Exam MS-500 topic 2 question 26 discussion

Actual exam question from Microsoft's MS-500
Question #: 26
Topic #: 2

You have an Azure Sentinel workspace that has an Azure Active Directory (Azure AD) connector and a Microsoft Office 365 connector.
You need to assign built-in role-based access control (RBAC) roles to achieve the following tasks:
✑ Create and run playbooks.
✑ Manage incidents.
The solution must use the principle of least privilege.
Which two roles should you assign? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. Automation Operator
  • B. Azure Sentinel responder
  • C. Automation Runbook Operator
  • D. Azure Sentinel contributor
  • E. Logic App contributor
Suggested Answer: DE 🗳️

Comments

xyzzy
Highly Voted 4 years, 8 months ago
Azure Sentinel Contributor + Logic App Contributor is correct
upvoted 21 times
TDAC
4 years, 8 months ago
I agree. Azure Sentinel Contributor is correct to respond and manage incidents. A Logic App can be used to trigger a runbook. Therefore the role of Logic App Contributor is correct. Automation runbook operator CANNOT create runbooks. So Logic App Contributor is the logical answer.
upvoted 1 times
...
dakasa
2 years, 9 months ago
In the question there are no two different users with different roles; it is for one user. You need to assign two roles to be able to create and run playbooks (see the table): https://docs.microsoft.com/en-us/azure/sentinel/roles#roles-and-allowed-actions
upvoted 1 times
...
JaBe
4 years, 7 months ago
but according to table https://docs.microsoft.com/en-us/azure/sentinel/roles#roles-and-allowed-actions Azure Sentinel Responder is enough to manage incidents. Contributor would be too much in regards to least privilege. I agree with the Local App contributor
upvoted 12 times
FumerLaMoquette
4 years, 7 months ago
I agree. Azure Sentinel Responder, Logic App Contributor
upvoted 10 times
MrGarak1
4 years, 6 months ago
RESPONDER can't create and run playbooks, only CONTRIBUTOR, and that is what is asked in the question. https://docs.microsoft.com/en-us/azure/sentinel/roles#roles-and-allowed-actions
upvoted 5 times
MrGarak1
4 years, 6 months ago
so the answer is correct.
upvoted 1 times
...
...
...
...
EM1234
2 years, 3 months ago
Not that someone who wrote this 2 years ago would ever come back to read this, but I will say it anyway. I thought it was DE but it is BE.
The requirements from the question are:
✑ Create and run playbooks.
✑ Manage incidents.
According to the link everyone keeps adding: https://learn.microsoft.com/en-us/azure/sentinel/roles#microsoft-sentinel-roles-and-allowed-actions "Logic App Contributor role to create and edit playbooks." So that takes care of requirement 1.
Then we see further up on the page (I linked above): "Microsoft Sentinel Responder can, in addition to the above, manage incidents (assign, dismiss, etc.)." So that takes care of requirement 2 with fewer privileges than Sentinel Contributor.
So, IMO, it doesn't really matter that "Microsoft Sentinel Contributor can, in addition to the above, create and edit workbooks, analytics rules, and other Microsoft Sentinel resources." Also, I want to point out workbooks are not playbooks, for those of you that may be confused on that.
upvoted 3 times
GatesBill
2 years, 2 months ago
To further confirm BE is correct, here is the reference to it: https://learn.microsoft.com/en-us/azure/sentinel/roles#microsoft-sentinel-roles-permissions-and-allowed-actions
upvoted 3 times
GatesBill
2 years, 2 months ago
In addition: Workbooks provide a flexible canvas for data analysis and the creation of rich visual reports within the Azure portal. They allow you to tap into multiple data sources from across Azure, and combine them into unified interactive experiences. Workbooks can be found under log analytics workspace resource or Azure Sentinel itself. It is like a custom dashboard which lets a user create graphs and other visuals using Kusto query language. Playbooks are related to Azure Sentinel. They are basically Logic Apps with a trigger that activates the Log App/Playbook when an Azure Sentinel query rule is matched. Reference: https://www.bettercoder.io/job-interview-questions/2192/what-is-a-difference-between-a-playbook-and-a-workbook-in-azure
upvoted 2 times
...
...
...
...
naren49
Highly Voted 4 years, 4 months ago
The given answer D & E are correct.
Azure Sentinel Contributor:
  • Create and edit workbooks, analytic rules, and other Azure Sentinel resources
  • Manage incidents (dismiss, assign, etc.)
  • View data, incidents, workbooks, and other Azure Sentinel resources
Logic App Contributor:
  • Create and run playbooks
upvoted 9 times
kiketxu
4 years, 2 months ago
Pretty clear! https://docs.microsoft.com/en-us/azure/sentinel/roles#roles-and-allowed-actions
upvoted 9 times
Fala_Fel
3 years, 11 months ago
Yes, section "Azure Sentinel roles and allowed actions" clearly shows answer is correct. D. Azure Sentinel contributor E. Logic App contributor
upvoted 2 times
Anonymousse
2 years, 7 months ago
Microsoft Sentinel Responder can, in addition to the above, manage incidents (assign, dismiss, etc.).
upvoted 1 times
...
...
...
...
subhuman
Most Recent 1 year, 11 months ago
The highlighted answers are wrong. The correct answer is B & E. Azure Sentinel contributor does not satisfy the requirement in the question, "least privilege".
upvoted 1 times
...
Maxx4
1 year, 11 months ago
Selected Answer: AC
To achieve the tasks of creating and running playbooks, as well as managing incidents in Azure Sentinel while following the principle of least privilege, you should assign the following built-in RBAC roles:
  • A. Automation Operator
  • C. Automation Runbook Operator
The Automation Operator role provides the necessary permissions to create and run playbooks in Azure Sentinel. This role allows users to design and execute automation logic using playbooks without granting excessive privileges.
The Automation Runbook Operator role specifically grants permissions to run automation runbooks. While playbooks in Azure Sentinel are implemented using Logic Apps, the Automation Runbook Operator role is designed for Azure Automation and can be used to execute runbooks associated with playbooks.
Assigning only the Automation Operator and Automation Runbook Operator roles ensures that users have the necessary permissions to create and run playbooks while minimizing their access to other sensitive Azure Sentinel resources.
upvoted 1 times
Maxx4
1 year, 11 months ago
The other role options are not directly related to the specified tasks:
  • B. Azure Sentinel responder: This role is focused on responding to incidents and investigating security alerts but does not provide the necessary permissions for creating and running playbooks.
  • D. Azure Sentinel contributor: This role provides broader access to Azure Sentinel resources, including managing incidents and playbooks. However, assigning this role would exceed the principle of least privilege as it grants more permissions than required.
  • E. Logic App contributor: This role provides permissions specifically for managing Logic Apps, but it does not include the necessary permissions for creating and running playbooks in Azure Sentinel.
Therefore, the correct roles to assign are Automation Operator (option A) and Automation Runbook Operator (option C).
upvoted 1 times
...
...
tjitsen
1 year, 11 months ago
Selected Answer: BE
B E
Azure Sentinel Responder: manage incidents
Logic App Contributor: create and run playbooks
Azure Sentinel Contributor is correct too but because of principle of least privilege, this is incorrect.
Reference: https://learn.microsoft.com/en-us/azure/sentinel/roles#microsoft-sentinel-roles-permissions-and-allowed-actions
upvoted 1 times
...
Luc043
2 years, 1 month ago
Selected Answer: BE
Correction
upvoted 1 times
...
V1nc3n7
2 years, 1 month ago
Selected Answer: BE
BE responder can manage incidents
upvoted 1 times
...
shouro88
2 years, 4 months ago
Microsoft Sentinel Reader can view data, incidents, workbooks, and other Microsoft Sentinel resources. Microsoft Sentinel Responder can, in addition to the above, manage incidents (assign, dismiss, etc.). Option B
You can use the Microsoft Sentinel Playbook Operator role to assign explicit, limited permission for running playbooks, and the Logic App Contributor role to create and edit playbooks. Option E
upvoted 1 times
...
fjfg
2 years, 4 months ago
Selected Answer: BE
Considering Least Privilege, the roles should be B (Microsoft Sentinel Responder) to Manage Incidents and E (Logic App Contributor) to create and run playbooks. https://learn.microsoft.com/en-us/azure/sentinel/roles#roles-and-allowed-actions
upvoted 1 times
...
Bob27745
2 years, 8 months ago
Valid on exam as of 9/21/2022
upvoted 4 times
...
Whatsamattr81
2 years, 11 months ago
Badly worded… Microsoft Sentinel Contributor role lets you attach a playbook to an analytics rule. Microsoft Sentinel Responder role lets you run an already attached playbook. Logic App contributor is a given, but there’s not enough info in this question - you can’t make assumptions. However, LAC role can create as many playbooks as they want, unless they are MSC they can’t attach any… I’d go DE to be safe but BE does fall within the parameters of the question.
upvoted 3 times
...
arska
3 years, 2 months ago
Selected Answer: DE
See naren49 and the table here: https://docs.microsoft.com/en-us/azure/sentinel/roles#microsoft-sentinel-roles-and-allowed-actions
upvoted 2 times
...
mbecile
3 years, 5 months ago
Selected Answer: DE
You need to have BOTH Azure Sentinel Contributor and Logic App Contributor in order to fulfill the requirement of being able to "Create and Run Playbooks". See Microsoft's chart specifically showing this, here: https://docs.microsoft.com/en-us/azure/sentinel/roles#microsoft-sentinel-roles-and-allowed-actions
upvoted 2 times
...
mkoprivnj
3 years, 6 months ago
Selected Answer: DE
D & E are correct!
upvoted 2 times
...
mkoprivnj
3 years, 6 months ago
Azure Sentinel Contributor + Logic App Contributor is correct
upvoted 2 times
...
AlexanderSaad
3 years, 6 months ago
You can use the Logic App Contributor role to assign explicit permission for using playbooks. Microsoft Sentinel Responder can, in addition to the above, manage incidents (assign, dismiss, etc.) https://docs.microsoft.com/en-us/azure/sentinel/roles#roles-and-allowed-actions
upvoted 1 times
...
Fearless90
3 years, 6 months ago
D. Azure Sentinel contributor
E. Logic App contributor
https://docs.microsoft.com/en-us/azure/sentinel/roles
Refer to the table:
Microsoft Sentinel Contributor + Logic App Contributor
  • Create and run playbooks
  • Manage incidents (dismiss, assign, etc.)
Microsoft Sentinel roles and allowed actions
The following table summarizes the Microsoft Sentinel roles and their allowed actions in Microsoft Sentinel.
upvoted 2 times
...