Exam SC-100 topic 5 question 2 discussion

Actual exam question from Microsoft's SC-100
Question #: 2
Topic #: 6

HOTSPOT -
You need to recommend a SIEM and SOAR strategy that meets the hybrid requirements, the Microsoft Sentinel requirements, and the regulatory compliance requirements.
What should you recommend? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: Azure tenant -
Microsoft Sentinel multiple workspace architecture
There are cases where a single SOC (Security Operations Center) needs to centrally manage and monitor multiple Microsoft Sentinel workspaces, potentially across Azure Active Directory (Azure AD) tenants:
* An MSSP Microsoft Sentinel Service.
* A global SOC serving multiple subsidiaries, each having its own local SOC.
* A SOC monitoring multiple Azure AD tenants within an organization.
To address these cases, Microsoft Sentinel offers multiple-workspace capabilities that enable central monitoring, configuration, and management, providing a single pane of glass across everything covered by the SOC. This diagram shows an example architecture for such use cases.

This model offers significant advantages over a fully centralized model in which all data is copied to a single workspace.
Scenario:
Requirements. Microsoft Sentinel Requirements
Litware plans to leverage the security information and event management (SIEM) and security orchestration automated response (SOAR) capabilities of Microsoft Sentinel. The company wants to centralize Security Operations Center (SOC) by using Microsoft Sentinel.

Hybrid Requirements -
Litware identifies the following hybrid cloud requirements:
Provide centralized, cross-tenant subscription management without the overhead of maintaining guest accounts.
Box 2: Azure Lighthouse subscription onboarding process
You can use Azure Lighthouse to extend all cross-workspace activities across tenant boundaries, allowing users in your managing tenant to work on Microsoft Sentinel workspaces across all tenants.
Azure Lighthouse enables you to see and manage Azure resources from different tenancies, in the one place, with the power of delegated administration. That tenancy may be a customer (for example, if you're a managed services provider with a support contract arrangement in place), or a separate Azure environment for legal or financial reasons (like franchisee groups or Enterprises with large brand groups).
Incorrect:
* not Azure AD B2B
Azure AD B2B uses guest accounts, which goes against the requirements in this scenario.
Note: Azure Active Directory (Azure AD) B2B collaboration is a feature within External Identities that lets you invite guest users to collaborate with your organization.
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants
https://docs.microsoft.com/en-us/azure/sentinel/best-practices-workspace-architecture
https://techcommunity.microsoft.com/t5/itops-talk-blog/onboarding-to-azure-lighthouse-using-a-template/ba-p/1091786
https://docs.microsoft.com/en-us/azure/active-directory/external-identities/what-is-b2b
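
To make the Box 2 onboarding step concrete, here is an added example (not part of the original answer and not Microsoft's own template) of a subscription-scope ARM template that a delegating tenant deploys to grant a central SOC tenant access to its Microsoft Sentinel workspace without guest accounts. The parameter names, offer name and group roles are assumptions; the two role definition IDs are the built-in Microsoft Sentinel Responder and Microsoft Sentinel Contributor roles.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "managedByTenantId": { "type": "string", "metadata": { "description": "Tenant ID of the central SOC (managing) tenant. Assumed parameter name." } },
    "socAnalystsGroupId": { "type": "string", "metadata": { "description": "Object ID of a security group in the managing tenant. Assumed parameter name." } },
    "socEngineersGroupId": { "type": "string", "metadata": { "description": "Object ID of a security group in the managing tenant. Assumed parameter name." } }
  },
  "variables": {
    "offerName": "Central SOC - Microsoft Sentinel (example)",
    "definitionName": "[guid(variables('offerName'), parameters('managedByTenantId'))]",
    "definitionId": "[subscriptionResourceId('Microsoft.ManagedServices/registrationDefinitions', variables('definitionName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.ManagedServices/registrationDefinitions",
      "apiVersion": "2019-06-01",
      "name": "[variables('definitionName')]",
      "properties": {
        "registrationDefinitionName": "[variables('offerName')]",
        "description": "Example delegation: analysts triage incidents, engineers manage Sentinel content.",
        "managedByTenantId": "[parameters('managedByTenantId')]",
        "authorizations": [
          {
            "principalId": "[parameters('socAnalystsGroupId')]",
            "principalIdDisplayName": "SOC analysts (Microsoft Sentinel Responder)",
            "roleDefinitionId": "3e150937-b8fe-4cfb-8069-0eaf05ecd056"
          },
          {
            "principalId": "[parameters('socEngineersGroupId')]",
            "principalIdDisplayName": "SOC engineers (Microsoft Sentinel Contributor)",
            "roleDefinitionId": "ab8e14d6-4a74-4a29-9ba8-549422addade"
          }
        ]
      }
    },
    {
      "type": "Microsoft.ManagedServices/registrationAssignments",
      "apiVersion": "2019-06-01",
      "name": "[variables('definitionName')]",
      "dependsOn": [ "[variables('definitionId')]" ],
      "properties": { "registrationDefinitionId": "[variables('definitionId')]" }
    }
  ]
}
```

Delegating to security groups rather than individual users keeps membership changes in the managing tenant, and scoping the authorizations to Sentinel roles avoids handing the SOC broad Contributor rights on the whole subscription.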

Comments

PlumpyTumbler
Highly Voted 1 year, 9 months ago
Segment Microsoft Sentinel workspaces by: Region and Azure AD tenant.
Do that because the case study states "...mergers and acquisitions. The acquisitions include several companies based in France."
Relevant information from Microsoft is on this Best Practices page for workspace architecture: https://docs.microsoft.com/en-us/azure/sentinel/best-practices-workspace-architecture#region-considerations
Lighthouse is correct for Box 2.
upvoted 48 times
D3D1997
1 year, 4 months ago
Agree but more because of "Ensure data residency" in the regulatory requirements
upvoted 8 times
Granwizzard
1 year, 8 months ago
You can only assign a log analytics workspace to the sentinel. If you want to use several workspaces you need to use cross queries. So for me, the answer is correct.
upvoted 4 times
WMG
1 year, 6 months ago
Not sure which industry you work in, but regulatory and compliance requirements always trump the technical issues and complexities.
upvoted 11 times
TJ001
Highly Voted 1 year, 5 months ago
Data localization and multiple Azure AD tenants, so I will go with Region and Azure AD tenant.
upvoted 10 times
slobav
Most Recent 8 months, 2 weeks ago
Box 1: Azure AD tenant
Box 2: Azure Lighthouse
Explanation: https://www.youtube.com/watch?v=YJqZjdzC9xE&list=PLQ2ktTy9rklhzzkSEZvDZT4QSIVUQZD-Y&index=7 (SC-100 Question 92)
upvoted 1 times
zellck
1 year ago
1. Region and Azure AD tenant
2. Azure Lighthouse

https://learn.microsoft.com/en-us/azure/sentinel/best-practices-workspace-architecture#working-with-multiple-tenants
If you have multiple tenants, such as if you're a managed security service provider (MSSP), we recommend that you create at least one workspace for each Azure AD tenant to support built-in, service to service data connectors that work only within their own Azure AD tenant.

https://learn.microsoft.com/en-us/azure/sentinel/best-practices-workspace-architecture#region-considerations
Use separate Microsoft Sentinel instances for each region. While Microsoft Sentinel can be used in multiple regions, you may have requirements to separate data by team, region, or site, or regulations and controls that make multi-region models impossible or more complex than needed. Using separate instances and workspaces for each region helps to avoid bandwidth / egress costs for moving data across regions.
upvoted 7 times
zellck
1 year ago
https://learn.microsoft.com/en-us/azure/lighthouse/how-to/manage-sentinel-workspaces
Microsoft Sentinel delivers security analytics and threat intelligence, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response. With Azure Lighthouse, you can manage multiple Microsoft Sentinel workspaces across tenants at scale. This enables scenarios such as running queries across multiple workspaces, or creating workbooks to visualize and monitor data from your connected data sources to gain insights. IP such as queries and playbooks remain in your managing tenant, but can be used to perform security management in the customer tenants.
upvoted 1 times
Gurulee
1 year, 2 months ago
If you have multiple tenants, such as if you're a managed security service provider (MSSP), we recommend that you create at least one workspace for each Azure AD tenant to support built-in, service to service data connectors that work only within their own Azure AD tenant. All connectors based on diagnostics settings cannot be connected to a workspace that is not located in the same tenant where the resource resides. This applies to connectors such as Azure Firewall, Azure Storage, Azure Activity or Azure Active Directory. Use Azure Lighthouse to help manage multiple Microsoft Sentinel instances in different tenants.
upvoted 1 times
purek77
1 year, 4 months ago
Box 2: Azure Lighthouse includes multiple ways to help streamline engagement and management e.g. delegated resource management - manage your customers' Azure resources securely from within your own tenant, without having to switch context and control planes. Customer subscriptions and resource groups can be delegated to specified users and roles in the managing tenant, with the ability to remove access as needed. Ref: https://learn.microsoft.com/en-us/azure/lighthouse/overview
upvoted 1 times