Exam MS-500 topic 2 question 33 discussion

The given answer, B, is correct. If you have Microsoft Sentinel (via Azure AD Premium P1 or P2), you should have the Fusion-based rule with all available connectors enabled by default. > Azure Portal > Microsoft Sentinel > Configuration: Analytics > Advanced Multistage Attack Detection (Rule Type: Fusion, Status: Enabled) Source: https://docs.microsoft.com/en-us/azure/sentinel/configure-fusion-rules The scenario given in the question is already able to be detected by this default rule. Source: https://docs.microsoft.com/en-us/azure/sentinel/fusion-scenario-reference#mass-file-deletion-following-suspicious-azure-ad-sign-in If you are wanting to see a history of this type of event taking place in the organization, you only need to create a Microsoft Sentinel Workbook for it. https://docs.microsoft.com/en-us/azure/sentinel/monitor-your-data

MeasureUp prep test states it is a workbook. They are the official Microsoft Test Partner.

The answer is C, Add a playbook. A playbook is a collection of tasks that can be automated to respond to a security incident. In this case, you can create a playbook that will: Investigate the incident by gathering information from Azure AD and Microsoft OneDrive. Notify the appropriate personnel of the incident. Take steps to mitigate the incident, such as blocking the compromised account. By adding a playbook to your active rule, you can ensure that your organization is prepared to respond to multistage attacks in a timely and effective manner. The other options are incorrect. Adding data connectors will not help you to detect multistage attacks. Adding a workbook will allow you to visualize the data that is collected by your active rule, but it will not help you to respond to incidents. Creating a custom rule template is not necessary in this case, as you can use the default settings of the Fusion rule template.

It is C for me.Question is about automation, so playbook

Just says 'detect'. B

They way I understand it after some research is that everything is already enabled. so nothing more has to be done. for example the question starts by telling us that the connectors are already set up. However a workbook makes it easier to monitor and therefore has to be the right answer. Video from Microsoft security showing a demo: https://www.youtube.com/watch?v=2QGN34n6mSo&ab_channel=MicrosoftSecurity

C? PLAYbook is the automation which you create not the WORKbook...

The question did mention it is using a template. I did a lookup it seems all the data sources are added in a rule template so probably no need to add data connector. https://docs.microsoft.com/en-us/azure/sentinel/configure-fusion-rules

A - the answer. Azure AD and Office 365 connectors do not provide OneDrive logs.

B is correct!

Create an automation rule Create a playbook Add actions to a playbook Attach a playbook to an automation rule or an analytics rule to automate threat response https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook

You don’t need to have connected all the data sources listed above in order to make Fusion for emerging threats work. However, the more data sources you have connected, the broader the coverage, and the more threats Fusion will find. So A is more correct. The doc doenst mention anything on playbook and workbook (https://docs.microsoft.com/en-us/azure/sentinel/fusion#configure-scheduled-analytics-rules-for-fusion-detections)

I believe A is correct based off this doc. https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources

A is correct. The next step in using the Fusion rule template is to create data connections

The link provided points towards creating a workbook, but does not relate to Fusion detections. The answer is most likely A since Fusion detection relies on multiple data sources and we only have Azure AD/Office 365 connected, but nothing from on-prem. https://docs.microsoft.com/en-us/azure/sentinel/fusion#configure-scheduled-analytics-rules-for-fusion-detections

Agree with B.