[THM Walkthrough] MS Sentinel: Introduction
This is a full walkthrough with answers and explanations for the TryHackMe room "MS Sentinel Introduction".
Link to the room: https://tryhackme.com/room/sentinelintroduction.
[Task 1] Microsoft Security Operations Analyst
What security unit is responsible for protecting the organization against security threats?
Security Operations Center
“A Security Operations Center (SOC) is a centralized security unit with team(s) responsible for protecting the organization against security threats.”
Generally, which level of SOC Analyst is responsible for responding to incidents?
SOC Level 2 Analyst
Incident response is a responsibility of the SOC Level 2 Analyst, based on the table in Task 1.
Besides monitoring, what else do SOC Level 1 Analysts spend the majority of their time with?
triage
Monitoring and triage are responsibilities of the SOC Level 1 Analyst, based on the table in Task 1.
[Task 2] Introduction to Microsoft Sentinel
Microsoft Sentinel is a combination of two security concepts, namely SIEM and which other one?
SOAR
Microsoft Sentinel is a scalable, cloud-native solution that provides the functionality of Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR).
Creating security alerts and incidents is part of which security concept?
SIEM
SIEM functionalities are:
- Collecting and querying logs
- Doing correlation or anomaly detection
- Creating alerts and incidents based on findings
By means of how many pillars does Microsoft Sentinel help us to perform security operations?
4
Microsoft Sentinel performs the above actions and enables security operations by means of 4 main pillars:
- Collect
- Detect
- Investigate
- Respond
[Task 3] How Microsoft Sentinel Works
What is used to ingest data into Sentinel?
data connectors
The first step is to ingest data into Microsoft Sentinel. This is exactly what data connectors are for.
Where are the ingested logs stored for further correlation and analysis?
log analytics workspaces
Once the data has been ingested into Microsoft Sentinel, it must be stored for further correlation and analysis. This log storage mechanism is called Log Analytics workspaces.
Workbooks are essentially ___ used for visualization.
dashboards
Workbooks are essentially dashboards in Microsoft Sentinel used to visualize data.
When SOC teams are flooded with security alerts and incidents, this is called?
alert fatigue
Alert fatigue occurs when cyber security professionals are inundated with a high volume of security alerts, which diminishes the SOC team's ability to react effectively to and investigate real threats.
In Microsoft Sentinel, automation is done via automated workflows, known as?
playbooks
To overcome alert fatigue, automation in security operations is a must. This is done by automated workflows, also known as playbooks, that run in response to events.
The output of running Analytics rules includes security alerts and?
Incidents
The output of running Analytics rules is security alerts and incidents.
[Task 4] When To Use Microsoft Sentinel
Organizations use Microsoft Sentinel mainly because they need to ___ their cloud infrastructure.
monitor
Organizations use Microsoft Sentinel when there is a necessity to monitor cloud and on-premises infrastructures for security.
With Microsoft Sentinel, there is no need for server provisioning. This means it is?
cloud-native
Cloud-native SIEM - no need for server provisioning, which facilitates seamless scalability.