Exam SC-300
Question 233

You have an Azure Active Directory (Azure AD) tenant named contoso.com that has Azure AD Identity Protection policies enforced.

You create an Azure Sentinel instance and configure the Azure Active Directory connector.

You need to ensure that Azure Sentinel can generate incidents based on the risk alerts raised by Azure AD Identity Protection.

What should you do first?

    Correct Answer: A

    Sentinel can only create incidents from Identity Protection alerts that it has ingested, and the connector the question says is already in place does not ingest them. The Azure Active Directory connector (now Microsoft Entra ID) streams sign-in, audit, provisioning, risk event and risky user logs into the workspace through Diagnostics settings; it does not deliver Identity Protection alerts. Those arrive through a separate data connector, Azure Active Directory Identity Protection (now Microsoft Entra ID Protection), so the first step is to add that connector. Once its alerts are flowing, a Microsoft incident creation rule (Analytics > Create > Microsoft incident creation rule, with Azure Active Directory Identity Protection selected as the security service) turns each alert into an incident. A playbook (Logic App) runs in response to an incident or alert; it is not required to create one, and it cannot act on alerts that were never ingested.
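    As an added example, not part of the original question or the site's answer, the two KQL queries below, run one at a time in the Sentinel Logs blade, show the difference between the two connectors in practice. The first reads the SecurityAlert table, which is where the Azure Active Directory Identity Protection connector lands its alerts and which a Microsoft incident creation rule consumes; the second reads the risk tables that the Azure Active Directory connector fills through Diagnostics settings. The ProductName value, the AADUserRiskEvents and AADRiskyUsers table names and their columns are assumed from Microsoft's published schema, and the seven-day window is illustrative.

```kql
// Added example (not from the original page). Table and column names are
// assumed from Microsoft's published Log Analytics schema; the 7d window
// is illustrative and can be widened if the tenant is quiet.

// 1. Alerts delivered by the Azure Active Directory Identity Protection
//    connector. These SecurityAlert rows are what a Microsoft incident
//    creation rule reads. If this returns nothing, that connector is not
//    enabled (or has not produced alerts yet) and no incidents can be
//    created from Identity Protection, whatever rules or playbooks exist.
SecurityAlert
| where TimeGenerated > ago(7d)
| where ProductName == "Azure Active Directory Identity Protection"
| summarize Alerts = count(), LastSeen = max(TimeGenerated)
    by AlertName, AlertSeverity
| order by LastSeen desc

// 2. Risk data delivered by the Azure Active Directory connector through
//    Diagnostics settings (the connector the question says is already
//    configured). These are raw log tables, not SecurityAlert rows, so a
//    Microsoft incident creation rule never sees them; turning them into
//    incidents would require a scheduled analytics rule over these tables.
//    Rows here with nothing in query 1 is the symptom of the missing
//    Identity Protection connector.
union isfuzzy=true
    (AADUserRiskEvents
     | where TimeGenerated > ago(7d)
     | summarize Rows = count(), Users = dcount(UserPrincipalName)
         by Table = "AADUserRiskEvents", RiskLevel, RiskState),
    (AADRiskyUsers
     | where TimeGenerated > ago(7d)
     | summarize Rows = count(), Users = dcount(UserPrincipalName)
         by Table = "AADRiskyUsers", RiskLevel, RiskState)
| order by Table asc, RiskLevel asc
```

    The `isfuzzy=true` on the union keeps the second query from failing in a workspace where one of the two risk tables has never received data, which is common when the Azure Active Directory connector was enabled with only the sign-in and audit log types selected.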

Discussion
DeepMoon (Option: C)

Add a Microsoft Sentinel data connector is the wrong answer, meant to mislead, because the question itself mentions that the AAD connector was added, which seems to cover all AAD functionality including the Identity Protection feature. What you are asked to do is generate incidents based on the risk alerts. For that you use playbooks in Sentinel, which automate tasks that SOC engineers need to do, such as generating risk alerts. So the answer is C.

nils241

I agree with you. AAD Connector Description (from Sentinel Connectors): "The Azure Active Directory solution for Microsoft Sentinel enables you to ingest Azure Active Directory Audit, Sign-in, Provisioning, Risk Events and Risky User/Service Principal logs using Diagnostic Settings into Microsoft Sentinel."

ServerBrain

some people pay for this

Ed2learn

This is not the same connector. There is an AAD connector AND an AAD Identity Protection connector.

Nielll

Creating a Microsoft Sentinel playbook (option C) is not the first step to ensure that Azure Sentinel can generate incidents based on the risk alerts raised by Azure AD Identity Protection. A playbook in Azure Sentinel is a collection of procedures that can be run from Azure Sentinel in response to an alert. While it's true that playbooks are an important part of automating responses in Azure Sentinel, they are not the first step in setting up Azure Sentinel to generate incidents based on Azure AD Identity Protection alerts. The first step is to establish a connection between Azure Sentinel and Azure AD Identity Protection, which is done by adding a Microsoft Sentinel data connector.

w00t (Option: A)

Wording is kind of weird. The data connector you're adding in Sentinel is called "Azure Active Directory Identity Protection". So yes, you're adding a data connector within Sentinel.

wooyourdaddy

I agree with this answer. There are distinct Azure Active Directory and Azure Active Directory Identity Protection data connectors.
https://learn.microsoft.com/en-us/azure/sentinel/data-connectors-reference#azure-active-directory
https://learn.microsoft.com/en-us/azure/sentinel/data-connectors-reference#azure-active-directory-identity-protection

AMZ

A. Add a Microsoft Sentinel data connector. Reason: the connector mentioned in the question is not the correct one for the use case. A Logic App is not necessary to create an incident; incidents will show on the Sentinel page as long as the analytics rule is in place. Shitty question and MS is trying to catch us out. Answer A.

ThotSlayer69 (Option: C)

Creating a Sentinel instance and configuring the Azure AD connector = configuring the Azure AD connector within Sentinel settings, as detailed here: https://learn.microsoft.com/en-us/azure/sentinel/create-incidents-from-alerts. When configuring the connection, the option for Sentinel to generate incidents based on risk alerts for Azure AD Identity Protection is enabled, so it should already be connected and configured. This is all done before we are asked what the first thing we should do is, and I'm honestly confused as to what they want. I guess playbooks are the next step? So C?

Techfall

No, wooyourdaddy has the answer below. The question specifically says that the _Azure Active Directory_ connector is installed; this does not have the logs needed for these alerts. The _Azure Active Directory Identity Protection_ connector needs to be installed. There is a more detailed description of this connector here: https://learn.microsoft.com/en-us/azure/sentinel/media/incidents-from-alerts/generate-security-incidents.png "Integrate... Identity Protection alerts with Microsoft Sentinel to... create custom alerts".

shuhaidawahab (Option: D)

The correct answer is D. Modify the Diagnostics settings in Azure AD. According to the Microsoft Entra article on Connect Azure Active Directory data to Microsoft Sentinel, you need to enable the Diagnostics settings in Azure AD to stream the sign-in logs, audit logs, and provisioning logs to a Log Analytics workspace. This is a prerequisite for connecting the Azure Active Directory data connector to Microsoft Sentinel.

NICKTON81 (Option: D)

D is correct. The correct answer is D. Modify the Diagnostics settings in Azure AD. According to the Microsoft Entra article on Connect Azure Active Directory data to Microsoft Sentinel, you need to enable the Diagnostics settings in Azure AD to stream the sign-in logs, audit logs, and provisioning logs to a Log Analytics workspace. This is a prerequisite for connecting the Azure Active Directory data connector to Microsoft Sentinel. https://learn.microsoft.com/en-us/azure/sentinel/connect-services-diagnostic-setting-based

Bjarki2330 (Option: A)

A is the right answer. There is a separate connector for AAD identity protection.

jim85 (Option: A)

Clearly states Sentinel Data collector - https://learn.microsoft.com/en-us/azure/sentinel/create-incidents-from-alerts

jim85

*connector

jim85

Ahhh, didn't see the connector is configured... my bad, the answer is C.

RemmyT (Option: A)

Add a Microsoft Sentinel data connector.
"You create an Azure Sentinel instance and configure the Azure Active Directory connector" (Microsoft Entra ID connector).
"You need to ensure that Azure Sentinel can generate incidents based on the risk alerts raised by Azure AD Identity Protection."
We need Microsoft Entra ID Protection (a different type of connector).
Microsoft Sentinel | Data connectors | Content hub:
- Microsoft Entra ID (we suppose it is already enabled)
- add Microsoft Entra ID Protection
Description: "Note: Please refer to the following before installing the solution: • Review the solution Release Notes. The Microsoft Entra ID Protection solution for Microsoft Sentinel allows you to ingest Security alerts reported in Microsoft Entra ID Protection for risky users and events in Microsoft Entra ID. Data Connectors: 1, Analytic Rules: 1, Playbooks: 5"

JuanZ (Option: A)

https://learn.microsoft.com/en-us/azure/sentinel/overview "To on-board Microsoft Sentinel, you first need to connect to your data sources."

klayytech (Option: C)

To ensure that Azure Sentinel can generate incidents based on the risk alerts raised by Azure AD Identity Protection, you should first create a Microsoft Sentinel Incident Creation Rule. This rule will allow Azure Sentinel to automatically create incidents every time an alert is triggered in a connected Microsoft security solution. You can easily configure this by navigating to Analytics in Azure Sentinel and choosing Create > Microsoft Incident Creation Rule. Then, select Azure Active Directory Identity Protection as the security service. So, the correct answer is: C. Create a Microsoft Sentinel playbook.

Sorrynotsorry (Option: A)

The AAD Identity Protection connector is a separate connector; plus it has been changed now and added into the Defender 365 data connector.

ACSC (Option: C)

Use playbook to generate incidents in Sentinel

ServerBrain (Option: C)

The only way to generate incidents is by playbook

prabhjot (Option: A)

Playbook comes post-incident (its job is SOAR, not incident management). I feel A, and if you feel the data connectors are already in place then the answer could be D (that is, the configuration part: configuring the sign-in logs or user logs).

dule27 (Option: C)

C. Create a Microsoft Sentinel playbook.

JN_311 (Option: C)

I will go with Answer C, Sentinel Playbook, as the question mentions the AAD connector is created: "You create an 'Azure Sentinel instance' and configure the 'Azure Active Directory connector'."

ennak (Option: C)

A playbook is the way to proceed if you want to have incidents created. https://learn.microsoft.com/en-us/azure/sentinel/overview