Exam SC-300 topic 4 question 20 discussion

Add a Microsoft Sentinel Data connector is the wrong answer. Meant to mislead. Because question itself mentions that AAD connector was added. Which seem to cover all AAD functionality including Identity Protection feature. What you are asked to do is generate incidents based on the risk alerts. For that you use playbooks in Sentinel. Which automates tasks that SOC engineers need to such as generte risk alerts. So answer is C.

Wording is kind of weird. The data connector you're adding in Sentinel is called "Azure Active Directory Identity Protection". So yes, you're adding a data connector within Sentinel.

Answer: A. See following (read it all) Enable the Azure AD Identity Protection Connector in Sentinel This is a separate connector from the general Azure Active Directory connector. It specifically ingests risk detections, risky users, and user risk events from Identity Protection. You can find it in Sentinel under Content Hub or Data connectors as "Azure AD Identity Protection". If the Azure AD Identity Protection connector is not yet added, then the first step is: A. Add a Microsoft Sentinel data connector (specifically, the Azure AD Identity Protection connector). If the connector is already added, then the next step is: D. Modify the Diagnostics settings in Azure AD to ensure the logs are flowing.

Answer A) Add a Microsoft Sentinel Data Connector You need to add a different connector (Microsoft Entra ID Protection connector) than the one that was listed. https://learn.microsoft.com/en-us/azure/sentinel/connect-data-sources?tabs=azure-portal#:~:text=After%20you%20onboard%20Microsoft%20Sentinel%20into%20your%20workspace%2C%20use%20data%20connectors%20to%20start%20ingesting%20your%20data%20into%20Microsoft%20Sentinel. https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/microsoft-entra-id-protection

Playbooks automate responses but don't help Sentinel ingest logs. We need logs first. Playbook comes post incident. So assuming that we already have configured connectors- it has to be D

I think A. First at this date the connectors in question would be "Entra ID" and "Entra ID Protection". Two separate connectors. The question is likely obsolete. However if i see it wit hthe wording of "Entra ID", i will answer A. If I see it with the wording of "Entra ID Protection" then I will go for D. https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/microsoft-entra-id https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/microsoft-entra-id-protection Think the order would be 1. the correct connector 2. diagnostic setting to forward the right logs to sentinel 3. playbook dont think B is used with regards to Sentinel, although maybe it somehow can, but this is more likely for notifying your admins for those not using Senitnel / NOC

Here's what happens when you modify the Diagnostics settings: Enable Log Streaming: You configure Azure AD to send its logs to your Log Analytics workspace. Select Specific Logs: You choose which logs to send—like sign-in logs and risk detections. Continuous Monitoring: Azure Sentinel now continuously pulls in this data, allowing it to detect threats and create incidents.

=> C - Create a MS Sentinel Playbook Azure Ad connector was already configured so next would be to create a playbook imo.

The correct option is: **A. Add a Microsoft Sentinel data connector.** Explanation: - In order for **Azure Sentinel** (now Microsoft Sentinel) to generate incidents based on the risk alerts from **Azure AD Identity Protection**, you first need to ensure that the data from Azure AD Identity Protection flows into Sentinel. - Adding a **Microsoft Sentinel data connector** for **Azure Active Directory Identity Protection** enables Sentinel to collect and analyze the risk alerts and other security data, so incidents can be created based on that data.

Clearly states Sentinel Data collector - https://learn.microsoft.com/en-us/azure/sentinel/create-incidents-from-alerts

Add a Microsoft Sentinel data connector. You create an Azure Sentinel instance and configure the Azure Active Directory connector. (Microsoft Entra ID connector) You need to ensure that Azure Sentinel can generate incidents based on the risk alerts raised by Azure AD Identity Protection We need : Microsoft Entra ID Protection (a different type connector) Microsoft Sentinel | Data connectors | Content hub - Microsoft Entra ID (we suppose is already enabled) - add Microsoft Entra ID Protection Description Note: Please refer to the following before installing the solution: • Review the solution Release Notes The Microsoft Entra ID Protection solution for Microsoft Sentinel allows you to ingest Security alerts reported in Microsoft Entra ID Protection for risky users and events in Microsoft Entra ID. Data Connectors: 1, Analytic Rules: 1, Playbooks: 5

https://learn.microsoft.com/en-us/azure/sentinel/overview To on-board Microsoft Sentinel, you first need to connect to your data sources.

D - is correct. The correct answer is D. Modify the Diagnostics settings in Azure AD. According to the Microsoft Entra article on Connect Azure Active Directory data to Microsoft Sentinel1, you need to enable the Diagnostics settings in Azure AD to stream the sign-in logs, audit logs, and provisioning logs to a Log Analytics workspace. This is a prerequisite for connecting the Azure Active Directory data connector to Microsoft Sentinel. https://learn.microsoft.com/en-us/azure/sentinel/connect-services-diagnostic-setting-based

To ensure that Azure Sentinel can generate incidents based on the risk alerts raised by Azure AD Identity Protection, you should first Create a Microsoft Sentinel Incident Creation Rule1. This rule will allow Azure Sentinel to automatically create incidents every time an alert is triggered in a connected Microsoft security solution2. You can easily configure this by navigating to Analytics in Azure Sentinel and choosing Create > Microsoft Incident Creation Rule. Then, select Azure Active Directory Identity Protection as the security service1. So, the correct answer is: C. Create a Microsoft Sentinel playbook.

AAD Identity Connector is a separate Connector, plus it has been changed now and added into the Defender 365 Data Connector

The correct answer is D. Modify the Diagnostics settings in Azure AD. According to the Microsoft Entra article on Connect Azure Active Directory data to Microsoft Sentinel1, you need to enable the Diagnostics settings in Azure AD to stream the sign-in logs, audit logs, and provisioning logs to a Log Analytics workspace. This is a prerequisite for connecting the Azure Active Directory data connector to Microsoft Sentinel.

Use playbook to generate incidents in Sentinel