lighthouse:

o Enables Managed Service Providers (MSPs) or security teams to deliver and manage
Sentinel workspaces across customer subscriptions.

o Provides delegated access and control over workspaces without requiring direct
subscription ownership.

 Choosing the Right Tool:

o Workspace Manager is ideal
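Worked example for "run queries across multiple workspaces simultaneously" (added here; not code from the cheat sheet or from Microsoft): a KQL cross-workspace query that unions the SecurityIncident table from several Sentinel workspaces and summarises open and high-severity incidents per workspace. It assumes the caller has read access to every workspace named (for example through Azure Lighthouse delegation); the workspace names are placeholders.

```kql
// Added example, not from the cheat sheet. The workspace names below are
// placeholders; replace them with your own workspace names or resource IDs.
union isfuzzy=true                                   // keep going if one workspace is unreachable
    (workspace("sentinel-prod-placeholder").SecurityIncident),
    (workspace("sentinel-emea-placeholder").SecurityIncident)
| where TimeGenerated > ago(7d)
// SecurityIncident logs every change; keep only the latest state of each incident.
| summarize arg_max(LastModifiedTime, *) by TenantId, IncidentNumber
| summarize OpenIncidents = countif(Status in ("New", "Active")),
            HighSeverityOpen = countif(Status in ("New", "Active") and Severity == "High"),
            ClosedLast7d = countif(Status == "Closed")
  by WorkspaceId = TenantId                          // TenantId here is the workspace ID
```

The same pattern works for any table that exists in all workspaces; the per-workspace summary gives a quick health view of a multi-customer estate without opening each workspace in turn.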

Ingest data sources in Microsoft Sentinel


Identifying Data Sources for Microsoft Sentinel:

 What are data sources? Data sources are any systems or applications that generate security
logs, alerts, or other relevant information about your environment. Examples include:

o Microsoft products like Microsoft 365 Defender, Azure Security Center, Azure Active
Directory, and more

o On-premises security solutions

o Network devices like firewalls and intrusion detection systems (IDS)

o Custom applications

 Why is it important? Identifying the right data sources is critical for comprehensive security
monitoring. By collecting data from various sources, you gain a broader view of potential
threats and suspicious activities.

 How to do it?

o Review your environment: Start by understanding the security solutions and
applications deployed in your organization, both on-premises and in the cloud.

o Identify relevant data: Determine what type of data each source can provide, such
as security events, alerts, network traffic, and more.

o Prioritize based on risk: Focus on gathering data from sources that are most relevant
to your security posture and risk profile.

Configuring and Using Microsoft Connectors for Azure Resources:

 What are connectors? Connectors are pre-built integrations that simplify the process of
collecting data from various Azure services into Microsoft Sentinel. They automate data
ingestion and configuration, saving you time and effort.

 What specific connectors are relevant?

o Azure Policy connector: Provides insights into policy violations and helps you track
security compliance within your Azure environment.

o Azure Diagnostics connector: Enables collection of diagnostic logs from Azure
resources, providing valuable troubleshooting and monitoring data.

 How to configure them?

o Go to the Data connectors section in Microsoft Sentinel.

o Find the desired connector (e.g., "Azure Policy").

o Click Connect and follow the on-screen instructions, providing necessary
authentication details.

o Once connected, configure the specific data you want to collect and define any
filtering criteria.

Configuring Bidirectional Synchronization:

 What is bidirectional synchronization? This allows for seamless exchange of security
information between Microsoft Sentinel and other security tools. It ensures that both
systems have the latest insights and can trigger automated responses based on events
detected in either platform.

 Specific configurations:

o Between Microsoft Sentinel and Microsoft Defender XDR: This enables
comprehensive threat detection and investigation by combining XDR's extended
detection and response (XDR) capabilities with Sentinel's powerful analytics and
automation features.

o Between Microsoft Sentinel and Microsoft Defender for Cloud: Allows for
integrated security management across cloud workloads and Sentinel's centralized
event collection and analysis.

 How to configure? The specific steps vary depending on the chosen configuration. Refer to
Microsoft's official documentation for detailed instructions: https://learn.microsoft.com/en-
us/credentials/certifications/exams/sc-200/

Planning and Configuring Syslog and CEF Collection:

 What are Syslog and CEF? These are standard protocols for logging and communicating
security events between devices and security information and event management (SIEM)
systems like Microsoft Sentinel.

 Planning considerations:

o Identify devices and applications that support Syslog or CEF: Determine which
systems in your environment generate logs using these protocols.

o Define log formats and severity levels: Decide which data fields you need to collect
and set the severity level (e.g., informational, warning, critical) for each type of
event.

 Configuration steps:

o Refer to the documentation of your Syslog or CEF-enabled devices for specific
configuration settings.

o In Microsoft Sentinel, go to Data connectors and search for the relevant connector
(e.g., "Syslog").

o Provide the necessary configuration details, including the IP address or hostname of
your Syslog/CEF server and the port it listens on.

Planning and Configuring Windows Security Events Collection:

 What are Windows Security events? Windows operating systems generate various security-
related events that can be valuable for monitoring and detecting suspicious activities.

 Planning considerations:

o Determine the type of events you need: Analyze the potential security risks in your
environment and choose the appropriate Windows Security event logs to collect
(e.g., security audit logs, system logs).

 Configuration steps:

o Using Data Collection Rules (DCRs): In Microsoft Sentinel, create a new DCR and
select Windows as the data source.

o Specify the target group of machines to collect data from and choose the specific
event logs you want to include.

o Alternatively, you can use Windows Event Forwarding (WEF): Configure WEF

Configuring Threat Intelligence Connectors:

Threat intelligence (TI) is crucial for security analysts to stay informed about the latest threats and
vulnerabilities. SC-200 covers configuring various connectors to bring external TI feeds into Microsoft
Sentinel, a security information and event management (SIEM) platform. Here are the mentioned
connector types:

 Platform Connectors: These pre-built connectors integrate directly with other Microsoft
security products like Microsoft Defender for Cloud or Microsoft 365 Defender, allowing you
to receive relevant threat alerts and indicators from those sources.

 TAXII (Trusted Automated Exchange of Indicator Information) Connectors: This standard
enables communication with security information sharing communities, allowing you to
receive threat indicators from various sources using the TAXII protocol.

 Upload Indicators API: This option allows you to upload custom threat indicators (e.g., IP
addresses, URLs) directly into Sentinel using an API call.

 MISP (Malware Information Sharing Platform) Connectors: MISP is another platform for
sharing threat information. This connector allows you to integrate your Sentinel instance
with MISP to receive and share threat intelligence data.
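Worked example serving both the "Indicators" item in the endpoint rules section above and the threat intelligence connectors just described (added here; not code from the cheat sheet or from Microsoft): a KQL query that takes the active IP indicators the TI connectors have landed in the ThreatIntelligenceIndicator table and matches them against outbound connections recorded in DeviceNetworkEvents, so that a match surfaces as a finding rather than only as a blocked connection. It assumes those two documented tables and that indicators are updated in place by IndicatorId; the look-back windows are chosen values.

```kql
// Added example, not from the cheat sheet. Assumes the Sentinel tables
// ThreatIntelligenceIndicator (fed by TAXII/MISP/upload connectors) and
// DeviceNetworkEvents (fed by the Defender for Endpoint connector).
let indicatorWindow = 14d;                // how far back to collect indicators (assumed)
let eventWindow = 1d;                     // how far back to look for connections (assumed)
let ActiveIndicators = ThreatIntelligenceIndicator
    | where TimeGenerated > ago(indicatorWindow)
    | summarize arg_max(TimeGenerated, *) by IndicatorId     // latest version of each indicator
    | where Active == true and ExpirationDateTime > now()    // drop revoked or expired ones
    | where isnotempty(NetworkIP) or isnotempty(NetworkDestinationIP)
    | extend IndicatorIP = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
    | project IndicatorId, IndicatorIP, ThreatType, ConfidenceScore, Description, SourceSystem;
DeviceNetworkEvents
| where Timestamp > ago(eventWindow)
| where RemoteIPType == "Public"                             // internal ranges are never TI hits
| join kind=inner ActiveIndicators on $left.RemoteIP == $right.IndicatorIP
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
          RemoteIP, RemotePort, RemoteUrl, ThreatType, ConfidenceScore, Description, SourceSystem
| order by ConfidenceScore desc, Timestamp desc
```

The same join shape works for URL and file-hash indicators by swapping the matched columns (Url against RemoteUrl, FileHashValue against SHA256 in DeviceFileEvents); filtering on ConfidenceScore before alerting keeps low-quality feed entries from driving the alert queue.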

Creating Custom Log Tables in the Workspace:

Sentinel stores ingested data from various sources, including security products, network devices, and
applications. This data is stored in log tables within the workspace. SC-200 emphasizes the ability to
create custom log tables to manage specific data types or tailor data organization for efficient
analysis. Here's what you need to know:

 Schema Definition: You define the structure of the table by specifying the data types (e.g.,
string, integer) and names of each column.

 Data Mapping: You map incoming data to specific columns in the table, ensuring the data is
stored and organized appropriately.

 Normalization: You can optimize data storage and improve query performance by
normalizing the data structure, which involves eliminating redundancy and organizing data
into related tables.

Configure protections and detections (15–20%)


Configure protections in Microsoft Defender security technologies
Configuring Policies for Microsoft Defender for Cloud Apps (MCDA):

 MCDA protects against cloud application threats by analyzing user activity, detecting
suspicious behavior, and enforcing access controls.

 You can configure policies to:

o Control access: Define allowed and blocked applications, configure multi-factor
authentication, and set session timeouts.

o Detect threats: Set anomaly detection rules to identify unusual user activity or data
access attempts.

o Prevent data loss: Implement data loss prevention (DLP) policies to restrict sensitive
data sharing.

Configuring Policies for Microsoft Defender for Office (MDO):

 MDO protects against threats like phishing emails, malware, and malicious attachments in
Microsoft Office applications.

 You can configure policies to:

o Enable anti-malware protection: Scan emails, documents, and attachments for
malware.

o Filter phishing emails: Block emails with malicious URLs or attachments commonly
used in phishing attacks.

o Control application features: Disable features like macros or external data
connections that can be exploited by attackers.

Configuring Security Policies for Microsoft Defender for Endpoints (MDE):

 MDE protects devices like laptops and servers against malware, vulnerabilities, and other
threats.

 You can configure policies to:

o Enable real-time protection: Continuously monitor devices for suspicious activity
and block threats.

o Configure attack surface reduction (ASR) rules: These rules block specific techniques
commonly used by attackers, such as disabling security software or exploiting
vulnerabilities.

o Define device exclusions: Specify devices that shouldn't be scanned or protected by
MDE.

Configuring Cloud Workload Protections in Microsoft Defender for Cloud (MDC):

 MDC protects cloud resources like Azure virtual machines and containers from threats.

 You can configure policies to:

o Enable continuous security assessment: Identify vulnerabilities and
misconfigurations in your cloud resources.

o Monitor and respond to threats: Receive alerts about suspicious activity and take
action to mitigate threats.

o Enforce security best practices: Implement policies that ensure your cloud resources
are configured securely.

Resources for further study:

 Microsoft SC-200 Exam Skills Measured: https://learn.microsoft.com/en-us/credentials/certifications/exams/sc-200/

 Microsoft Defender for Cloud Apps Documentation: https://learn.microsoft.com/en-us/azure/defender-for-cloud/

 Microsoft Defender for Office Documentation: https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-365-security-center-mdo?view=o365-worldwide

 Microsoft Defender for Endpoints Documentation: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/?view=o365-worldwide

 Microsoft Defender for Cloud Documentation: https://learn.microsoft.com/en-us/azure/defender-for-cloud/

Configure detection in Microsoft Defender XDR


Configure and Manage Custom Detections in Microsoft Defender XDR:

 Purpose: Create custom detection rules to identify specific security events not covered by
built-in detections. These rules leverage queries written in Kusto Query Language (KQL) to
analyze security data and generate alerts.

 Process:

1. Create the Rule: Use the Microsoft Defender Security Center (MDSC) portal to
navigate to Hunting > Custom detection rules. Click Create new rule.

2. Define the Query: Use KQL to define the query that identifies the desired security
event. KQL allows filtering data based on various criteria like device, user, process,
file, and registry entries.

3. Configure Settings: Define the schedule for running the query (e.g., hourly, daily), set
severity level for generated alerts, and choose the target scope (e.g., specific
devices, all devices).

4. Test and Deploy: Test the rule using the Run now option and review the generated
alerts for accuracy. Once satisfied, deploy the rule to the desired scope.

 Management:

o Review and Modify: Monitor triggered alerts and modify the rule's query or settings
as needed.

o Enable/Disable: Temporarily disable rules for maintenance or troubleshooting.

o Permissions: Requires "Manage security settings" permission in MDSC with Role-
Based Access Control (RBAC) enabled.

Configure Alert Tuning in Microsoft Defender XDR:

 Purpose: Reduce alert fatigue and improve the efficiency of security analysts by
automatically managing specific alerts.

 Process:

1. Access Settings: Navigate to Settings > Rules > Alert tuning in MDSC.

2. Create Tuning Rule: Click Add new rule.

3. Define Conditions: Specify conditions based on evidence types (e.g., files, processes)
or entity properties (e.g., device name, user account) to identify the target alerts.

4. Choose Action: Select the desired action for matching alerts. Options include:

 Suppress: Hide the alert from the queue.

 Resolve: Mark the alert as resolved.

 Assign a severity level: Adjust the severity of the alert.

 Run a script: Automate specific actions for specific alerts.

 Benefits:

o Reduces time spent on irrelevant alerts.

o Prioritizes critical alerts for faster investigation.

o Automates incident response actions for common scenarios.

Configure Deception Rules in Microsoft Defender XDR:

 Purpose: Deploy deceptive resources (e.g., fake files, registry keys) to attract and mislead
attackers, revealing their presence and intentions.

 Process:

1. Enable Deception: Navigate to Settings > Deception in MDSC.

2. Deploy Decoys: Choose the types of deceptions to deploy, such as folders, files, or
registry keys.

3. Customize Appearance: Configure decoy behavior and appearance to mimic
legitimate resources.

4. Monitor and Investigate: Monitor alerts triggered by interactions with deceptions to
identify potential attacker activity.

 Benefits:

o Proactively detects attackers actively searching for specific resources.

o Provides valuable insights into attacker tactics, techniques, and procedures (TTPs).

o Limits attacker dwell time and reduces potential damage.

Remember: This explanation provides a high-level overview. Refer to Microsoft's official
documentation for detailed configuration steps, advanced options, and best practices:

 Create and manage custom detection rules: https://learn.microsoft.com/en-us/microsoft-365/security/defender/eval-overview?view=o365-worldwide

 Investigate alerts in Microsoft Defender XDR: https://learn.microsoft.com/en-us/microsoft-365/security/defender/?view=o365-worldwide

 Overview of custom detections in Microsoft Defender XDR: https://www.microsoft.com/en-us/security/business/solutions/extended-detection-response-xdr

Configure detections in Microsoft Sentinel


Classify and Analyze Data by Using Entities:

 Entities: These are real-world objects like users, computers, IP addresses, etc., found in
security data. Sentinel automatically extracts entities from various sources like logs, network
traffic, and endpoint data.

 Classification: You can categorize entities based on their type, risk level, or other relevant
factors. This helps you filter and analyze data efficiently. For example, you can filter events
related to a specific user or device.

 Analysis: Once entities are classified, you can use them to conduct deeper analysis. You can
create queries that search for specific combinations of entities and events to identify
potential security incidents.

Configure Scheduled Query Rules, including KQL:

 Scheduled Query Rules: These are automated queries that run at specific intervals (daily,
weekly, etc.) and search for security events matching defined criteria.

 Kusto Query Language (KQL): This is a powerful query language used in Sentinel to search
and analyze data. You can use KQL to filter events based on various criteria, including
timestamps, entities, event types, etc.

 Configuring Rules: You can define the query logic using KQL within the scheduled rule
configuration. This allows you to automate data analysis and receive alerts when specific
events occur.

Configure Near-Real-Time (NRT) Query Rules, including KQL:

 NRT Query Rules: These rules are similar to scheduled ones, but they run continuously and
analyze data in near real-time. This provides faster detection of potential threats.

 Use Case: NRT rules are ideal for monitoring critical security events like suspicious login
attempts or malware activity. They allow you to identify and respond to threats quickly.

 Configuration: Similar to scheduled rules, you define the KQL-based query logic within the
NRT rule configuration for real-time analysis.
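The entity, scheduled-rule and NRT sections above describe the query shape but do not show one. The following is an added example, not taken from the cheat sheet or from Microsoft's rule templates: a scheduled analytics rule query that flags repeated failed Windows logons and projects the columns an entity mapping (Account, Host, IP) would reference. It assumes Windows Security events are collected into the SecurityEvent table; the lookback and threshold values are constructed.

```kql
// Added example, not from the cheat sheet or from Microsoft's rule templates:
// scheduled analytics rule query for repeated failed Windows logons.
// Assumes Windows Security events are collected into the SecurityEvent table.
// The lookback and threshold are constructed; set the rule's "Run query every"
// and "Lookup data from the last" to match the lookback.
let lookback = 1h;
let threshold = 20;
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4625                       // an account failed to log on
| where AccountType == "User"
| where isnotempty(IpAddress) and IpAddress != "-"
| extend TargetAccount = strcat(TargetDomainName, @"\", TargetUserName)
| summarize FailedAttempts = count(),
            FirstAttempt = min(TimeGenerated),
            LastAttempt = max(TimeGenerated),
            LogonTypes = make_set(LogonType, 5)
    by TargetAccount, Computer, IpAddress
| where FailedAttempts >= threshold
// Entity mapping in the rule wizard: Account -> TargetAccount, Host -> Computer, IP -> IpAddress
| project LastAttempt, TargetAccount, Computer, IpAddress, FailedAttempts, FirstAttempt, LogonTypes
```

Each output row becomes one alert whose entities are taken from the mapped columns, which is what lets Sentinel classify the incident by account, host and IP. The same query body serves as an NRT rule once the `ago(lookback)` filter is dropped, because NRT rules always run once a minute over the last minute of data.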

Manage Analytics Rules from Content Hub:


 Content Hub: This is a repository within Sentinel where you can find pre-built queries,
workbooks, and other security content. These resources can be used to create or modify
your own analytics rules.

 Analytics Rules: These are broader concepts encompassing both scheduled and NRT rules.
They define the overall logic for analyzing data and generating alerts.

 Management: The Content Hub allows you to easily import, modify, and manage your entire
collection of analytics rules from a central location. This streamlines security operations and
ensures consistency in your threat detection strategy.

Configure anomaly detection analytics rules:

Anomaly detection analytics rules are essential for identifying suspicious activities in Microsoft
Sentinel. They leverage data patterns and baselines to spot deviations that might indicate threats.
Here's how to configure them:

 Define the data source: Specify the data table (e.g., security events, network logs) where the
rule will analyze data.

 Choose the detection logic: Select a pre-built rule or create a custom one using Kusto Query
Language (KQL). KQL allows you to filter, aggregate, and analyze security data for anomaly
detection.

 Set sensitivity and thresholds: Define how sensitive the rule should be to anomalies and set
thresholds to trigger alerts when anomalies exceed a specific level.

 Enable the rule: Once configured, activate the rule to start monitoring data and generate
alerts for potential threats.

Configure the Fusion rule:

The Fusion rule is a pre-built analytics rule in Sentinel that goes beyond simple anomaly detection. It
correlates security events from various sources, including Microsoft 365 Defender, Azure Defender,
and third-party security products. This correlation helps you connect the dots and gain a broader
understanding of potential attacks. Here's the configuration process:

 Enable the Fusion rule: This can be done through the Sentinel portal by navigating to the
"Analytics" section and activating the "Fusion" rule.

 Configure specific detections: While the Fusion rule is pre-built, you can customize its
behavior by defining specific detections you want to focus on. This can involve selecting
specific data sources or threat categories.

 Tune sensitivity and thresholds: Similar to anomaly detection rules, you can adjust the
sensitivity and thresholds to control the number of alerts generated by the Fusion rule.

Query Microsoft Sentinel data using ASIM parsers:

ASIM (Advanced SIEM Information Model) parsers are a standardized format for representing
security events. These parsers allow Sentinel to understand and analyze data from various sources,
even if they follow different log formats. Here's how to query Sentinel data using ASIM parsers:

 Identify the ASIM table: Locate the specific ASIM table containing the data you want to
query. You can find a list of available tables in Sentinel documentation.


 Craft your KQL query: Use the KQL syntax to filter, aggregate, and analyze data within the
chosen ASIM table.

 Run the query and analyze results: Once your query is written, run it in Sentinel to retrieve
the desired information. Understand the results in the context of your security investigation.
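As an added example of the three steps above (not code from the cheat sheet), the following query uses the built-in ASIM authentication unifying parser `_Im_Authentication`, so the same logic covers Windows, Entra ID, Linux and other connected sources without per-product column names. It assumes at least one authentication source is connected; the failure threshold is constructed.

```kql
// Added example, not from the cheat sheet: query normalized authentication events
// through the ASIM unifying parser. The starttime/endtime/eventresult filtering
// parameters are passed to the parser so filtering happens before normalization.
// Assumes the built-in _Im_Authentication parser and at least one connected source.
_Im_Authentication(starttime=ago(1d), endtime=now(), eventresult='Failure')
| where EventType == "Logon"
| summarize Failures = count(),
            Products = make_set(EventProduct, 5),     // which sources reported the failures
            SourceIPs = make_set(SrcIpAddr, 10),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by TargetUsername
| where Failures > 25                                  // constructed threshold
| order by Failures desc
```

Because the parser normalizes every source into the same schema (TargetUsername, SrcIpAddr, EventResult, EventProduct), a detection written this way keeps working when a new log source is onboarded; the same query against raw tables would need a separate branch per product.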

Manage and use threat indicators:

Threat indicators are specific pieces of information, like IP addresses, URLs, or file hashes, associated
with known or potential threats. Sentinel allows you to manage and use these indicators to enhance
threat detection capabilities. Here's an overview:

 Create and import indicators: You can manually define indicators in Sentinel or import them
from external sources like threat intelligence feeds.

 Associate indicators with detections: Link indicators to specific analytics rules or
investigations to enrich their context and improve threat detection accuracy.

 Utilize indicators for blocking and enrichment: Sentinel can leverage indicators to block
suspicious traffic or enrich security events by associating them with known threats.
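The matching step that the "associate indicators with detections" bullet describes looks like this in practice. The query below is an added example, not from the cheat sheet, shaped after the pattern Sentinel's built-in threat-intelligence rule templates use: active IP indicators from the ThreatIntelligenceIndicator table are joined to Entra ID sign-ins. It assumes a TI connector populates ThreatIntelligenceIndicator and that SigninLogs is connected; the lookback values are constructed.

```kql
// Added example, not from the cheat sheet: match active IP indicators against sign-ins.
// Assumes a TI connector writes to ThreatIntelligenceIndicator and SigninLogs is connected.
let ioc_lookback = 14d;     // constructed; indicators are re-ingested periodically
let event_lookback = 1h;    // constructed; align with the rule's run frequency
let active_ip_iocs =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookback)
    | summarize arg_max(TimeGenerated, *) by IndicatorId   // newest version of each indicator
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(NetworkIP)
    | project IndicatorId, NetworkIP, ThreatType, ConfidenceScore, Description;
SigninLogs
| where TimeGenerated >= ago(event_lookback)
| join kind=inner active_ip_iocs on $left.IPAddress == $right.NetworkIP
| project TimeGenerated, UserPrincipalName, IPAddress, ResultType, AppDisplayName,
          IndicatorId, ThreatType, ConfidenceScore, Description
```

Taking the newest row per IndicatorId before the join matters: indicators are updated in place by the feed, and without the `arg_max` step a single sign-in would produce one match per historical version of the indicator. Indicator columns carried into the alert (ThreatType, ConfidenceScore) are what enrich the resulting incident.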

Manage incident response (35–40%)


Respond to alerts and incidents in Microsoft Defender XDR
Investigate and remediate threats to Microsoft Teams, SharePoint Online, and OneDrive:

 This involves understanding how to identify suspicious activities within these collaboration
platforms. This could include:

o Analyzing user access logs for unusual access patterns or unauthorized access
attempts.

o Detecting suspicious file uploads or downloads, especially large file transfers or


unauthorized sharing.

o Identifying malware or malicious content uploaded to these platforms.

 Remediation involves taking actions to neutralize threats, such as:

o Isolating compromised accounts or devices.

o Removing malicious content.

o Reporting incidents and collaborating with IT teams to address the root cause.

Investigate and remediate threats in email using Microsoft Defender for Office:

 This focuses on using Defender for Office to detect and respond to threats delivered via
email, including:

o Phishing attacks: Identifying emails that attempt to trick users into clicking malicious
links or attachments.

o Spam: Filtering out unsolicited and unwanted emails.


o Malware: Detecting and removing malicious software delivered through email
attachments.

 Remediation involves:

o Isolating and deleting malicious emails.

o Educating users to identify and avoid falling victim to email threats.

Investigate and remediate threats like Ransomware and Business Email Compromise (BEC)
identified by automatic attack disruption:

 This covers investigating incidents automatically detected by Microsoft 365 services, such as:

o Ransomware: Identifying and responding to attempts to lock down user data and
demand ransom for its release.

o BEC: Investigating fraudulent emails that impersonate legitimate senders to trick
victims into transferring money or sharing sensitive information.

 Remediation involves:

o Restoring data backups (if available) to recover from attacks.

o Reporting incidents to authorities and collaborating with IT teams to improve
security posture.

Investigate and remediate compromised entities identified by Microsoft Purview DLP policies:

 This involves using data loss prevention (DLP) policies configured in Microsoft Purview
(formerly Microsoft Information Protection) to identify and investigate:

o Data exfiltration attempts: Unauthorized attempts to transfer sensitive data outside
the organization.

o Accidental data leaks: Inadvertent data sharing through unauthorized channels.

 Remediation involves actions like:

o Preventing the data transfer if detected in progress.

o Educating users about data security best practices.

o Reporting incidents and reviewing existing DLP policies for effectiveness.

Investigate and remediate threats identified by Microsoft Purview insider risk policies:

 This involves understanding how to leverage insider risk management features within
Microsoft Purview to investigate suspicious user activities, such as:

o Downloading large amounts of confidential data.

o Accessing unauthorized files or systems.

o Engaging in unusual access patterns.

 Remediation can involve actions like:

o Investigating the user's intent and potential violations of company policies.


o Employing additional security measures like resetting passwords or restricting access
based on the risk assessment.

Investigate and Remediate Alerts and Incidents Identified by Microsoft Defender for Cloud:

 Microsoft Defender for Cloud: A cloud-native security platform that continuously scans and
analyzes your cloud resources for vulnerabilities, threats, and misconfigurations.

 Investigating Alerts: Analyzing alerts generated by Defender for Cloud to determine their
severity, potential impact, and source. This may involve reviewing logs, examining security
events, and understanding the context of the alert.

 Remediation: Taking actions to address the identified issue. This could involve isolating
affected resources, patching vulnerabilities, or quarantining compromised machines.

Investigate and Remediate Security Risks Identified by Microsoft Defender for Cloud Apps:

 Microsoft Defender for Cloud Apps: A cloud-based security solution that protects your
organization from threats across various cloud applications, including SaaS, PaaS, and IaaS.

 Investigation: Analyzing alerts and reports generated by Defender for Cloud Apps to identify
potential risks like suspicious user activities, data leaks, or malware infections.

 Remediation: Taking steps to mitigate the identified risk. This may involve blocking malicious
activities, revoking user access, or isolating compromised applications.

Investigate and Remediate Compromised Identities in Microsoft Entra ID:

 Microsoft Entra ID: A comprehensive identity and access management (IAM) solution that
helps secure user access and identities across various platforms.

 Investigation: Identifying indicators of compromised identities, such as unusual login
attempts, suspicious activity from unauthorized locations, or access attempts from known
compromised devices.

 Remediation: Taking actions to secure the compromised identity. This may involve resetting
passwords, enforcing multi-factor authentication (MFA), or disabling compromised accounts.

Investigate and Remediate Security Alerts from Microsoft Defender for Identity:

 Microsoft Defender for Identity: An on-premises security solution that detects and responds
to suspicious activities and potential threats on your identity infrastructure (e.g., Active
Directory).

 Investigation: Analyzing alerts generated by Defender for Identity to understand the nature
of the suspicious activity, its potential impact, and the affected identities. This may involve
reviewing logs, analyzing network traffic, and identifying involved devices.

 Remediation: Taking necessary actions to address the threat. This could involve isolating
compromised devices, resetting user passwords, or implementing access controls to prevent
further attacks.

Manage Actions and Submissions in the Microsoft Defender portal:

 Microsoft Defender portal: A central hub for managing all your Microsoft security solutions,
including Defender for Cloud, Defender for Cloud Apps, Defender for Identity, and others.


 Action Management: Performing various actions on detected threats and vulnerabilities
within the Defender portal. This may involve initiating investigations, assigning remediation
tasks, or submitting suspicious artifacts for further analysis.

 Submission Management: Submitting samples of suspicious files, malware, or other artifacts
to Microsoft for further analysis and threat intelligence development.

Respond to alerts and incidents identified by Microsoft Defender for Endpoint


Investigate Timeline of Compromised Devices:

This task involves understanding the sequence of events related to a potentially compromised
device. The goal is to determine when and how the compromise occurred, what actions the attacker
took, and the extent of the damage.

Here are some key activities involved:

 Analyzing security logs: This includes reviewing logs from various sources like the operating
system, applications, and security tools. You'll look for suspicious activities like unexpected
login attempts, file modifications, or network connections.

 Utilizing endpoint detection and response (EDR) tools: Microsoft 365 Defender and
Defender for Cloud are relevant tools in this context. These tools provide detailed
information about events on the device, including timestamps and associated processes.

 Correlating data from different sources: Combine information from logs, EDR tools, network
activity monitoring (NAM) systems, and other security tools to build a complete picture of
the timeline.

 Identifying the initial compromise vector: This involves understanding how the attacker
gained access to the device, such as through phishing emails, malware downloads, or
vulnerabilities exploited.

Perform Actions on the Device (Live Response and Collecting Investigation Packages):

Once you have a better understanding of the compromise, you can take specific actions on the
device to:

 Contain the threat: This might involve isolating the device from the network, disabling user
accounts, or stopping malicious processes.

 Collect evidence: Use live response tools to gather data from the device's memory, running
processes, and registry. This evidence can be used for further analysis and forensic
investigation.

 Remediate the issue: Depending on the severity of the compromise, actions like removing
malware, patching vulnerabilities, or restoring the system from a backup might be necessary.

Perform Evidence and Entity Investigation:

This involves analyzing the collected evidence to identify the scope and impact of the compromise. It
also helps in understanding the attacker's motivations and techniques.

Here's a breakdown of some key steps:


 Analyzing collected data: This might involve examining memory dumps, network traffic
captures, and registry entries for suspicious activity indicators (SAIs) or indicators of
compromise (IOCs).

 Identifying compromised entities: This includes users, machines, and data that were
potentially affected by the attack.

 Reconstructing the attack flow: Based on the evidence, recreate the sequence of steps the
attacker took to compromise the system.

 Identifying potential root cause: Determine the vulnerabilities or misconfigurations that
allowed the attacker to gain access.

Enrich investigations by using other Microsoft tools


Investigate threats using Unified Audit Log:

 The Unified Audit Log (UAL) is a centralized location in Microsoft 365 that collects audit data
from various Microsoft services like Azure AD, Microsoft Exchange, and SharePoint Online.

 Security analysts use UAL to investigate suspicious activities, identify potential security
incidents, and understand user actions within the environment.

 UAL allows filtering and searching based on various criteria, including:

o Users: Investigate activities performed by specific users.

o Devices: Analyze actions taken from specific devices.

o Applications: Focus on activities related to specific applications.

o Timeframes: Narrow down the investigation window to pinpoint suspicious
activities.

 By analyzing UAL data, security analysts can:

o Detect unauthorized access attempts.

o Identify data exfiltration attempts.

o Investigate potential privilege escalations.

o Understand user behavior patterns to identify anomalies.

Investigate threats using Content Search:

 Content Search is another key tool in Microsoft 365 for investigating threats. It allows
searching across various content sources like mailboxes, OneDrive storage, SharePoint sites,
and Teams chats.

 Security analysts utilize Content Search to:

o Find specific emails containing keywords or phrases indicative of malicious activity,
such as phishing attempts or malware distribution.


o Identify documents containing sensitive information that might have been leaked
accidentally or through malicious intent.

o Locate specific files based on their properties, like creation date or modification
time, potentially linked to suspicious activity.

 By using advanced search queries and filters, analysts can narrow down their search scope
and efficiently pinpoint relevant information related to a potential security threat.

Perform threat hunting using Microsoft Graph activity logs:

 Microsoft Graph provides a programmatic interface to access data from various Microsoft
services, including Azure AD, Exchange Online, and OneDrive.

 Activity logs within Microsoft Graph capture details about user and application activities
within these services.

 Security analysts can leverage Microsoft Graph APIs to query activity logs and hunt for
threats proactively. This involves creating custom scripts or using tools like Microsoft Sentinel
to:

o Identify anomalous user behavior patterns, for example, unusual login attempts from
unexpected locations.

o Detect suspicious application access attempts, especially for applications not
commonly used within the organization.

o Monitor for specific events that might indicate potential security incidents, such as
data deletion or file modification attempts.

By mastering these skills in investigating threats using UAL, Content Search, and Microsoft Graph,
security analysts can be more effective in detecting, analyzing, and responding to security threats
within their Microsoft 365 environment.

Manage incidents in Microsoft Sentinel


Triage Incidents:

Triage is the initial assessment of an incident to determine its severity and priority. This involves:

 Navigating the Incidents tab: Locate the incident list within the Microsoft Sentinel portal.

 Selecting the incident: Choose the specific incident you want to triage.

 Assigning a severity level: Utilize the "Severity" dropdown menu to assign a level (e.g., low,
medium, high, critical) based on the potential impact and urgency.

 Saving the changes: Ensure the chosen severity level is applied to the incident.

Microsoft Sentinel also offers an incident triage dashboard providing a high-level overview of:

 Incident status: Track the number of open, assigned, and closed incidents.

 Performance metrics: Monitor key indicators like time to resolution and analyst workload.
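The triage dashboard figures above (open, assigned and closed counts, time to resolution) can also be produced directly from the SecurityIncident table, which Sentinel keeps for its own incidents. The query below is an added example, not from the cheat sheet; it assumes only that the workspace has Sentinel enabled, since SecurityIncident is populated by Sentinel itself. The 30-day window is constructed.

```kql
// Added example, not from the cheat sheet: triage overview from SecurityIncident.
// Every change to an incident writes a new row, so the latest row per
// IncidentNumber is taken before counting.
SecurityIncident
| where TimeGenerated > ago(30d)                       // constructed window
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| extend Assignee = tostring(Owner.assignedTo)       // Owner is a dynamic column
| extend HoursToClose = iff(Status == "Closed",
                            datetime_diff('hour', ClosedTime, CreatedTime),
                            long(null))
| summarize Open = countif(Status != "Closed"),
            Unassigned = countif(Status != "Closed" and isempty(Assignee)),
            Closed = countif(Status == "Closed"),
            MedianHoursToClose = percentile(HoursToClose, 50)
    by Severity
| extend SeverityRank = case(Severity == "High", 1,
                             Severity == "Medium", 2,
                             Severity == "Low", 3,
                             4)                         // Informational and anything else
| order by SeverityRank asc
| project-away SeverityRank
```

The Unassigned column is the one a triage lead usually wants first: an open High incident with an empty Owner.assignedTo is work nobody has picked up, regardless of how the dashboard tiles look.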

Investigate Incidents:


Investigation involves further analysis to understand the incident's scope, root cause, and potential
consequences. This entails:

 Gathering data: Utilize various sources within Sentinel, including logs, alerts, and threat
intelligence.

 Analyzing data: Employ techniques like entity enrichment, threat hunting queries, and
timeline analysis to identify patterns and connections.

 Correlating events: Combine data points from different sources to establish a comprehensive
picture of the incident.

 Documenting findings: Record key observations, steps taken, and potential outcomes for
future reference and collaboration.

Microsoft Sentinel provides tools to support investigation, such as:

 Incident details page: View all relevant information about the incident in a centralized
location.

 Query capabilities: Leverage Kusto Query Language (KQL) to search and analyze data
efficiently.

 Hunting queries: Utilize pre-built or custom queries to identify specific indicators of
compromise (IOCs) and suspicious activities.

 Entity graph: Visualize relationships between entities involved in the incident, aiding in
understanding the attack flow.

Respond to Incidents:

Responding involves taking necessary actions to contain, eradicate, and recover from the incident.
This may include:

 Isolating affected systems: Prevent further compromise by isolating compromised systems
from the network.

 Disabling compromised accounts: Revoke access to compromised accounts to prevent
further exploitation.

 Remediating threats: Apply appropriate actions to neutralize the identified threat, such as
removing malware or patching vulnerabilities.

 Reporting the incident: Notify relevant stakeholders and authorities as per your
organization's incident response plan.

Microsoft Sentinel offers functionalities to streamline incident response, including:

 Playbooks: Automate pre-defined workflows for common incident response procedures.

 Automation rules: Trigger automated actions based on specific criteria, expediting response
times.

 Integration with third-party tools: Connect Sentinel with other security tools to share
information and orchestrate responses across platforms.


Configure security orchestration, automation, and response (SOAR) in Microsoft Sentinel


Create and configure automation rules

 Purpose: Streamline security operations by automatically responding to security alerts and
incidents.

 Tools: Microsoft Defender for Cloud, Microsoft 365 Defender, Microsoft Sentinel

 Steps:

1. Define conditions: Specify the criteria that must be met for the rule to activate, such
as specific alerts, severity levels, or threat indicators.

2. Select actions: Choose the automated response that the rule will execute, such as
isolating compromised machines, blocking suspicious IP addresses, or quarantining
files.

3. Test and refine: Thoroughly test the rule in a non-production environment to ensure
it functions as intended and doesn't introduce unintended consequences.

Create and configure Microsoft Sentinel playbooks:

 Purpose: Orchestrate complex security workflows involving multiple tasks and tools.

 Tools: Microsoft Sentinel

 Steps:

1. Plan the playbook: Design the sequence of actions and decision points that the
playbook will execute.

2. Build the playbook: Use Sentinel's visual designer or code-based approach (KQL) to
create tasks within the playbook, such as running hunting queries, invoking
automation rules, or sending notifications.

3. Test and fine-tune: Verify the playbook's functionality and make adjustments as
needed.

Configure analytic rules to trigger automation:

 Purpose: Use automation rules to respond to security events detected by analytic rules.

 Tools: Microsoft Defender for Cloud, Microsoft 365 Defender, Microsoft Sentinel

 Steps:

1. Create an analytic rule: Define the conditions that will trigger the rule, typically
based on security logs, network traffic, or endpoint activity.

2. Link the rule to an automation rule: Specify which automation rule should be
executed when the analytic rule detects an event that meets its criteria.

3. Verify the connection: Ensure the analytic rule can successfully trigger the
associated automation rule.

Trigger playbooks manually from alerts and incidents:


 Purpose: Manually execute a playbook in response to a specific security alert or incident,
allowing for tailored responses in nuanced situations.

 Tools: Microsoft Sentinel

 Steps:

1. Open the alert or incident details: Navigate to the alert or incident in Microsoft
Sentinel.

2. Locate the "Run playbook" option: This option might be presented within the alert
or incident context menu or details.

3. Select the desired playbook: Choose the appropriate playbook to address the
specific situation.

4. Review and confirm: Verify the execution and monitor the playbook's actions to
ensure it achieves the intended outcome.

Run playbooks on On-premises resources:

 Purpose: Extend the reach of Sentinel playbooks to on-premises devices and systems beyond
cloud environments.

 Requirements:

o Hybrid connectivity: Establish a connection between Sentinel (cloud-based) and on-
premises resources using Azure Logic Apps or other means.

o On-premises agents: Install and configure relevant security agents or tools on on-
premises machines to provide telemetry and allow for remote operations execution.

 Steps:

1. Establish connectivity: Set up the necessary infrastructure to bridge Sentinel and on-
premises systems.

2. Prepare on-premises resources: Deploy security agents or configure tools that can receive
and execute commands from Sentinel playbooks.

3. Design playbooks: Incorporate tasks that leverage on-premises agents or tools for actions
like running scripts, collecting data, or taking specific actions on devices.

Perform threat hunting (15–20%)


Hunt for threats by using KQL
Identifying Threats using Kusto Query Language (KQL):

 KQL: It's a query language specifically designed for analyzing data stored in Azure Data
Explorer and Microsoft Sentinel.

 Identifying Threats: Security analysts use KQL to write queries that search for suspicious
activities or events within security logs. These queries can help identify potential threats like:

o Unusual login attempts.


o Accesses from unauthorized locations.

o Changes to critical system configurations.

o Malware activity.

 Example: You can write a KQL query to find all login attempts from a specific IP address
within a certain timeframe. If you suspect malicious activity from that IP, this query can
reveal relevant login attempts for further investigation.
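The example described in the bullet above, written out as an added KQL query that is not from the cheat sheet: all sign-ins from one suspect IP inside a time window, summarized per account so that an analyst can see which accounts the address touched and whether any attempt succeeded. It assumes Entra ID sign-in logs are connected (SigninLogs table); the IP address (a TEST-NET-3 documentation address) and the window are constructed placeholders.

```kql
// Added example, not from the cheat sheet: hunt for sign-ins from one suspect IP
// in a fixed time window. The IP and window are constructed placeholders;
// replace them with the values under investigation.
// Assumes Entra ID sign-in logs are connected to the workspace (SigninLogs).
let suspect_ip = "203.0.113.45";
let window_start = datetime(2024-05-01T00:00:00Z);
let window_end = datetime(2024-05-02T00:00:00Z);
SigninLogs
| where TimeGenerated between (window_start .. window_end)
| where IPAddress == suspect_ip
| extend Country = tostring(LocationDetails.countryOrRegion)
| summarize Attempts = count(),
            Successes = countif(ResultType == "0"),    // "0" is a successful sign-in
            Failures = countif(ResultType != "0"),
            FailureCodes = make_set(ResultType, 10),
            Apps = make_set(AppDisplayName, 10),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by UserPrincipalName, Country
// Accounts with failures followed by a success are the ones to look at first
| order by Successes desc, Failures desc
```

Sorting by successes first surfaces the case that matters most: an address that failed against many accounts and then got into one of them. The FailureCodes set is worth keeping because the result codes distinguish a wrong password from, for example, an MFA challenge that was never completed.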

Interpreting Threat Analytics in the Microsoft Defender Portal:

 Microsoft Defender Portal: This is a unified platform for managing and analyzing security
data across various Microsoft security solutions like Microsoft 365 Defender, Azure Defender,
and Microsoft Defender for Endpoint.

 Threat Analytics: The portal provides various tools and visualizations to help analysts
understand the security posture of their environment. These include:

o Attack timelines: Showing the sequence of events associated with a potential attack.

o Alerts: Highlighting potential security incidents requiring investigation.

o Security scores: Providing an overall assessment of the organization's security
posture.

 Interpretation: Security analysts need to interpret the information presented in the portal to
understand the nature and severity of potential threats. This involves:

o Analyzing attack timelines to identify the initial point of compromise and the
attacker's actions.

o Investigating alerts to determine their legitimacy and potential impact.

o Understanding security scores and their components to identify areas requiring
improvement.

Creating Custom Hunting Queries using KQL:

 Hunting Queries: These are proactive queries written in KQL to search for specific indicators
of compromise (IOCs) or suspicious patterns within security data.

 Customizing Queries: While the Defender Portal offers pre-built queries, analysts often need
to create custom queries tailored to their specific needs. This allows them to search for:

o New and unknown threats not covered by pre-built queries.

o Threats specific to their organization's environment and configuration.

 Benefits: Creating custom hunting queries empowers analysts to be more proactive in threat
hunting and potentially identify threats before they cause significant damage.
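A custom hunting query of the kind the section describes, written for the Defender portal's advanced hunting tables, as an added example that is not from the cheat sheet or from Microsoft's built-in queries. It is shaped so it can be saved as a custom detection rule, which requires Timestamp, ReportId and at least one entity column (DeviceId here) in the result. It assumes devices are onboarded to Defender for Endpoint so DeviceProcessEvents is populated.

```kql
// Added example, not from the cheat sheet or Microsoft's built-in queries:
// advanced hunting query shaped for a Defender XDR custom detection rule.
// Custom detections need Timestamp, ReportId and an entity column in the output.
// Assumes Defender for Endpoint onboarding so DeviceProcessEvents has data.
DeviceProcessEvents
| where Timestamp > ago(1h)
// PowerShell started by an Office application is rare in most environments
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
// An encoded command line hides the script body from casual inspection
| where ProcessCommandLine has_any ("-enc", "-encodedcommand")
| project Timestamp, DeviceId, DeviceName, ReportId, AccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          FileName, ProcessCommandLine
```

Run it first as a plain hunting query over a longer window (for example `ago(30d)`) to see what it returns in your own environment; a line-of-business macro that legitimately launches PowerShell would show up here and should be excluded before the query becomes a detection rule.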

Further Resources:

 Microsoft Learn SC-200 Exam Page: https://learn.microsoft.com/en-us/credentials/certifications/exams/sc-200/


 Kusto Query Language Documentation: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/

 Microsoft Defender for Cloud Documentation: https://learn.microsoft.com/en-us/azure/defender-for-cloud/

Hunt for threats by using Microsoft Sentinel


Analyze Attack Vector Coverage by Using the MITRE ATT&CK in Microsoft Sentinel:

 MITRE ATT&CK: This is a globally recognized knowledge base for cyber adversary tactics,
techniques, and procedures (TTPs).

 Using MITRE ATT&CK in Microsoft Sentinel: Sentinel integrates with ATT&CK, allowing you
to:

o Map detected security events to specific ATT&CK techniques. This helps identify
potential gaps in your security posture and prioritize threat hunting efforts.

o Utilize pre-built queries and hunting scenarios based on ATT&CK techniques. This
streamlines the process of searching for malicious activity related to known attack
methods.

Customize Content Gallery Hunting Queries:

 Content Gallery: This is a repository within Microsoft Sentinel that contains pre-built hunting
queries for various purposes, such as detecting specific threats or investigating suspicious
activities.

 Customizing Hunting Queries: You can modify existing queries from the content gallery to
tailor them to your specific needs and environment. This allows you to:

o Refine the query to focus on specific data sources or event types.

o Adjust the logic of the query to match your unique detection requirements.

Use Hunting Bookmarks for Data Investigations:

 Hunting Bookmarks: These are temporary markers you can set within a hunting query to
capture specific points of interest during an investigation.

 Benefits of Hunting Bookmarks:

o Save time and effort by quickly revisiting relevant sections of your investigation.

o Share bookmarks with other analysts to collaborate and share findings efficiently.

Monitor Hunting Queries by Using Livestream:

 Livestream: This is a feature in Microsoft Sentinel that provides real-time results of a running
hunting query.

 Benefits of Livestream:

o Gain immediate insights into the ongoing investigation and identify potential
threats as they emerge.


o Quickly react to security incidents without waiting for the query to complete.

Retrieve and Manage Archived Log Data:

 Archived Log Data: Security-related events are often stored in Sentinel's archive for historical
analysis and compliance purposes.

 Retrieving and Managing Archived Data:

o You can retrieve specific archived logs for further investigation or compliance
reporting.

o Sentinel offers tools to manage the archive storage size and retention policies for
archived data.

Create and Manage Search Jobs:

 Search Jobs: These are longer-running queries that can be scheduled to scan large datasets
within Sentinel.

 Use Cases for Search Jobs:

o Run complex queries that require extensive data processing.

o Schedule regular searches for routine security checks or threat hunting activities.

Analyze and interpret data by using workbooks


Activate and customize Microsoft Sentinel workbook templates:

 Activating templates: Sentinel provides built-in templates for common security scenarios,
such as investigating suspicious activities or monitoring specific vulnerabilities. You can
activate these templates to create a pre-defined workbook with relevant data visualizations
and queries.

 Customizing templates: Once activated, you can customize these templates to fit your
specific needs. This might involve:

o Adding or removing data sources: You can add data from additional sources
available in Sentinel to gain a broader perspective.

o Modifying queries: You can adjust the KQL (Kusto Query Language) queries within
the template to filter data and display information most relevant to your
investigation.

o Editing visualizations: You can change the type of visualizations used (e.g., bar chart,
pie chart) or customize their appearance to improve clarity.

Create custom workbooks that include KQL:

 Building from scratch: Instead of using templates, you can create custom workbooks entirely
on your own. This allows for complete control over the layout, data sources, and
visualizations.


 Integrating KQL: KQL is a powerful query language used in Sentinel to filter and analyze
security data. You can embed KQL queries within your custom workbooks to:

o Filter specific events: You can narrow down the data displayed in the workbook
based on specific criteria (e.g., device ID, user name, time frame).

o Aggregate data: You can perform calculations on the data (e.g., count occurrences,
calculate averages) to gain insights from trends and patterns.

o Join data from different sources: You can combine data from multiple tables within
Sentinel to create a more comprehensive view of security events.

Configure visualizations:

 Choosing visualization types: Sentinel offers various visualizations, each suitable for
displaying different types of data. Understanding the strengths and weaknesses of each type
(e.g., bar charts for comparisons, pie charts for proportions) allows you to effectively
communicate insights.

 Customizing visualizations: You can further customize the appearance of visualizations by
changing colors, labels, and layouts to improve clarity and readability within your workbook.

 Arranging visualizations: The way you arrange visualizations within the workbook can
significantly impact its effectiveness. Grouping related information and using clear titles can
guide viewers through the story you're trying to tell with the data.
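The filtering, aggregation, join and visualization points of the two sections above, combined in one workbook query as an added example that is not from the cheat sheet. It joins alerts to the incidents they were grouped into and charts alert volume per day and severity. `{TimeRange}` is the workbook's time-range parameter and only resolves inside a workbook; SecurityAlert and SecurityIncident are populated by Sentinel itself, so no extra connector is assumed.

```kql
// Added example, not from the cheat sheet: workbook query that joins alerts to the
// incidents they belong to, aggregates per day and severity, and sets a default chart.
// {TimeRange} is the workbook time-range parameter; replace it with
// "> ago(7d)" to run the query outside a workbook.
let incidents =
    SecurityIncident
    | where TimeGenerated {TimeRange}
    | summarize arg_max(LastModifiedTime, *) by IncidentNumber   // latest state only
    | mv-expand AlertId = AlertIds to typeof(string)            // one row per grouped alert
    | project IncidentNumber, IncidentStatus = Status, AlertId;
SecurityAlert
| where TimeGenerated {TimeRange}
| summarize arg_max(TimeGenerated, *) by SystemAlertId          // de-duplicate alert updates
| join kind=leftouter incidents on $left.SystemAlertId == $right.AlertId
| summarize Alerts = count(),
            InIncident = countif(isnotempty(IncidentNumber))     // alerts that reached an incident
    by bin(TimeGenerated, 1d), AlertSeverity
| render columnchart
```

The `render` line only supplies a default; the visualization picker on the workbook step overrides it, which is where the bar-versus-pie choice from the section above is actually made. The gap between Alerts and InIncident per severity is a useful workbook tile on its own, because it shows how many alerts are being generated that no incident (and therefore no analyst) ever sees.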
