
Exam SC-200 topic 3 question 25 discussion

Actual exam question from Microsoft's SC-200
Question #: 25
Topic #: 3

You use Azure Sentinel.
You need to receive an alert in near real-time whenever Azure Storage account keys are enumerated.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. Create a livestream
  • B. Add a data connector
  • C. Create an analytics rule
  • D. Create a hunting query.
  • E. Create a bookmark.
Suggested Answer: BC

Comments

rdy4u
Highly Voted 3 years ago
Selected Answer: AD
Use hunting livestream to create interactive sessions that let you test newly created queries as events occur, get notifications from the sessions when a match is found, and launch investigations if necessary. You can quickly create a livestream session using any Log Analytics query.
upvoted 21 times
Menard001
2 years, 9 months ago
livestream will not work if there's no data connector?
upvoted 5 times
Lion007
Highly Voted 2 years, 10 months ago
Selected Answer: AB
The correct answer should be A&B. B because you have to connect the "Azure Storage Account" and make sure the diagnostic settings are set to send activities about the key enumerations to the Sentinel workspace. I see people in discussion debates ignore the importance of checking the data connector and jump into the discussion about whether the solution should be X or Y. Please check the data connector if the question doesn't say or indicate it is set correctly. Then whether it is Hunting query or Livestream. Near real-time is the keyword here and the answer reveals a reference link to Livestream, not to hunting. With Livestream, any matching results will generate "Azure Alerts" which are shown at the Notification bell. So the correct answer is A not D.
upvoted 10 times
Lion007
2 years, 10 months ago
Minor Correction: B because you have to connect the "Azure Key Vault" data connector....
upvoted 4 times
Edindude
Most Recent 2 months, 2 weeks ago
Selected Answer: BC
To receive an alert in near real-time whenever Azure Storage account keys are enumerated in Azure Sentinel, you should take the following two actions:
B. Add a data connector. Adding a data connector will ensure that Azure Sentinel has access to the necessary log data from Azure Storage to detect key enumeration activities.
C. Create an analytics rule. Creating an analytics rule will allow you to define the specific conditions that trigger an alert when Azure Storage account keys are enumerated. This ensures you receive alerts in near real-time based on the defined rule.
upvoted 1 times
xRiot007
4 months, 3 weeks ago
Selected Answer: AD
It can be either BC if the question is referring to NRT rules, which are different from normal analytics, or AD if we consider that the live session can be elevated to alert.
upvoted 2 times
f6ba8a1
6 months, 1 week ago
Daddy will explain. In Azure Sentinel, both analytics rules and hunting queries are used to detect and investigate security threats, but they serve different purposes and are used in different ways:
1: Analytics rules are automated and run on a schedule or triggered by specific events. These rules are typically set to run at regular intervals, continuously monitoring for threats.
2: Hunting queries are run manually by security analysts to proactively search for threats. In Azure Sentinel, hunting queries can be used with livestream.
In summary, analytics rules are automated and scheduled to detect known threats, while hunting queries are manual and exploratory, used to uncover new and emerging threats.
upvoted 1 times
talosDevbot
7 months ago
Selected Answer: BC
Important point in the question is that you need to receive an alert. If you pick "Create a hunting query" and "Create a livestream", you will only receive a notification in the Azure portal if events match that query, not an alert. You could elevate a livestream to an alert, but that goes in the territory of "Create an analytics rule".
Livestream: https://learn.microsoft.com/en-us/azure/sentinel/livestream
The correct answer is "Add a data connector" and "Create an analytics rule":
- You need the "Azure Storage account" data connector, which enables you to continuously monitor activity in all your Azure storage instances and detect malicious activity in your organization.
- You need to create an NRT analytics rule.
upvoted 4 times
sergioandreslq
6 months, 3 weeks ago
B: Data connector to receive data from Storage Account C: Near-Real-Time detection analytics rules
upvoted 4 times
xRiot007
4 months, 3 weeks ago
There is no such thing as near real time analytics. Analytics run frequency is 5 minutes. NRT rules, which are different from analytics, have a 1 minute frequency.
upvoted 1 times
BnyTny
7 months, 3 weeks ago
Selected Answer: BC
Creating a Livestream or a hunting query will provide a retrospective / current view; to track events that will occur at an indeterminate time in the future you'll need an NRT analytics rule (C). Additionally, you'll need to ensure the data for C is being imported, as it won't be by default, so you enable the relevant Data Connector (B). Therefore the answer for least administrative effort is BC.
upvoted 2 times
g_man_rap
8 months, 2 weeks ago
Selected Answer: BC
Add a Data Connector (B): Before you can create any alerting or monitoring logic in Azure Sentinel, you need to ensure that the relevant data is being ingested into Sentinel. In this case, you need to add the Azure Activity data connector to ingest logs related to Azure Storage account key enumerations. This will allow Sentinel to receive and process the events that indicate storage account key enumerations.
Create an Analytics Rule (C): After the data is being ingested into Sentinel, you need to create an Analytics Rule to generate alerts based on specific activities. In this case, you would create an analytics rule that triggers an alert whenever an event related to Azure Storage account key enumeration is detected. The analytics rule will specify the condition (e.g., a particular operation name in the logs) that matches the enumeration of storage account keys and then trigger an alert.
upvoted 1 times
albatros06
12 months ago
Selected Answer: BC
Due to the Google answer, it is B & C.
A. Create a livestream (Incorrect): Livestreams are used for continuous data ingestion from specific sources, but they don't define alert logic.
B. Add a data connector (Correct): You likely already have the Azure Activity data connector enabled in Azure Sentinel to collect data from Azure resources. If not, this is the first step.
C. Create an analytics rule (Correct): This is where you define the logic to identify key enumeration. The rule will analyze Azure Activity logs and trigger an alert when it detects the specific operation (e.g., "List Storage Account Keys").
D. Create a hunting query (Incorrect): Hunting queries are used for ad-hoc investigations, not real-time alerting.
E. Create a bookmark (Incorrect): Bookmarks are used to save specific queries or visualizations, not for defining alerts.
upvoted 4 times
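As an added example (not from the exam page or any of the commenters), this is the kind of KQL a practitioner would put into the NRT analytics rule (answer C) once the Azure Activity data connector (answer B) is populating the AzureActivity table; it keys on the ARM operation that lists storage account access keys. The column names follow the standard AzureActivity schema; the grouping and the 20-account cap in make_set are assumptions chosen for readability of the resulting alert.

```kql
// Added example for a Microsoft Sentinel NRT analytics rule (runs once a minute over new data).
// Assumes the Azure Activity data connector is enabled so AzureActivity is populated.
AzureActivity
// The control-plane operation behind "List Storage Account Keys" in the portal / az storage account keys list
| where OperationNameValue =~ "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION"
// Only successful key reads; failed attempts can be alerted on separately with a lower severity
| where ActivityStatusValue in~ ("Success", "Succeeded")
// Pull the storage account name from the full resource ID (last path segment)
| extend StorageAccount = tostring(split(_ResourceId, "/")[-1])
// One alert per caller and source IP; the set of accounts touched shows the scope of the enumeration
| summarize
    StartTime = min(TimeGenerated),
    EndTime = max(TimeGenerated),
    KeyListCount = count(),
    StorageAccounts = make_set(StorageAccount, 20)
    by Caller, CallerIpAddress, SubscriptionId
| project StartTime, EndTime, Caller, CallerIpAddress, SubscriptionId, KeyListCount, StorageAccounts
```

In the rule's entity mapping, map Caller to the Account entity and CallerIpAddress to the IP entity so the resulting incident is investigable from the entity pages; triage by checking whether the caller is a known automation identity that is expected to rotate or read keys.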
wheeldj
1 year ago
Selected Answer: BC
For those Answering AD: https://learn.microsoft.com/en-us/azure/sentinel/livestream "Use hunting livestream to create interactive sessions that let you test newly created queries as events occur, get notifications from the sessions when a match is found, and launch investigations if necessary." This seems like overkill to me? BC I think is the better, simpler solution. B. Add a data connector to ingest the Azure activity logs for the Storage account. C. Add a Near Real Time (NRT) analytics rule to alert on this activity.
upvoted 5 times
DChilds
1 year ago
Selected Answer: BC
B. Add a data connector: This is necessary to connect Azure Sentinel to your Azure Storage account data. The data connector will allow Azure Sentinel to ingest the log data from the storage account.
C. Create an analytics rule: This will allow you to define the specific conditions (in this case, enumeration of storage account keys) that will trigger an alert. You can set the rule to run at frequent intervals for near real-time alerting.
upvoted 4 times
oricgoldfinger
1 year ago
Selected Answer: BC
I create an NRT (near real time) analytic rule.
upvoted 3 times
titiledozo
1 year, 1 month ago
Selected Answer: BC
Detect threats quickly with near-real-time (NRT) analytics rules in Microsoft Sentinel
upvoted 3 times
Ramye
1 year, 2 months ago
Selected Answer: AD
Check this out - https://learn.microsoft.com/en-us/azure/sentinel/livestream#create-a-livestream-session
upvoted 3 times
xoe123
1 year, 3 months ago
B and D https://charbelnemnom.com/monitor-azure-storage-account-activity-log-with-azure-sentinel/#Create_a_hunting_query
upvoted 3 times
Durden871
1 year, 1 month ago
Link seems to indicate that you create the Hunting Query first and then create a Livestream. The connector is for collecting analytic logs. The question is asking how can you get real-time activity notifications.
upvoted 1 times
Murtuza
1 year, 4 months ago
You can create a livestream session from an existing hunting query
upvoted 2 times
kabooze
1 year, 5 months ago
Selected Answer: AD
https://learn.microsoft.com/en-us/azure/sentinel/livestream
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other