Exam SC-300 topic 4 question 20 discussion

Add a Microsoft Sentinel Data connector is the wrong answer. Meant to mislead. Because question itself mentions that AAD connector was added. Which seem to cover all AAD functionality including Identity Protection feature. What you are asked to do is generate incidents based on the risk alerts. For that you use playbooks in Sentinel. Which automates tasks that SOC engineers need to such as generte risk alerts. So answer is C.

Wording is kind of weird. The data connector you're adding in Sentinel is called "Azure Active Directory Identity Protection". So yes, you're adding a data connector within Sentinel.

I think A. First at this date the connectors in question would be "Entra ID" and "Entra ID Protection". Two separate connectors. The question is likely obsolete. However if i see it wit hthe wording of "Entra ID", i will answer A. If I see it with the wording of "Entra ID Protection" then I will go for D. https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/microsoft-entra-id https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/microsoft-entra-id-protection Think the order would be 1. the correct connector 2. diagnostic setting to forward the right logs to sentinel 3. playbook dont think B is used with regards to Sentinel, although maybe it somehow can, but this is more likely for notifying your admins for those not using Senitnel / NOC

Here's what happens when you modify the Diagnostics settings: Enable Log Streaming: You configure Azure AD to send its logs to your Log Analytics workspace. Select Specific Logs: You choose which logs to send—like sign-in logs and risk detections. Continuous Monitoring: Azure Sentinel now continuously pulls in this data, allowing it to detect threats and create incidents.

=> C - Create a MS Sentinel Playbook Azure Ad connector was already configured so next would be to create a playbook imo.

The correct option is: **A. Add a Microsoft Sentinel data connector.** Explanation: - In order for **Azure Sentinel** (now Microsoft Sentinel) to generate incidents based on the risk alerts from **Azure AD Identity Protection**, you first need to ensure that the data from Azure AD Identity Protection flows into Sentinel. - Adding a **Microsoft Sentinel data connector** for **Azure Active Directory Identity Protection** enables Sentinel to collect and analyze the risk alerts and other security data, so incidents can be created based on that data.

Clearly states Sentinel Data collector - https://learn.microsoft.com/en-us/azure/sentinel/create-incidents-from-alerts

Add a Microsoft Sentinel data connector. You create an Azure Sentinel instance and configure the Azure Active Directory connector. (Microsoft Entra ID connector) You need to ensure that Azure Sentinel can generate incidents based on the risk alerts raised by Azure AD Identity Protection We need : Microsoft Entra ID Protection (a different type connector) Microsoft Sentinel | Data connectors | Content hub - Microsoft Entra ID (we suppose is already enabled) - add Microsoft Entra ID Protection Description Note: Please refer to the following before installing the solution: • Review the solution Release Notes The Microsoft Entra ID Protection solution for Microsoft Sentinel allows you to ingest Security alerts reported in Microsoft Entra ID Protection for risky users and events in Microsoft Entra ID. Data Connectors: 1, Analytic Rules: 1, Playbooks: 5

https://learn.microsoft.com/en-us/azure/sentinel/overview To on-board Microsoft Sentinel, you first need to connect to your data sources.

D - is correct. The correct answer is D. Modify the Diagnostics settings in Azure AD. According to the Microsoft Entra article on Connect Azure Active Directory data to Microsoft Sentinel1, you need to enable the Diagnostics settings in Azure AD to stream the sign-in logs, audit logs, and provisioning logs to a Log Analytics workspace. This is a prerequisite for connecting the Azure Active Directory data connector to Microsoft Sentinel. https://learn.microsoft.com/en-us/azure/sentinel/connect-services-diagnostic-setting-based

To ensure that Azure Sentinel can generate incidents based on the risk alerts raised by Azure AD Identity Protection, you should first Create a Microsoft Sentinel Incident Creation Rule1. This rule will allow Azure Sentinel to automatically create incidents every time an alert is triggered in a connected Microsoft security solution2. You can easily configure this by navigating to Analytics in Azure Sentinel and choosing Create > Microsoft Incident Creation Rule. Then, select Azure Active Directory Identity Protection as the security service1. So, the correct answer is: C. Create a Microsoft Sentinel playbook.

AAD Identity Connector is a separate Connector, plus it has been changed now and added into the Defender 365 Data Connector

The correct answer is D. Modify the Diagnostics settings in Azure AD. According to the Microsoft Entra article on Connect Azure Active Directory data to Microsoft Sentinel1, you need to enable the Diagnostics settings in Azure AD to stream the sign-in logs, audit logs, and provisioning logs to a Log Analytics workspace. This is a prerequisite for connecting the Azure Active Directory data connector to Microsoft Sentinel.

Use playbook to generate incidents in Sentinel

The only way to generate incidents is by playbook

Playbook comes Post Incident ( it job is SOAR and not incident management). I feel A and if you feel Data conenctor are already in place then the Ans Could be D ( that is config the Sign in log or user logs ) configuration part

C. Create a Microsoft Sentinel playbook.