SC-200 Manage a security operations environment • Complete Question Bank
Complete SC-200 Manage a security operations environment question bank — all 0 questions with answers and detailed explanations.
Refer to the exhibit.
```json
{
"properties": {
"displayName": "High Severity Incident Response",
"order": 1,
"triggers": [
{
"properties": {
"condition": "incident.severity == 'High'"
},
"triggerType": "IncidentCreated"
}
],
"actions": [
{
"order": 1,
"actionType": "RunPlaybook",
"properties": {
"logicAppResourceId": "/subscriptions/sub-id/resourceGroups/rg/providers/Microsoft.Logic/workflows/playbook-high"
}
}
]
}
}
```
Refer to the exhibit.
```kusto
SecurityAlert
| where TimeGenerated > ago(24h)
| where AlertSeverity == "High"
| where AlertName contains "malware"
| summarize Count = count() by AlertName, AlertSeverity
| order by Count desc
```
Refer to the exhibit.
```powershell
Connect-AzAccount
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName "rg-sentinel" -Name "la-sentinel-prod"
Set-AzSentinelSetting -Workspace $workspace -SettingName "Anomalies" -Enabled $true
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Safely delete custom analytics rule",
"description": "Deletes a custom analytics rule after verification",
"trigger": {
"type": "IncidentCreation",
"entityType": "Incident",
"incidentType": "Alert"
},
"actions": [
{
"actionType": "RunPlaybook",
"playbookName": "Delete-AnalyticsRule",
"logicAppResourceId": "/subscriptions/.../providers/Microsoft.Logic/workflows/Delete-AnalyticsRule"
}
]
}
}
```
Refer to the exhibit.
```kql
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == "0"
| where AppDisplayName == "Office 365 Exchange Online"
| summarize LoginCount = count() by UserPrincipalName, IPAddress
| where LoginCount > 10
| project UserPrincipalName, IPAddress, LoginCount
```
Refer to the exhibit.
```powershell
Set-AzVMDiagnosticsExtension -ResourceGroupName "RG1" -VMName "VM1" -DiagnosticsConfigurationPath "C:\Diagnostics\diagnostics.json"
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Malicious IP Login Detection",
"description": "Detects logins from known malicious IPs",
"severity": "Medium",
"enabled": true,
"query": "SigninLogs | where IPAddress in (dynamic(['10.0.0.1', '192.168.1.1'])) | project TimeGenerated, UserPrincipalName, IPAddress",
"queryFrequency": "PT5H",
"queryPeriod": "PT5H",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": ["InitialAccess"],
"techniques": ["T1078"],
"alertRuleTemplateName": null,
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"reopenClosedIncident": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"groupByEntities": [],
"groupByAlertDetails": [],
"groupByCustomDetails": null
}
},
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
}
}
}
```
Refer to the exhibit.
```kusto
// KQL query in Microsoft Sentinel
let threshold = 10;
DeviceProcessEvents
| where Timestamp > ago(1h)
| summarize ProcessCount = count() by DeviceName, InitiatingProcessFileName
| where ProcessCount > threshold
| join kind=inner (DeviceNetworkEvents
| where Timestamp > ago(1h)
| summarize NetworkCount = count() by DeviceName, RemoteIP
| where NetworkCount > threshold
) on DeviceName
| project DeviceName, InitiatingProcessFileName, RemoteIP, ProcessCount, NetworkCount
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Brute Force Detection",
"enabled": true,
"query": "SigninLogs | where ResultType == '50057' | summarize FailedAttempts = count() by UserPrincipalName, IPAddress, bin(TimeGenerated, 5m) | where FailedAttempts > 5",
"queryFrequency": "PT30M",
"queryPeriod": "PT30M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"lookbackDuration": "PT30M",
"matchingMethod": "AllEntities",
"groupByEntities": ["Account", "IP"]
}
}
}
}
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Malware detected on endpoint",
"severity": "Medium",
"queryPeriod": "PT5M",
"queryFrequency": "PT5M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"query": "DeviceEvents | where ActionType == \"AntivirusDetection\" | where Timestamp > ago(5m)"
}
}
```
Refer to the exhibit.
```powershell
PS C:\> Get-MpComputerStatus | Select-Object AMProductVersion, AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled
AMProductVersion AMServiceEnabled AntivirusEnabled RealTimeProtectionEnabled
--------------- ----------------- ---------------- -----------------------
4.18.2304.9 True True False
```
Refer to the exhibit.
```kusto
SecurityIncident
| where Status == "Active" and Severity == "High"
| where CreatedTime > ago(7d)
| summarize Count = count() by Owner
| top 5 by Count desc
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Ransomware Detection",
"description": "Detects ransomware patterns",
"severity": "High",
"enabled": true,
"query": "SecurityAlert | where AlertName contains \"Ransomware\"",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"reopenClosedIncident": false,
"lookbackDuration": "PT5H",
"entitiesMatchingMethod": "All"
}
}
}
}
```
Refer to the exhibit.
```powershell
# Parameters for the device action, splatted (@params) into the call below.
$params = @{
ActivityFunction = "Run"
ActionType = "RunAntiMalwareScan"
# The action targets the single device named here.
MachineId = "machine123"
Comment = "Scheduled scan"
}
# Run the antimalware scan action for the device above.
Invoke-MDEDeviceAction @params
```
Refer to the exhibit.
```kql
SecurityIncident
| where TimeGenerated > ago(7d)
| where Severity == "High"
| summarize Count = count() by Owner
| top 5 by Count
```
Refer to the exhibit.
```json
{
"type": "Microsoft.Security/automations",
"apiVersion": "2019-01-01-preview",
"name": "BlockMaliciousIP",
"properties": {
"description": "Block malicious IP in firewall",
"isEnabled": true,
"actions": [
{
"type": "LogicApp",
"order": 1,
"logicAppResourceId": "/subscriptions/.../resourceGroups/.../providers/Microsoft.Logic/workflows/BlockIP",
"actionParameters": {
"@odata.type": "#Microsoft.Azure.Security.AlertSimulator.LogicAppActionParameters"
}
}
],
"scopes": [
"/subscriptions/..."
],
"sources": [
{
"eventSource": "Alerts"
}
]
}
}
```
Refer to the exhibit.
```kusto
SecurityEvent
| where EventID == 4625
| where Account !startswith "ANONYMOUS LOGON"
| summarize FailedLogins = count() by Account, IPAddress, bin(TimeGenerated, 5m)
| where FailedLogins > 10
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Block malicious IPs",
"policyType": "Custom",
"mode": "All",
"description": "This policy denies deployment if the source IP is in a predefined list.",
"metadata": {
"version": "1.0.0",
"category": "Network"
},
"parameters": {
"listOfBlockedIPs": {
"type": "Array",
"metadata": {
"displayName": "Blocked IPs",
"description": "List of IPs to block"
}
}
},
"policyRule": {
"if": {
"field": "sourceIP",
"in": "[parameters('listOfBlockedIPs')]"
},
"then": {
"effect": "deny"
}
}
}
}
```
{
"properties": {
"displayName": "Test Automation Rule",
"order": 1,
"triggers": [
{
"type": "IncidentCreated",
"conditions": [
{
"property": "IncidentStatus",
"operator": "Equals",
"value": "Active"
},
{
"property": "Severity",
"operator": "Equals",
"value": "High"
}
]
}
],
"actions": [
{
"type": "RunPlaybook",
"order": 1,
"playbookId": "/subscriptions/.../providers/Microsoft.Logic/workflows/MyPlaybook"
}
]
}
}
SecurityAlert
| where AlertName == "Malware detected"
| extend entities = parse_json(Entities)
| mv-expand entities
| where entities.Type == "file"
| project FileHash = entities.FileHash, AlertTime = TimeGenerated
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"type": "string"
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"name": "[concat(parameters('workspaceName'), '/TestSearch')]",
"apiVersion": "2020-08-01",
"properties": {
"displayName": "Test Search",
"category": "Test",
"query": "Heartbeat | summarize Count() by Computer",
"tags": []
}
}
]
}
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Suspicious Sign-in Detection",
"description": "Detects sign-ins from anomalous locations",
"severity": "Medium",
"query": "SigninLogs | where RiskLevelDuringSignIn == 'medium' | where Location != 'US'",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"triggerOperator": "GreaterThan",
"triggerThreshold": 5
}
}
```
Refer to the exhibit.
```kusto
// Counts powershell.exe / cmd.exe process starts per (device, initiating process) over the
// last 7 days and keeps only pairs with more than 10 starts.
DeviceProcessEvents
| where Timestamp > ago(7d)
// in~ matches the file name case-insensitively
| where FileName in~ ("powershell.exe", "cmd.exe")
// NOTE(review): ParentPID holds a file name (InitiatingProcessParentFileName), not a PID, and is
// not carried through the summarize below, so it has no effect on the result.
| extend ParentPID = InitiatingProcessParentFileName
| summarize Count = count() by DeviceName, InitiatingProcessFileName
| where Count > 10
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Block malicious IPs",
"description": "Blocks IPs from threat intelligence feed",
"policyType": "Custom",
"mode": "Microsoft.Network/virtualNetworks",
"parameters": {
"listOfBlockedIPs": {
"type": "Array",
"metadata": {
"displayName": "List of blocked IPs",
"description": "IP addresses to block"
}
}
},
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Network/networkSecurityGroups/securityRules"
},
"then": {
"effect": "deny"
}
}
}
}
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "High severity incidents to Teams",
"order": 1,
"triggers": [
{
"type": "IncidentsTrigger",
"conditions": [
{
"property": "Severity",
"operator": "Equals",
"value": "High"
}
]
}
],
"actions": [
{
"type": "RunPlaybook",
"order": 1,
"playbookId": "/subscriptions/.../providers/Microsoft.Logic/workflows/PostTeamsMessage"
}
]
}
}
```
Refer to the exhibit.
```json
{
"properties": {
"entityType": "Account",
"displayName": "testuser@contoso.com",
"aadUserId": "00000000-0000-0000-0000-000000000001",
"riskLevel": "high",
"riskDetail": "User performed anomalous sign-in from unfamiliar location",
"riskState": "atRisk",
"riskLastUpdatedDateTime": "2026-03-15T10:30:00Z"
}
}
```
Refer to the exhibit.
```kql
// Sign-ins in the last hour whose ResultType is neither 0 (success) nor 50125, counted per
// (user, source IP); only pairs with more than 5 such events are returned.
// NOTE(review): every other ResultType is counted as a failed attempt — confirm that is intended.
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType !in ("0", "50125") // exclude success and password change
| summarize FailedAttempts = count() by UserPrincipalName, IPAddress
| where FailedAttempts > 5
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Sensitive Data Access Alert",
"severity": "Medium",
"query": "OfficeActivity | where Operation == 'FileAccessed' and UserAgent contains 'Microsoft.Copilot' | project TimeGenerated, UserId, FileName",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"triggerOperator": "GreaterThan",
"triggerThreshold": 5
}
}
```
Refer to the exhibit.
```kusto
SecurityIncident
| where TimeGenerated > ago(7d)
| summarize TotalIncidents = count() by Owner
| where TotalIncidents > 10
| project Owner, TotalIncidents
```
Refer to the exhibit.
```azurecli
az sentinel alert-rule create \
--resource-group rg-sentinel \
--workspace-name sentinel-workspace \
--rule-name "Suspicious Sign-in" \
--rule-type Scheduled \
--query "SigninLogs | where RiskLevelDuringSignIn == 'high'" \
--display-name "Suspicious Sign-in" \
--severity High \
--enabled true
```
Refer to the exhibit.
```json
{
"id": "playbook-logic-app",
"triggers": {
"When_a_response_to_a_Microsoft_Sentinel_alert_is_triggered": {
"kind": "Microsoft.EventGrid",
"inputs": {
"body": {
"alert": {
"properties": {
"providerAlertId": "@triggerBody()?['data']?['essentials']?['alertId']",
"correlationKey": "@triggerBody()?['data']?['essentials']?['correlationKey']"
}
}
}
}
}
},
"actions": {
"Compose_Teams_message": {
"kind": "Microsoft.Teams.PostMessage",
"inputs": {
"message": "Alert ID: @{triggerBody()?['data']?['essentials']?['alertId']}",
"recipient": "security-team-channel"
}
}
}
}
```
Refer to the exhibit.
```kusto
SecurityAlert
| where TimeGenerated > ago(24h)
| where AlertName == "Suspicious sign-in"
| extend UserPrincipalName = tostring(Entities[0].AccountUpn)
| where UserPrincipalName !endswith "@contoso.com"
| project TimeGenerated, AlertName, UserPrincipalName
```
Refer to the exhibit.
```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2020-08-01",
"name": "[concat(parameters('workspaceName'), '/TestQuery')]",
"properties": {
"displayName": "Test Query",
"category": "Security",
"query": "SecurityEvent | where EventID == 4624 | count",
"tags": []
}
}
]
}
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Block Malicious IP",
"logicAppResourceId": "/subscriptions/.../providers/Microsoft.Logic/workflows/BlockIP",
"triggerConditions": [
{
"property": "Microsoft.Security.Incident",
"condition": "Equals",
"value": "High"
}
]
}
}
```
Refer to the exhibit.
```kusto
SecurityAlert
| where TimeGenerated > ago(7d)
| where AlertSeverity == "High"
| where ProviderName == "Microsoft Defender for Endpoint"
| summarize AlertCount = count() by AlertName, bin(TimeGenerated, 1d)
| sort by AlertCount desc
```
Refer to the exhibit.
```powershell
# Parameters for the automation rule, splatted (@params) into New-AzSentinelAutomationRule below.
$params = @{
ResourceGroupName = "SOC-RG"
WorkspaceName = "sentinel-workspace"
Name = "DailySummaryReport"
Enabled = $true
Description = "Generates daily incident summary"
DisplayName = "Daily Summary"
# Logic App workflow the rule runs; the subscription segment is elided in this exhibit.
LogicAppResourceId = "/subscriptions/.../resourceGroups/SOC-RG/providers/Microsoft.Logic/workflows/DailySummary"
# NOTE(review): a single condition comparing property "Microsoft.Security.Incident" with "Medium";
# confirm this matches the cmdlet's documented condition schema before relying on it.
TriggerConditions = @(
@{
Property = "Microsoft.Security.Incident"
Condition = "Equals"
Value = "Medium"
}
)
}
# Create the rule with the parameters above.
New-AzSentinelAutomationRule @params
```
Refer to the exhibit.
{
"properties": {
"displayName": "Sensitive Data Access",
"description": "Detect access to sensitive data",
"severity": "Medium",
"query": "SensitivityLabelEvent | where SensitivityLabelName contains \"Confidential\" | where OperationName == \"FileAccessed\"",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": ["Collection"],
"alertRuleTemplateName": null
}
}
{"type": "Microsoft.SecurityInsights/alertRules", "apiVersion": "2023-02-01-preview", "properties": { "displayName": "MFA Disabled", "query": "IdentityInfo | where Timestamp > ago(5h) | where IsMfaRegistered == false", "triggerOperator": "gt", "triggerThreshold": 0, "eventGroupingSettings": { "aggregationKind": "AlertPerResult" }, "incidentConfiguration": { "createIncident": true, "groupingConfiguration": { "enabled": false } } } }
{
"properties": {
"displayName": "SOC Automation Rules",
"rules": [
{
"name": "High Severity Incidents",
"description": "Assign incidents with severity High to tier1 group and run a playbook.",
"actions": [
{ "order": 1, "actionType": "AddIncidentTask", "taskName": "Notify SOC Lead" },
{ "order": 2, "actionType": "RunPlaybook", "logicAppResourceId": "/subscriptions/.../resourceGroups/.../providers/Microsoft.Logic/workflows/NotifySOC" },
{ "order": 3, "actionType": "ModifyIncident", "status": "Active", "owner": "SOC-Tier1@contoso.com" }
]
}
]
}
}
let HeartbeatThreshold = 5m;
Heartbeat
| summarize LastHeartbeat = max(TimeGenerated) by Computer
| where LastHeartbeat < ago(HeartbeatThreshold)
| project Computer, LastHeartbeat, Status = 'Unhealthy'
Refer to the exhibit.
{
"properties": {
"displayName": "MFA Disabled Alert",
"description": "Alert when MFA is disabled for a user.",
"severity": "Medium",
"enabled": true,
"query": "IdentityLogonEvents | where Application == 'Microsoft Entra ID' | where ActionType == 'MFA disabled' | summarize Count=count() by AccountUpn",
"queryFrequency": "PT5H",
"queryPeriod": "PT5H",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT5H",
"suppressionEnabled": false
}
}
Refer to the exhibit.
```json
{
"properties": {
"displayName": "SOC Automation",
"description": "Playbook for automated incident response",
"state": "Enabled",
"triggers": [
{
"type": "Microsoft.SecurityInsights/Incident",
"conditions": [
{
"property": "Severity",
"operator": "Equals",
"value": "High"
},
{
"property": "Status",
"operator": "Equals",
"value": "New"
}
]
}
],
"actions": [
{
"type": "RunPlaybook",
"playbookId": "/subscriptions/sub-123/resourceGroups/rg-sentinel/providers/Microsoft.Logic/workflows/playbook-assign-incident"
}
]
}
}
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Investigate Malware",
"description": "Playbook to investigate malware alerts",
"state": "Enabled",
"triggers": [
{
"type": "Microsoft.SecurityInsights/AlertRule",
"conditions": [
{
"property": "AlertProvider",
"operator": "Contains",
"value": "Microsoft Defender for Endpoint"
}
]
}
],
"actions": [
{
"type": "RunPlaybook",
"playbookId": "/subscriptions/sub-1/resourceGroups/rg-sentinel/providers/Microsoft.Logic/workflows/playbook-malware-investigation"
}
]
}
}
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Incident Response Workflow",
"description": "Automates incident response",
"triggers": [
{
"type": "Microsoft.SecurityInsights/Incident",
"conditions": [
{
"property": "Severity",
"operator": "Equals",
"value": "Medium"
},
{
"property": "Owner",
"operator": "Equals",
"value": "Unassigned"
}
]
}
],
"actions": [
{
"type": "AssignIncident",
"assignedTo": "soc-team@contoso.com"
}
]
}
}
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "DailyReport",
"description": "Sends daily security report",
"triggers": [
{
"type": "Recurrence",
"recurrence": {
"frequency": "Day",
"interval": 1,
"schedule": {
"hours": [8],
"minutes": [0]
}
}
}
],
"actions": [
{
"type": "SendEmail",
"inputs": {
"host": {
"connectionName": "office365",
"operationId": "SendEmailV2"
},
"parameters": {
"to": "security@contoso.com",
"subject": "Daily Security Report",
"body": "Report generated."
}
}
}
]
}
}
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Block High-Risk User",
"triggers": [
{
"type": "MicrosoftSentinelIncident",
"incident": {
"severity": "High",
"status": "New"
}
}
],
"actions": [
{
"type": "RunPlaybook",
"playbook": {
"id": "/subscriptions/.../resourceGroups/.../providers/Microsoft.Logic/workflows/BlockUser"
}
}
]
}
}
```
Refer to the exhibit.
```json
{
"properties": {
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"reopenClosedIncident": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"groupByEntities": [],
"groupByAlertDetails": [],
"groupByCustomDetails": []
}
},
"alertRuleTemplateName": "Template101",
"enabled": true,
"displayName": "Test Rule"
}
}
```
Refer to the exhibit.
```kusto
SecurityAlert
| where TimeGenerated > ago(1h)
| summarize AlertCount = count() by AlertName, tostring(parse_json(Entities)[0].Type)
| where AlertCount > 5
```
You are the security operations analyst for a large enterprise that uses Microsoft Sentinel and Microsoft Defender XDR. The environment includes:
- 10,000 Windows 11 devices managed by Microsoft Intune
- 5,000 macOS devices managed by Jamf Pro
- 2,000 Linux servers running Ubuntu 22.04
- Microsoft 365 E5 licenses for all users
- Microsoft Sentinel in the East US region
- Microsoft Defender for Cloud Apps enabled
- Microsoft Defender for Identity deployed
- Microsoft Defender for Office 365 configured
You need to design a solution to meet the following requirements:
1. Ingest security events from all devices (Windows, macOS, Linux) into Microsoft Sentinel.
2. Ensure that all alerts from Microsoft Defender XDR components (including Defender for Endpoint, Defender for Identity, Defender for Office 365, and Defender for Cloud Apps) are automatically correlated into incidents in Microsoft Sentinel.
3. Minimize latency between alert generation in Defender XDR and incident creation in Sentinel.
4. Use the least amount of administrative overhead.
What should you implement?
Refer to the exhibit.
```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2021-06-01",
"name": "[concat(parameters('workspaceName'), '/MyRule')]",
"properties": {
"displayName": "My Rule",
"category": "Security",
"query": "SecurityEvent | where EventID == 4625",
"tags": []
}
}
]
}
```
Refer to the exhibit.
{
"properties": {
"displayName": "Block malicious IPs",
"description": "Automatically block IPs from threat intelligence.",
"triggers": [
{
"type": "IncidentCreated"
}
],
"actions": [
{
"type": "RunPlaybook",
"playbookResourceId": "/subscriptions/sub-id/resourceGroups/rg/providers/Microsoft.Logic/workflows/BlockIPPlaybook"
}
]
}
}
Refer to the exhibit. PowerShell output:
PS C:\> Get-AzSentinelIncident -ResourceGroupName MyRG -WorkspaceName MyWorkspace | Select-Object -Property IncidentNumber, Status, Severity
IncidentNumber Status Severity
-------------- ------ --------
1001 Active High
1002 Closed Medium
1003 Active Low
1004 New High
Refer to the exhibit. KQL query:
SecurityAlert
| where TimeGenerated > ago(7d)
| summarize TotalAlerts = count() by AlertSeverity
| order by AlertSeverity desc
{
"type": "Microsoft.SecurityInsights/automationRules",
"apiVersion": "2023-02-01-preview",
"name": "Auto-Close Low Severity",
"properties": {
"displayName": "Auto-Close Low Severity Incidents",
"order": 1,
"triggeringLogic": {
"conditions": [
{
"conditionProperties": {
"propertyName": "Severity",
"operator": "Equals",
"propertyValues": ["Low"]
},
"conditionType": "Property"
}
],
"triggersOn": "Incidents",
"triggersWhen": "Created"
},
"actions": [
{
"actionType": "ModifyProperties",
"actionConfiguration": {
"status": "Closed",
"classification": "TruePositive",
"classificationComment": "Auto-closed due to low severity."
}
}
]
}
}
SecurityEvent
| where EventID == 4625
| where TimeGenerated > ago(24h)
| summarize Count = count() by Account
| where Count > 10
{
"properties": {
"displayName": "Incident Response Playbook",
"trigger": {
"type": "HttpTrigger",
"kind": "Default"
},
"definitions": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/workflows/definitions/2019-01-01-preview/schema.json",
"actions": {
"Send_email": {
"type": "ApiConnection",
"inputs": {
"host": {
"connectionName": "office365"
},
"method": "post",
"path": "/v2/Mail"
}
}
}
}
}
}
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Malware detected on endpoint",
"description": "This incident indicates malware was detected on an endpoint.",
"severity": "High",
"status": "New",
"owner": {
"assignedTo": null,
"email": null
},
"labels": ["Malware", "Endpoint"],
"firstActivityTimeUtc": "2024-01-15T10:00:00Z",
"lastActivityTimeUtc": "2024-01-15T10:30:00Z"
}
}
```
Refer to the exhibit.
```kusto
SecurityAlert
| where TimeGenerated > ago(7d)
| where AlertName == "Suspicious process execution"
| extend Entities = parse_json(Entities)
| mv-expand Entities
| where Entities.Type == "account"
| project AccountUpn = Entities.Upn, AlertName, TimeGenerated
| summarize Count = count() by AccountUpn
| where Count > 5
```
Refer to the exhibit.
```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2020-08-01",
"name": "[concat(parameters('workspaceName'), '/', parameters('ruleName'))]",
"properties": {
"category": "Security",
"displayName": "[parameters('ruleName')]",
"query": "SecurityEvent | where EventID == 4688 | where ProcessName endswith '\\powershell.exe'",
"tags": [
{ "name": "AlertSeverity", "value": "Medium" }
]
}
}
]
}
```
Refer to the exhibit.
{
"properties": {
"displayName": "SOC Automation Rule",
"order": 1,
"triggeringLogic": {
"triggersOn": "Incidents",
"triggersWhen": "Created",
"conditions": [
{
"property": "Status",
"operator": "Equals",
"value": "New"
}
]
},
"actions": [
{
"actionType": "ChangeStatus",
"status": "Active"
}
]
}
}
Refer to the exhibit.
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2021-06-01",
"name": "[concat(parameters('workspaceName'), '/MaliciousIPDetection')]",
"properties": {
"category": "Security",
"displayName": "Malicious IP Detection",
"query": "Heartbeat | where TimeGenerated > ago(1d) | summarize Count=count() by Computer | where Count > 100"
}
}
Refer to the exhibit.
# Fetch the workspace tables and keep only the one named SecurityEvent.
$table = Get-AzOperationalInsightsTable -ResourceGroupName 'SOC-RG' -WorkspaceName 'SOC-Workspace' | Where-Object {$_.Name -eq 'SecurityEvent'}
# Retention values are set on the local object here; they take effect only once the object is
# written back with Set-AzOperationalInsightsTable (the call that follows).
$table.RetentionInDays = 365
$table.TotalRetentionInDays = 730
Set-AzOperationalInsightsTable -ResourceGroupName 'SOC-RG' -WorkspaceName 'SOC-Workspace' -Table $table
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Block Tor IPs",
"description": "Blocks traffic from known Tor exit nodes.",
"ruleType": "Prevention",
"action": "Block",
"priority": 100,
"sourceAddress": ["138.197.0.0/16", "104.131.0.0/16"],
"destinationAddress": ["*"],
"sourcePorts": ["*"],
"destinationPorts": ["443", "80"],
"protocol": "TCP",
"direction": "Inbound"
}
}
```
Refer to the exhibit.
```kusto
DeviceProcessEvents
| where Timestamp >= ago(1h)
| where FileName == "powershell.exe"
| where ProcessCommandLine contains "-enc" or ProcessCommandLine contains "-e"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
```
Refer to the exhibit.
```json
{
"name": "IT-AAD-001",
"assignments": [
{
"group": "All Users",
"exclude": ["Emergency Break-Glass Accounts"]
}
],
"conditions": {
"applications": ["All applications"],
"users": ["All users"],
"locations": {
"include": ["All trusted locations"],
"exclude": ["All untrusted locations"]
}
},
"grantControls": {
"builtInControls": ["mfa", "requireCompliantDevice"]
}
}
```
Refer to the exhibit.
```kusto
// Pairs (user, source IP) with more than Threshold sign-ins of ResultType 50057 in the last
// TimeWindow that also have at least one ResultType 0 (successful) sign-in from the same pair in
// that window; kind=inner drops pairs with no successful sign-in.
// NOTE(review): 50057 is the only result code counted as a failure here — confirm it is the
// intended code; the query also does not require the failures to precede the success in time.
let TimeWindow = 1h;
let Threshold = 10;
SigninLogs
| where TimeGenerated >= ago(TimeWindow)
| where ResultType == "50057"
| summarize FailedAttempts = count() by UserPrincipalName, IPAddress
| where FailedAttempts > Threshold
| join kind=inner (
SigninLogs
| where TimeGenerated >= ago(TimeWindow)
| where ResultType == "0"
| summarize SuccessfulSignIns = count() by UserPrincipalName, IPAddress
) on UserPrincipalName, IPAddress
| project UserPrincipalName, IPAddress, FailedAttempts, SuccessfulSignIns
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Malware Alert Auto-Isolate",
"triggers": [
{
"type": "Incident",
"conditions": [
{
"condition": "AlertTitle",
"operator": "Contains",
"value": "Malware"
}
]
}
],
"actions": [
{
"type": "RunPlaybook",
"playbookName": "IsolateDevice"
}
]
}
}
```
Refer to the exhibit.
```kusto
SecurityAlert
| where AlertSeverity == "High"
| where TimeGenerated > ago(24h)
| summarize AlertCount = count() by AlertName
| where AlertCount > 10
| project AlertName, AlertCount
```
Refer to the exhibit.
```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2020-08-01",
"name": "[concat(parameters('workspaceName'), '/SampleSavedSearch')]",
"properties": {
"displayName": "Sample Saved Search",
"category": "Security",
"query": "SecurityEvent | where EventID == 4625 | where TimeGenerated > ago(1h)",
"tags": []
}
}
]
}
```
{"type": "Microsoft.SecurityInsights/automationRules", "properties": { "displayName": "High Severity Incident Response", "order": 1, "triggeringLogic": { "triggersOn": "Incidents", "triggersWhen": "Created", "conditions": [ { "operator": "Equals", "property": "Severity", "value": "High" } ] }, "actions": [ { "order": 1, "actionType": "RunPlaybook", "actionConfiguration": { "logicAppResourceId": "/subscriptions/.../resourceGroups/.../providers/Microsoft.Logic/workflows/Playbook1" } } ] } }
{"query": "SecurityAlert | where TimeGenerated > ago(7d) | summarize AlertCount = count() by AlertName, Severity | order by AlertCount desc | take 10"}
{"properties": { "enabled": true, "dataTypes": { "WindowsEvent": { "state": "Enabled" }, "SecurityEvent": { "state": "Enabled" } }, "workspaceId": "<workspace-id>" } }
Refer to the exhibit.
{
"type": "Microsoft.SecurityInsights/automationRules",
"apiVersion": "2023-02-01-preview",
"properties": {
"displayName": "Auto-assign critical incidents",
"order": 1,
"triggeringLogic": {
"triggersOn": "Incidents",
"triggersWhen": "Created",
"conditions": [
{
"property": "Severity",
"operator": "Equals",
"value": "High"
}
]
},
"actions": [
{
"order": 1,
"actionType": "ModifyProperties",
"actionConfiguration": {
"severity": "Medium",
"owner": {
"assignedTo": "SOC-Tier2"
}
}
}
]
}
}
Refer to the exhibit.
SecurityAlert
| where AlertName has "Malware"
| summarize count() by AlertSeverity
| project AlertSeverity, Count
Refer to the exhibit.
# Detections whose ThreatName matches *Trojan*; $alert is empty when there are none.
$alert = Get-MpThreatDetection | Where-Object {$_.ThreatName -like "*Trojan*"}
if ($alert) {
Start-MpScan -ScanType QuickScan
}
Refer to the exhibit.
```json
{
"properties": {
"ruleId": "6b1c0a1e-0e1f-4b1a-8e1f-1a2b3c4d5e6f",
"displayName": "Suspicious Sign-in from Anonymous IP",
"enabled": true,
"query": "SigninLogs
| where Location == 'Unknown'
| where TimeGenerated > ago(7d)
| summarize count() by UserPrincipalName
| where count_ > 3",
"queryFrequency": "PT1H",
"queryPeriod": "PT7D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"severity": "Medium",
"suppressionDuration": "PT6H",
"suppressionEnabled": true
}
}
```
Refer to the exhibit.
```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"value": "SentinelWorkspace"
},
"location": {
"value": "eastus"
},
"sku": {
"value": "PerGB2018"
},
"retentionInDays": {
"value": 90
},
"dataRetentionForDailyQuotaInGB": {
"value": 5
},
"dailyQuotaInGB": {
"value": 10
}
}
}
```
Refer to the exhibit.
```kusto
SigninLogs
| where TimeGenerated > ago(1d)
| where RiskLevelDuringSignIn == "high"
| where RiskLevelAggregated == "high"
| project UserPrincipalName, IPAddress, RiskLevelDuringSignIn, RiskLevelAggregated
| summarize count() by UserPrincipalName
| where count_ > 5
```
{
"properties": {
"displayName": "SOC_IR_Playbook",
"trigger": {
"type": "Microsoft.SecurityInsights/AlertRule",
"inputs": {
"alertRuleId": "a8144c0a-...",
"severity": ["High"]
}
},
"actions": [
{
"type": "Microsoft.SecurityInsights/IncidentTask",
"inputs": {
"title": "Create ServiceNow ticket",
"description": "Create a ticket in ServiceNow for this incident"
}
},
{
"type": "Microsoft.SecurityInsights/IncidentTask",
"inputs": {
"title": "Notify SOC manager",
"description": "Send email notification"
}
}
]
}
}