Exam Ref SC-200

Microsoft Security
Operations Analyst

Yuri Diogenes
Jake Mowrer
Sarah Young
Exam Ref SC-200 Microsoft Security CREDITS

Operations Analyst EDITOR-IN-CHIEF

Brett Bartow
Published with the authorization of Microsoft Corporation by:
Pearson Education, Inc. EXECUTIVE EDITOR
Loretta Yates
COPYRIGHT © 2022 BY PEARSON EDUCATION, INC.
All rights reserved. This publication is protected by copyright, and permission must DEVELOPMENT EDITOR
be obtained from the publisher prior to any prohibited reproduction, storage in a Rick Kughen
retrieval system, or transmission in any form or by any means, electronic, mechani- SPONSORING EDITOR
cal, photocopying, recording, or likewise. For information regarding permissions,
Charvi Arora
request forms, and the appropriate contacts within the Pearson Education Global
Rights & Permissions Department, please visit www.pearson.com/permissions MANAGING EDITOR
No patent liability is assumed with respect to the use of the information contained Sandra Schroeder
herein. Although every precaution has been taken in the preparation of this book, PROJECT EDITOR
the publisher and author assume no responsibility for errors or omissions. Nor Dan Foster
is any liability assumed for damages resulting from the use of the information
contained herein. COPY EDITOR
Rick Kughen
ISBN-13: 978-0-13-756835-2
ISBN-10: 0-13-756835-5 INDEXER
Library of Congress Control Number: xxxxxxxxxx Valerie Haynes Perry
ScoutAutomatedPrintCode PROOFREADER
Scout Festa
TRADEMARKS
Microsoft and the trademarks listed at http://www.microsoft.com on the TECHNICAL EDITOR
“Trademarks” webpage are trademarks of the Microsoft group of companies. Nicholas DiCola
All other marks are property of their respective owners. EDITORIAL ASSISTANT
WARNING AND DISCLAIMER Cindy Teeters
Every effort has been made to make this book as complete and as accurate as COVER DESIGNER
possible, but no warranty or fitness is implied. The information provided is on Twist Creative, Seattle
an “as is” basis. The author, the publisher, and Microsoft Corporation shall have
neither liability nor responsibility to any person or entity with respect to any loss COMPOSITOR
or damages arising from the information contained in this book or from the use Danielle Foster
of the programs accompanying it.

SPECIAL SALES
For information about buying this title in bulk quantities, or for special sales
opportunities (which may include electronic versions; custom cover designs;
and content particular to your business, training goals, marketing focus,
or branding interests), please contact our corporate sales department at
[email protected] or (800) 382-3419.
For government sales inquiries, please contact [email protected].
For questions about sales outside the U.S., please contact [email protected].
Contents at a glance

Introduction xv

CHAPTER 1 Mitigate threats using Microsoft 365 Defender 1

CHAPTER 2 Mitigate threats using Azure Defender 121
CHAPTER 3 Mitigate threats using Azure Sentinel 185

Index 303
Contents

Introduction xv
Organization of this book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

Preparing for the exam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

Microsoft certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

Errata, updates & book support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xvi

Stay in touch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xvi

Chapter 1 Mitigate threats using Microsoft 365 Defender 1

Skill 1-1: Detect, investigate, respond, and remediate threats
to the productivity environment using Microsoft Defender
for Office 365 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Examine a malicious spear phishing email 2
Configuring a Safe Links policy 3
Malicious attachments 9
Anti-phishing policies 14
Attack Simulation Training 24
Data protection, labeling, and insider risk 30
Investigate and remediate an alert raised by
Microsoft Defender for Office 365 35

Skill 1-2: Detect, investigate, respond, and remediate endpoint

threats using Microsoft Defender for Endpoint . . . . . . . . . . . . . . . . . . . . . . 40
Configuring Microsoft Defender for Endpoint 41
Respond to incidents and alerts 55
Creating custom detections 70
Managing risk through security recommendations and
vulnerability management 81

V
 Skill 1-3: Detect, investigate, respond, and remediate identity threats . . . . 89
Identifying and responding to Azure Active Directory
identity risks 89
Identifying and responding to Active Directory Domain
Services threats using Microsoft Defender for Identity 95
Using Microsoft Cloud App Security to identify and respond
to threats in Software as a Service 99

Skill 1-4: Manage cross-domain investigations in the Microsoft 365

Defender Security portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Examine a cross-domain incident 105
Manage a cross-domain incident using
Microsoft 365 Defender 106

Thought experiment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .118

Securing Contoso Corporation from modern threats 118

Thought experiment answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119

Chapter 2 Mitigate threats using Azure Defender 121

Skill 2-1 Design and configure an Azure Defender implementation . . . . . .121
Plan and configure Azure Defender settings,
including selecting target subscriptions and workspace 122
Configure Azure Defender roles 124
Configure data retention policies 126
Assess and recommend cloud workload protection 128

Skill 2-2: Plan and implement the use of data connectors for
ingestion of data sources in Azure Defender . . . . . . . . . . . . . . . . . . . . . . . 132
Identify data sources to be ingested for Azure Defender 132
Configure automated onboarding for Azure resources and
data collection 133
Connect on-premises computers 136
Connect AWS cloud resources 140
Connect GCP cloud resources 143

vi CONTENTS
 Skill 2-3: Manage Azure Defender alert rules . . . . . . . . . . . . . . . . . . . . . . . . . . 145
alidate alert configuration 146
Set up email notifications 150
Create and manage alert suppression rules 151

Skill 2-4 Configure automation and remediation . . . . . . . . . . . . . . . . . . . . . . 153

Configure automated response in Azure Security Center 154
Design and configure a playbook in Azure Defender 156
Remediate incidents by using Azure Defender
recommendations 161
Create an automatic response using an Azure
Resource Manager template 163

Skill 2-5: Investigate Azure Defender alerts and incidents . . . . . . . . . . . . . . 164

Describe alert types for Azure workloads 164
Manage security alerts 173
Manage security incidents 175
Analyze Azure Defender threat intelligence 178
Respond to Azure Defender Key Vault alerts 179
Manage user data discovered during an investigation 181
Thought experiment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181
Monitoring security at Tailwind Traders 181

Thought experiment answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

Chapter 3 Mitigate threats using Azure Sentinel 185

Skill 3-1 Design and configure an Azure Sentinel workspace . . . . . . . . . . . 186
Plan an Azure Sentinel workspace 186
Configure Azure Sentinel roles 190
Design Azure Sentinel data storage 193
Configure Azure Sentinel service security 195

Skill 3-2: Plan and implement the use of data connectors for
the ingestion of data sources into Azure Sentinel . . . . . . . . . . . . . . . . . . . 196
Identify data sources to be ingested into Azure Sentinel 196
Identify the prerequisites for a data connector 199
Configure and use Azure Sentinel data connectors 200

CONTENTS VII
 Design and configure Syslog and CEF event collections 202
Design and configure Windows Events collections 205
Configure custom threat intelligence connectors 211
Create custom logs in Azure Log Analytics to store
custom data 214
Custom log ingestion via the Azure Monitor HTTP
Data Collector API 215
Custom log ingestion via Azure Logic Apps 215

Skill 3-3: Manage Azure Sentinel analytics rules . . . . . . . . . . . . . . . . . . . . . . . 220

Design and configure analytics rules 220
Create custom analytics rules to detect threats 224
Activate Microsoft security analytics rules 227
Configure connector-provided scheduled ueries 229
Configure custom scheduled ueries 230
Define incident creation logic 231
Kusto Query Language (KQL) 232

Skill 3-4 Configure Security Orchestration, Automation,

and Response (SOAR) in Azure Sentinel . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Create Azure Sentinel Playbooks 236
Use Playbooks to remediate threats 242
Use Playbooks to manage incidents 243
Use Playbooks across Microsoft Defender solutions 244

Skill 3-5: Manage Azure Sentinel incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

Investigate incidents in Azure Sentinel 249
Triage incidents in Azure Sentinel 254
Respond to incidents in Azure Sentinel 255
Investigate multi-workspace incidents 256
Identify advanced threats with user and entity
behavior analytics (UEBA) 257

Skill 3-6: Use Azure Sentinel workbooks to analyze and

interpret data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Activate and customize Azure Sentinel workbook templates 262
Create custom workbooks 266
Configure advanced visualizations 269

viii CONTENTS
 View and analyze Azure Sentinel data using workbooks 272
Track incident metrics using the security operations
efficiency workbook 274

Skill 3-7: Hunt for threats using the Azure Sentinel portal . . . . . . . . . . . . . . 276
Create custom hunting queries 277
Run hunting queries manually 279
Monitor hunting queries by using Livestream 281
Track query results with bookmarks 284
Use hunting bookmarks for data investigations 288
Convert a hunting query to an analytics rule 292
Perform advanced hunting with notebooks 295

Thought experiment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301

Security operations at Contoso Ltd. 301

Thought experiment answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301

Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302

Index 303

CONTENTS IX
Acknowledgments

The authors would like to thank Loretta Yates and the entire Microsoft Press/Pearson team for
their support in this project, and Nicholas DiCola for reviewing the book.
Yuri would also like to thank: My wife and daughters for their endless support; my great
God for giving me strength and guiding my path on each step of the way; and my great friends
and co-authors Sarah Young and Jake Mowrer for this amazing partnership. My manager Re-
becca, for always encouraging me to achieve more and stretch myself to the next level. Thanks
for the support from our learning team, especially Brandon Neeb, for their contribution to this
project. Last but not least, thanks to my parents for working hard to give me an education,
which is the foundation I use every day to keep moving forward in my career.
Sarah would like to thank Grayson, who has sat providing (mostly) silent writing support
every day; Erica for being the greatest friend and security inspiration; and both Yuri and Jake
for being the best co-authors anyone could ever ask for. My many Microsoft colleagues who
have championed and supported me to get me to the role I am in today. There are many, but
in particular, my manager Kara and mentors Pen, Colleen, Shelly, Gary, Hany, Ping, Mark, Harry,
and Hana-San. My most special thanks are saved for my parents and grandparents, who gave
so much for my education, taught me the value of hard work and integrity, and continue to
support me in every way possible.
Jake thanks his wife, Jennifer, and four sons, Ryker, Mikey, Dylan, and Zach, for their love
and encouragement. To Yuri Diogenes: Without his leadership and drive, this book would
not have been possible. A big thank you to the leadership and my colleagues in the Microsoft
Defender Customer Acceleration Team, whose knowledge and mentorship shaped the content
in this book. To Moti, Raviv, and all friends and colleagues in the Israel Research and Develop-
ment Center, Redmond, and India Development Center at Microsoft for constantly innovating
to protect customers. A very special thank you to my parents, who taught me that hard work,
positive attitude, dedication, and kindness would lead to success.

XI
About the authors

Yuri Diogenes, MsC is a Master of science in cybersecurity intelligence and forensics inves-
tigation (UTICA College), and a Principal Program Manager in the Microsoft CxE ASC Team,
where he primarily helps customers onboard and deploy Azure Security Center and Azure
Defender as part of their security operations/incident response. Yuri has been working for
Microsoft since 2006 in different positions. He spent five years as senior support escalation
engineer on the CSS Forefront Edge Team, and from 2011 to 2017, he worked on the content
development team, where he also helped create the Azure Security Center content experience
since its GA launch in 2016. Yuri has published a total of 26 books, mostly covering information
security and Microsoft technologies. Yuri also holds an MBA and many IT/Security industry
certifications, such as CISSP, E C D, E CEH, E CSA, E CHFI, CompTIA Security , CySA , Cloud Es-
sentials Certified, Mobility , etwork , CASP, CyberSec First Responder, MCSE, and MCTS. ou
can follow Yuri on Twitter at @yuridiogenes.

Sarah Young is a senior program manager in the Azure Sentinel CxE team, where she works
with Microsoft customers to remove technical blockers for deployment. Having worked with
Azure Sentinel since it was announced at RSA 2019, Sarah has extensive knowledge of the plat-
form and has helped it develop and grow. Sarah is an experienced public speaker and has pre-
sented on a range of IT security and technology topics at industry events, both nationally and
internationally. She holds numerous industry ualifications, including CISSP, CCSP, CISM, and
Azure Solutions Architect. In 2019, Sarah won the Security Champion award at the Australian
Women in Security Awards. She is an active supporter of both local and international security
and cloud-native communities. You can follow Sarah on Twitter at @_sarahyo.

Jake Mowrer is a Principal Program Manager in the Microsoft 365 Defender Customer
Acceleration Team and a 25-year IT veteran. He helps some of the world’s largest companies
deploy Microsoft Defender for Endpoint and assists security operations teams with integrating
Microsoft 365 Defender into their existing processes. Jake’s deep knowledge in Microsoft De-
fender for Endpoint originated in 2016 when he was trained by Microsoft’s development team
in Herzliya, Israel, and he has since delivered technical sessions for private and public entities,
as well as at technical conferences around the world. In 2020, Jake founded IronSpire Internet
Security, a company focused on protecting homes and small businesses from cyber threats.
You can follow Jake on Twitter at @JakeMowrerMSFT and @IronspireS.

XIII
Introduction

The SC-200 exam deals with technologies that are relevant for Microsoft Security Operations
Analysts who collaborate with organizational stakeholders to secure information technology
systems for the organizations. This exam cover topics that will help to reduce organizational risk
by rapidly remediating active attacks in the environment, advising on improvements to threat
protection practices, and referring violations of organizational policies to appropriate stakehold-
ers. The exam also covers topics such as investigation and response for threats using Microsoft
Azure Sentinel, Azure Defender, Microsoft 365 Defender, and third-party security products.
This book covers every major topic area found on the exam, but it does not cover every
exam question. Only the Microsoft exam team has access to the exam questions, and Micro-
soft regularly adds new uestions to the exam, making it impossible to cover specific ues-
tions. You should consider this book a supplement to your relevant real-world experience and
other study materials. If you encounter a topic in this book that you do not feel completely
comfortable with, use the eed more review links you ll find in the text to find more infor-
mation and take the time to research and study the topic. Great information is available on
docs.microsoft.com, at MS Learn, and in blogs and forums.

Organization of this book

This book is organized by the “Skills measured” list published for the exam. The “Skills mea-
sured” list is available for each exam on the Microsoft Learning website: http://aka.ms/examlist.
Each chapter in this book corresponds to a major topic area in the list, and the technical tasks in
each topic area determine that chapter’s organization. If an exam covers six major topic areas,
for example, the book will contain six chapters.

Preparing for the exam

Microsoft certification exams are a great way to build your r sum and let the world know
about your level of expertise. Certification exams validate your on-the- ob experience and
product knowledge. Although there is no substitute for on-the-job experience, preparation
through study and hands-on practice can help you prepare for the exam. This book is not
designed to teach you new skills.

XV
 We recommend that you augment your exam preparation plan by using a combination of
available study materials and courses. For example, you might use the Exam Ref and another
study guide for your at home preparation and take a Microsoft Official Curriculum course
for the classroom experience. Choose the combination that you think works best for you.
Learn more about available classroom training and find free online courses and live events
at http://microsoft.com/learn. Microsoft Official Practice Tests are available for many exams at
http://aka.ms/practicetests.
Note that this Exam Ref is based on publicly available information about the exam and the
authors’ experience. To safeguard the integrity of the exam, authors do not have access to the
live exam.

Microsoft certification
Microsoft certifications distinguish you by proving your command of a broad set of skills and
experience with current Microsoft products and technologies. The exams and corresponding
certifications are developed to validate your mastery of critical competencies as you design
and develop, or implement and support, solutions with Microsoft products and technologies
both on-premises and in the cloud. Certification brings a variety of benefits to the individual
and to employers and organizations.

MORE INFO ALL MICROSOFT CERTIFICATIONS

For information about Microsoft certifications, including a full list of available certifications,
go to http://www.microsoft.com/learn.

Check back often to see what is new!

Errata, updates & book support

We’ve made every effort to ensure the accuracy of this book and its companion content. You
can access updates to this book—in the form of a list of submitted errata and their related
corrections—at:
MicrosoftPressStore.com/ExamRefSC200/errata
If you discover an error that is not already listed, please submit it to us at the same page.
For additional book support and information, please visit MicrosoftPressStore.com/Support.

xvi INTRODUCTION
 Please note that product support for Microsoft software and hardware is not offered
through the previous addresses. For help with Microsoft software or hardware, go to
http://support.microsoft.com.

Stay in touch
Let’s keep the conversation going! We’re on Twitter: http://twitter.com/MicrosoftPress.

INTRODUCTION XVII
CHAPTER 2

Mitigate threats using

Azure Defender
One critical component of any Security Operations Center (SOC) is the quality of the alert
that is received from a given data source. The quality of the alert can be measured by the
relevance of the information contained in the alert, how that alert reflects into the threat
vectors of a cloud workload, and how these indications can help security operation analysts
to investigate and respond to that alert. Azure Defender has different plans that offer threat
detections for specific workloads, based on analytics that were created specifically for the
threat vector of the workload’s type.
To mitigate threats using Azure Defender you must be able to design, configure, and
manage the different types of Azure Defender plans, manage rules, and understand how
to investigate and automate response.

Skills covered in this chapter:

■ Design and configure an Azure Defender implementation
■ Plan and implement the use of data connectors for ingestion of data in Azure Defender
■ Manage Azure Defender alert rules
■ Configure automation and remediation
■ Investigate Azure Defender alerts and incidents

Skill 2-1: Design and configure an Azure Defender

implementation
Before implementing Azure Defender it is important to understand the different design
considerations that will directly affect how you configure the solution based on the scenario s
re uirements. This section of the chapter covers the skills necessary to design and configure
Azure Defender implementation according to the SC-200 exam outline.

121
 Plan and configure Azure Defender settings, including
selecting target subscriptions and workspace
When planning to use Azure Defender, you must understand the requirements for the type of
plan that you want to implement. If you are planning the implementation of Azure Defender
for Servers, Azure Defender for Kubernetes, or Azure Defender for SQL Server on Machines,
you also need to consider the requirement to deploy the Log Analytics (LA) Agent to the
machines. By doing so, you will need to select the workspace to which the agent will send
the information.
Other Azure Defender plans that are based on other Azure Platform as a Service (PaaS)
offerings don t re uire a workspace configuration in the beginning. This includes plans such as
Azure Defender for Key Vault, Azure Defender for App Service, Azure Defender for Resource
Manager, Azure Defender for Storage, Azure Defender for Containers Registries, Azure De-
fender for SQL database, and Azure Defender for D S. ou will only need to configure a work-
space for these Azure Defender plans if you consider utilizing the continuous export capability
in Azure Security Center. This feature is often used in the following scenarios:
■ When the organization wants to store all alerts that are triggered by all Azure Defender
plans in the workspace because. By default, only VM-based alerts are stored in
the workspace.
■ When the organization wants to store all security recommendations or regulatory
compliance information in the workspace.
■ When the organization needs to send the alerts to a security information and event
management (SIEM) via Azure Event Hub.
When you first activate Azure Security Center, the auto-provisioning feature is not enabled.
However, if you want to ensure that all Ms are automatically configured to receive the LA
agent and send the data to the correct workspace, you should enable this option. When auto-
provisioning is enabled, and the Connect Azure VMs To The Default Workspace(s) Created
By Security Center option is selected, Security Center will automatically create and manage a
new workspace. Security Center creates a new resource group and a workspace (called default
workspace) in the same geolocation of the VM and connects the agent to that workspace. The
naming conventions for the default workspace and resource group are shown below:
■ Workspace DefaultWorkspace-[subscription-ID]-[geo]

■ Resource Group DefaultResourceGroup-[geo]

The fact that a default workspace is created according to the geolocation of the VM is an
advantage if your design requirements dictates that you need to ensure that the data sent
from the VM is stored in the same region as the VM’s location. Table 2-1 shows where the work-
space will reside according to the VM’s location:

122 CHAPTER 2 Mitigate threats using Azure Defender

TABLE 2-1 VM and workspace locations

VM Location Workspace Location

United States and Brazil United States

Canada Canada

Europe Europe

United Kingdom United Kingdom

East Asia and Southeast Asia Asia

Korea Korea

India India

Japan Japan

China China

Australia Australia

If your organization is already utilizing a Log Analytics workspace and it wants to leverage
the same workspace for Security Center, you should select the Connect Azure VMs To A
Different Workspace option and specify the workspace, which can be any workspace across
all selected subscriptions within the same tenant.
The general best practice for workspace creation is to keep it as minimal as possible, which
is not the case when you configure Security Center to manage the workspaces. When reading
a scenario in the SC-200 exam, take into consideration the business requirements as well as the
technical requirements. These requirements will lead you to select one of these two options:
■ You could use the default workspace, which can create a lot of workspaces according to
the regions where the company’s VMs reside
■ You could take a more centralized approach where all VMs across all subscriptions will
have to send data to a single workspace.

IMPORTANT BEST PRACTICES

If you plan to use the same workspace for Azure Sentinel and Azure Security Center, make
sure to read the best practices highlighted in this post: http://aka.ms/ascbooklawbp.

The actual steps to configure auto-provisioning and specify the workspace are provided
later in this chapter.

Skill 2-1 Design and configure an Azure Defender implementation CHAPTER 2 123
 Configure Azure Defender roles
Security Center uses Role-Cased Access Control (RBAC) based in Azure. By default, there are
two roles in Security Center: Security Reader and Security Admin. The Security Reader
role should be assigned to all users that need read access only to the dashboard. For example,
Security Operations personnel that needs to monitor, and respond to security alerts, should be
assigned the Security Reader role. It is important to mention that the assignment of this role is
done in the Azure level, under the resource group that Security Center is monitoring, and using
Access Control (IAM), as shown in Figure 2-1.

FIGURE 2-1 Access control in Azure

Workload owners usually need to manage a particular cloud workload and its related
resources. Besides that, the workload owner is responsible for implementing and maintaining
protections in accordance with company security policy. Security Admin role should be
assigned for users that need to manage Security Center configuration.
Only subscription Owners/Contributors and Security Admins can edit a security
policy. Only subscription and resource group Owners and Contributors can apply security
recommendations for a resource. To enable Azure Defender, you need Security Admin or
Subscription Owner privilege. To learn more about Role-Based Access Control (RBAC) in
Azure, visit http://aka.ms/azurerbac.

Custom roles
There will be some scenarios where the organization may want to provide a more granular
privilege for some users instead of granting access to the entire Security Admin access role.
Consider an organization called Contoso that needs to provide privilege to security opera-
tion analysts to simply visualize and create alert-suppression rules. In this case, the Security
Admin role provides more privileges than what is necessary. For scenarios like this, you can
create a custom role in Azure and assign write privilege to this operation: Microsoft.Security/
alertsSuppressionRules/write.

MORE INFO CREATING CUSTOM ROLES

To create custom roles, see http://aka.ms/SC200_CustomRole.

124 CHAPTER 2 Mitigate threats using Azure Defender

 Another common scenario is when an organization needs to create a custom role to allow
users to configure or edit the ust-in-time ( IT) M access. ou need a set of privileges to work
with JIT; these privileges will vary according to the type of operation that you need to perform
or that you want to allow a user to perform. You can be very granular about this permission
assignment by using these guidelines:
To configure or edit a IT policy for a M, you need to assign these actions to the role
■ On the scope of a subscription or resource group that is associated with the VM:
Microsoft.Security/locations/jitNetworkAccessPolicies/write.

■ On the scope of a subscription or resource group of VM: Microsoft.Compute/

virtualMachines/write.

To request access to a VM, you need to assign these actions to the user:
■ On the scope of a subscription or resource group that is associated with the VM:
Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action.

■ On the scope of a subscription or resource group that is associated with the VM:
Microsoft.Security/locations/jitNetworkAccessPolicies/*/read.

■ On the scope of a subscription or resource group or VM: Microsoft.Compute/

virtualMachines/read.

■ On the scope of a subscription or resource group or VM: Microsoft.Network/

networkInterfaces/*/read.

On the scope of a subscription, resource group, or VM that you need to read JIT policies, assign
these actions to the user:
■ Microsoft.Security/locations/jitNetworkAccessPolicies/read

■ Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action

■ Microsoft.Security/policies/read

■ Microsoft.Security/pricings/read

■ Microsoft.Compute/virtualMachines/read

■ Microsoft.Network/*/read

Also, if you need to see the JIT NSG policy from the VM—Networking blade, you need to add
the following policies:
■ Microsoft.Network/networkSecurityGroups/read

■ Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read

■ Microsoft.Network/networkSecurityGroups/securityRules/read

While the permissions above can be utilized to apply the principle of least privilege, keep in
mind that you will need to merge some permissions if you are accessing via the Azure portal.
For example, to configure or edit a IT policy for a M, you will need the privileges given and
the privileges to read JIT policies.

Skill 2-1 Design and configure an Azure Defender implementation CHAPTER 2 125
 Configure data retention policies
Azure Defender provides 500 MB per node, per day of free allowance for the data allocated in
the Log Analytics workspace against the following subsets of security data types:
■ WindowsEvent

■ SecurityAlert

■ SecurityBaseline

■ SecurityBaselineSummary

■ SecurityDetection

■ SecurityEvent

■ WindowsFirewall

■ MaliciousIPCommunication

■ LinuxAuditLog

■ SysmonEvent

■ ProtectionStatus

Update and UpdateSummary data types can be used when the Update Management solution
is not running on the workspace or when solution targeting is enabled.
If the workspace is in the legacy Per Node pricing tier, the Azure Defender and Log Analytics
allocations are combined and applied ointly to all billable ingested data. When you configure
Azure Defender to utilize a workspace, the data will be stored there is going to be available
for 30 days by default. However, you can configure data retention at the workspace level up
to 730 days (2 years) for all workspaces unless they are using the legacy free tier (for example,
when using Azure Security Center without upgrading to Azure Defender).

IMPORTANT AZURE MONITOR PRICING

When you choose to extend your data retention for the workspace used by Azure Defender,
extra charges will be applied as per Log Analytics workspace pricing. If the same workspace
is shared with Azure Sentinel, you get 0 days of data retention included. isit the Azure
Monitor pricing page for more information about the current pricing:
https://azure.microsoft.com/en-us/pricing/details/monitor/.
https://azure.microsoft.com/en-us/pricing/details/monitor/

Depending on the scenario that you are addressing, you might need to extend the data
retention to more than 30 days. Make sure to always review the business and technical require-
ments of the scenario for hints about data retention. Once you determine the data retention
goal, follow the steps below to configure data retention in Log Analytics workspace
1. Navigate to the Azure portal by opening https://portal.azure.com.
2. In the search bar, type log ana, and under Services, click Log Analytics Workspaces.
3. In the Log Analytics Workspaces dashboard, click the workspace for which you want
to configure data retention.

126 CHAPTER 2 Mitigate threats using Azure Defender

4. In the left navigation pane, in the General section, click Usage And Estimated Costs.
The Usage And Estimated Costs page appears, as shown in Figure 2-2.

FIGURE 2-2 Log Analytics workspace usage and cost

5. Click the Data Retention button, and the Data Retention blade appears, as shown in
Figure 2-3.

FIGURE 2-3 Configuring data retention for the Log Analytics workspace

Skill 2-1 Design and configure an Azure Defender implementation CHAPTER 2 127
 6. You can use the Data Retention (Days) slider to increase the number of days that you
want to retain the data. Once you finish, click the OK button to commit the changes.
ou can also utilize an Azure Resource Manager (ARM) template to configure data reten-
tion by using the retentionInDays parameter. The advantage of using an ARM template for
this operation is that you can apply in scale, and you can also customize other parameters.
For example, if the scenario requires that you set the data retention to 30 days and trigger an
immediate purge of older data, you can do that by using the immediatePurgeDataOn30Days
parameter, which eliminates the grace period. This configuration could also be useful for
compliance-related scenarios where immediate data removal is mandatory.
While the extension of the data retention policy for the entire workspace is usually the most
common scenario, there are some situations that you might need to change the data retention
based on a specific data type. Retention settings for individual data types are available from
4 to 730 days (except for workspaces in the legacy free tier). These settings will override the
workspace-level default retention. You will also need to use ARM to change this setting. In the
example below, the data retention for the SecurityEvent data type is being changed to 550 days:
PUT /subscriptions/00000000-0000-0000-0000-00000000000/resourceGroups/
MyResourceGroupName/providers/Microsoft.OperationalInsights/workspaces/MyWorkspaceName/
Tables/SecurityEvent?api-version=2017-04-26-preview
{
"properties":
{
"retentionInDays": 550
}
}

EXAM TIP
When evaluating a scenario in the SC-200 exam, look for business requirements that lead
to cost savings on data. Changing data retention only in certain data types can be used to
reduce overall costs for data retention.

Assess and recommend cloud workload protection

As enterprises start their ourneys to the cloud, they will face many challenges as they adapt
their on-premises tools to a cloud-based model. In a cloud environment where there are
different workloads to manage, it becomes imperative to have ongoing verification and cor-
rective actions to ensure that the security posture of those workloads is always at the highest
possible quality.
Security Center has a variety of capabilities that can be used in two categories of cloud solutions:
■ Cloud Security Posture Management (CSPM) This enables organizations to assess
their cloud infrastructure to ensure compliance with industry regulations and identify
security vulnerabilities in their cloud workloads.

128 CHAPTER 2 Mitigate threats using Azure Defender

 ■ Cloud Workload Protection Platform (CWPP) This enables organizations to assess
their cloud workload risks and detect threats against their servers (IaaS), containers,
databases (PaaS), and storage. It also allows organizations to identity faulty configura-
tions and remediate those with security best-practice configurations. To use the CWPP
capabilities, you need to upgrade to Azure Defender.
With an Azure subscription, you can activate the free tier of Security Center, which monitors
compute, network, storage, and application resources in Azure. It also provides security policy,
security assessment, security recommendations, and the ability to connect with other security
partner solutions.
Even organizations that are getting started with Infrastructure as a Service (IaaS) in Azure
can benefit from this free service because it will improve their security postures. When you
upgrade your Security Center subscription from the free tier to Azure Defender, the Azure
Defender for Servers will be automatically enabled. With this plan, the following features will
be available:
■ Security event collection and advanced search
■ Network Map
■ Just-in-time VM Access
■ Adaptive application controls
■ Regulatory compliance reports
■ File integrity monitoring
■ Network Security Group (NSG) hardening
■ Security alerts
■ Threat protection for Azure VMs, non-Azure VMs, and PaaS services
■ Integration with Microsoft Defender for Endpoint (MDE)
■ Integration with Microsoft Cloud App Security (MCAS)
■ Multi-cloud support for Amazon Web Services (AWS) and Google Cloud Platform (GCP)
■ Vulnerability assessment integration with Qualys
Another advantage of upgrading to Azure Defender is that it allows you to monitor on-
premises resources and VMs hosted by other cloud providers. You achieve this by onboarding
your machine using Azure Arc and then installing the Log Analytics agent on the target machine.

Assessment and recommendations

Security Center will identify resources (compute, network, storage, identity, and application)
that need security recommendations and will automatically suggest changes. You can see all
recommendations in a single place, which is available under General > Recommendations.
There, you can see security controls, as shown in Figure 2-4.

Skill 2-1 Design and configure an Azure Defender implementation CHAPTER 2 129
 FIGURE 2-4 Security recommendations in Azure Security Center

During this initial assessment, Azure Security Center will also identify which workloads are
available in the subscription. Also, it will suggest enabling the different Azure Defender plans
for cloud workload protection. All plans will be part of the Azure Defender security control, as
shown in Figure 2-5.

FIGURE 2-5 Enable Azure Defender security control

130 CHAPTER 2 Mitigate threats using Azure Defender

Enabling Azure Defender
To enable Azure Defender, you can click each recommendation and follow the remediation
steps, go to the Price & Settings option in the left navigation pane, select the subscription,
and select the plans you want to utilize. To review the pricing selection, click the Price & Set-
tings option in the left navigation pane, and under Management, click the subscription on
which you want to enable Azure Defender. The Azure Defender plans page will appear, as
shown in Figure 2-6.

FIGURE 2-6 Pricing page showing the different Azure Defender plans

On this page, you can change the toggle to ON or OFF, where ON means that the Azure De-
fender plan is enabled on the selected subscription. While most of the Azure Defender plans can
only be enabled on the subscription level, there are a couple that can be enabled individually:
■ Azure Defender for SQL (Azure SQL Database)
■ Azure Defender for Storage (Storage)
In both cases, you can toggle these to the OFF setting on this page, and you can go to each
Azure SQL database or each Azure Storage account and enable Azure Defender from there.
You might do this if the business requirement is to save cost by only enabling Azure Defender
for SQL or Azure Defender for Storage on a company’s most critical assets, rather than enabling
them for the entire subscription.
Make sure to analyze the business requirements that will guide you when deciding whether
to disable it at the subscription level and enable it on each resource. If you need to enable
Azure Defender in scale, you can also use ARM Templates or Azure Policy.

Skill 2-1 Design and configure an Azure Defender implementation CHAPTER 2 131
 Skill 2-2: Plan and implement the use of data connectors
for ingestion of data sources in Azure Defender
When you upgrade from Azure Security Center to Azure Defender, you can start monitoring
the security posture of different cloud providers, including Amazon Web Service (AWS) and
Google Cloud Platform (GCP). Ingesting data from these platforms is a mandatory step when
you need to have visibility across different workloads located in multiple cloud providers. This
section covers the skills necessary to plan and implement the use of data connectors for inges-
tion of data sources in Azure Defender according to the SC-200 exam outline.

Identify data sources to be ingested for Azure Defender

Azure Defender supports the integration of partner security solutions, such as vulnerability
assessment by Qualys and Rapid7. It can also integrate with the Microsoft Azure Web Applica-
tion Firewall on the Azure Application Gateway. The advantage of using this integration varies
according to the solution. For vulnerability assessment, the agent can be provisioned using the
license you already have for the product (Qualys or Rapid7). Follow these steps to access the
Security Solutions dashboard:
1. Navigate to the Azure portal by opening https://portal.azure.com.
2. In the search bar, type security, and under Services, click Security Center.
3. In Security Center main dashboard, in the Management section, click Security Solu-
tions. The Security Solutions page appears, as shown in Figure 2-7.

FIGURE 2-7 Security Solutions page with the connected solutions and available data sources

132 CHAPTER 2 Mitigate threats using Azure Defender

 The Connected Solutions section is populated according to the solutions that were already
deployed. The deployment of the solution will vary according to the vendor. For vulnerability
assessment, you will deploy the agent based on the Azure Security Center recommendation
indicating that your machine is missing a vulnerability assessment. The Add Data Source sec-
tion of this page allows you to:
■ Onboard a non-Azure machine In this scenario, you will need to select the work-
space in which the Log Analytics (LA) agent will report to, Then you will need to obtain
the workspace ID and key, deploy the agent to the server, and configure it to use the
workspace ID and key based on your workspace’s selection.
■ Connect to a SIEM platform In this scenario, you need to configure an Azure Event
Hub, stream the data from Azure Defender to this Event Hub, and configure the SIEM
to obtain the info from the Event Hub using a SIEM connector. The SIEM connector will
vary according to the supported vendor (Splunk, ArcSight, QRadar, or Palo Alto). Keep
in mind that you don’t need to use an Event Hub if you are connecting Azure Defender
with Azure Sentinel. In this case, you ust need to use the Azure Defender connector in
Azure Sentinel.
■ Azure Web Application Firewall (WAF) In this scenario, the goal is to surface the
Azure WAF logs in the Azure Defender Security Alerts Dashboard. Note that this inte-
gration only works for WAF v1.

Configure automated onboarding for Azure resources and

data collection
PaaS-related resources in Azure don’t require an agent to work, which means that as long as
you have the Azure Defender plan enabled on the subscription level, the subsequential re-
sources will automatically have Azure Defender enabled on them. For example, if the technical
requirement is to have Azure Defender for Storage enabled on all existing and new storage
accounts, you ust need to enable Azure Defender for Storage at the subscription level.
As mentioned earlier in this chapter, when dealing with Azure VMs (IaaS scenario), you will
need to install the LA Agent. For Azure VMs, this agent can be auto-provisioned based on the
auto-provisioning settings that were configured at the subscription level. To change these set-
tings, follow these steps:
1. Open Azure portal and sign in with a user who has Security Admin privileges.
2. In the left navigation menu, click Security Center.
3. In the Security Center’s left navigation menu, under Management, click the Pricing &
Settings option.
4. Click the subscription for which you want to review the auto-provisioning settings.
5. In the Settings section on the left, click Auto Provisioning. The Auto Provisioning
settings appear, as shown in Figure 2-8.

Skill 2-2: Plan and implement the use of data connectors CHAPTER 2 133
 FIGURE 2- Auto Provisioning settings in Security Center

6. In the Configuration section for the Log Analytics Agent For Azure VMs, click Edit
Configuration.
7. In the Extension Deployment Configuration blade shown in Figure 2-9, the default
setting, Connect Azure VMs To The Default Workspace(s) Created By Security
Center, allows Security Center to manage the workspace. Use this option if you can
select another workspace to be used by Security Center. This is the preferred option
when you have multiple subscriptions and want to centralize the workspace.

FIGURE 2- Options to control the workspace and data collection

134 CHAPTER 2 Mitigate threats using Azure Defender

 NOTE AUTO-PROVISIONING AGENT ON VMSS AND KUBERNETES
At the time that this book was written, the Auto-Provisioning agent was not available for
M Scale Set MSS and Azure ubernetes. To install the agent on those services, you need
to configure an Azure Policy to deploy it.

In the Store Additional Raw Data section, you can configure the level of data collection
granularity for Windows systems. Each setting will determine the type of events that will be
collected. If you are using a Group Policy Ob ect (GPO) to configure your servers where the
agent will be installed, we recommended that you enable the Process Creation Event 4688
audit policy and the CommandLine field inside event 4688. Audit Process Creation determines
whether the operating system generates audit events when a process is created (starts). Infor-
mation includes the name of the program or the user who created the process. Following is a
summary of what each option collects:
■ All Events If you select this option, all security events will be stored in your workspace.
■ Common When you select this option, only a subset of events will be stored in your
workspace. Microsoft considers these events—including login and logout events—to
provide sufficient detail to represent a reasonable audit trail. Other events, such as
Kerberos operations, security group changes, and more, are included based on industry
consensus as to what constitutes a full audit trail.
■ Minimal Choosing this setting results in the storage of fewer events than the Com-
mon setting, although we aren’t sure how many fewer events or what types of events
are omitted. Microsoft worked with customers to ensure that this configuration surfaces
enough events that successful breaches are detected and that important low-volume
events are recorded. However, logout events aren’t recorded, so it doesn’t support a
full user audit trail.
■ None This option disables security event storage.
To enable data collection for Adaptive Application Controls, Security Center configures a
local AppLocker policy in Audit mode to allow all applications. This will cause AppLocker to
generate events that are then collected and stored in your workspace. It is important to note
that this policy will not be configured on any machines on which there is already a configured
AppLocker policy. To collect Windows Filtering Platform Event ID 5156, you need to enable
the Audit Filtering Platform Connection: Auditpol /set /subcategory:"Filtering Platform
Connection" /Success:Enable.

MORE INFO WINDOWS EVENT ID

For details about the event ID that is collected for Windows, see http://aka.ms/ascdatacollection.

Skill 2-2: Plan and implement the use of data connectors CHAPTER 2 135
 Connect on-premises computers
As explained previously, VMs that are in Azure will be provisioned automatically, which means
that the monitoring agent will be automatically installed. If you need to onboard on-premises
computers, you will need to install the agent manually. Follow the steps below to onboard
non-Azure computers or VMs:
1. Open Azure portal and sign in with a user who has Security Admin privileges.
2. In the left navigation menu, click Security Center.
3. In the Security Center’s left navigation menu, under General, click the Getting Started
option and click the Get Started tab.
4. Under Add Non-Azure Computers, click the Configure button, as shown in Figure 2-10.

FIGURE 2-10 Option to onboard non-Azure computers

5. In the Add New Non-Azure Computers blade, select the workspace in which you want
to store the data from these computers, and before onboarding any computer, make sure
to click Upgrade to upgrade the Workspace to Azure Defender, as shown in Figure 2-11.

FIGURE 2-11 Upgrading the workspace to Azure Defender

136 CHAPTER 2 Mitigate threats using Azure Defender

6. If the Upgrade button did not change to + Add Servers, click the Refresh button, and
you should see the + Add Servers button, as shown in Figure 2-12. Click Add Servers
to proceed.

FIGURE 2-12 Adding servers to the workspace

7. Once you click the + Add Servers button, the Agents Management page appears,
as shown in Figure 2-13.

FIGURE 2-13 Agents Management

8. On this page, click the appropriate Windows agent (64-bit or 32-bit version). If you are
installing the agent on a Linux operating system, click the Linux Servers tab and follow
the instructions from there. Make sure to copy the Workspace ID and Primary Key
values to the clipboard; you will need those values when installing the agent on the
target system.

Skill 2-2: Plan and implement the use of data connectors CHAPTER 2 137
 9. When you finish downloading it, you can close the Security Center dashboard (close
your browser) and copy the agent installation file to a shared network location where
the client can access it.
For this example, the agent installation will be done on an on-premises Windows Server
2016 computer, though the same set of procedures apply to a non-Azure VM located in a
different cloud provider. Log in on the target system and follow the steps below to perform
the installation:
1. Double-click in the MMASetup-AMD64.exe file, and if the Open File—Security Warning
dialog appears, click Run.
2. If the User Access Control dialog appears, click Yes.
3. On the Welcome To The Microsoft Monitoring Agent Setup Wizard page, click Next.
4. Read the Microsoft License Terms and click I Agree.
5. In the Destination Folder page, leave the default selection and click Next. The Agent
Setup Options page appears, as shown in Figure 2-14.

FIGURE 2-14 Selecting the target service

6. Select Connect The Agent To Azure Log Analytics (OMS), as shown in Figure 2-14,
and click Next. The Azure Log Analytics page appears, as shown in Figure 2-15.
7. On this page, you need to enter the Workspace ID and Workspace Key that were
obtained in step 8 of the previous procedure. Notice that the primary key should be
entered in the Workspace Key field. If this computer is behind a proxy server, you need
to click the Advanced button and provide the Proxy URL and authentication if needed.
Once you finish filling in these options, click Next.

138 CHAPTER 2 Mitigate threats using Azure Defender

 FIGURE 2-15 Providing the workspace ID and primary key

8. On the Microsoft Update page, select Use Microsoft Update For Updates
(Recommended) and click Next.
9. On the Ready To Install page, review the summary field and click Install.
10. The Installing The Microsoft Monitoring Agent page appears, and the installation
proceeds.
11. Once the installation is finished, the Microsoft Monitoring Agent Configuration
Completed Successfully page appears. Click Finish.
You can also perform this installation using the command-line interface (CLI). Use the
following code:
MMASetup-AMD64.exe /Q:A /R:N /C:"setup.exe /qn ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_
WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID=<yourworkspaceID> OPINSIGHTS_
WORKSPACE_KEY=<yourworkspaceprimarykey> AcceptEndUserLicenseAgreement=1"

Most of the parameters that you saw in the agent installation are self-explanatory. The only
one that isn’t immediately obvious is the OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE parameter,
which is the cloud environment specification. The default is 0, which represents the Azure com-
mercial cloud. You should only use 1 if you are installing the agent in an Azure government cloud.
It can take some time for this new non-Azure computer to appear in Security Center. If you
want to validate the connectivity between this computer and the workspace, you can use the
TestCloudConnection tool. On the target computer, open the command prompt and navi-
gate to the \Program Files\Microsoft Monitoring Agent\Agent folder. From there, execute
the TestCloudConnection.exe command, and if the connectivity is working properly, you
should see all tests followed by this message: Connectivity test passed for all hosts for
workspace id <workspace id>.

Skill 2-2: Plan and implement the use of data connectors CHAPTER 2 139
 Connect AWS cloud resources
For Azure Defender to connect with AWS, the target AWS account must have AWS Security
Hub enabled on it. AWS Security Hub has a cost associated to it, which varies according to the
number of accounts and regions where it is enabled.
Once the AWS connector is operational, you will start seeing security recommendations for
AWS appearing in the Security Center Recommendations Dashboard. However, before config-
uring the AWS connector, you will need to: do the following:
1. Configure AWS Security Hub in the target account
■ Enable AWS Config with the console.
■ Enable AWS Security Hub and confirm that there is data flowing to it.
2. Configure AWS authentication, which can be by creating these roles
■ An IAM role for Security Center
■ An AWS user for Security Center
3. Regardless of the authentication method you selected previously, make sure that this
role/user has the following permissions policies:
■ SecurityAudit

■ AmazonSSMAutomationRole

■ AWSSecurityHubReadOnlyAccess

4. When configuring the Account ID in AWS, make sure to use this Microsoft Account ID
158177204117.

With those steps in place, you are ready to configure the Cloud Connector. If you also want
to onboard servers that are in AWS, you will need to ensure that the following three tasks are
done before configuring the cloud connector in Azure Defender
1. Install the AWS Systems Manager on your Servers (EC2 instance) that reside in AWS.
For instructions, see http://aka.ms/ascbookaws.
2. Configure this Server (EC2 Instance) to use Azure Arc. For instructions, see
http://aka.ms/ascbookarc.
3. In Azure, make sure to create a service principal that will be used for Azure Arc. To con-
figure that service principal, follow the steps from this article http://aka.ms/ascbookspn.
ow that all prere uisites are fulfilled, you can follow the steps below to start the configura-
tion of the AWS connector in Security Center:
1. Open Azure portal and sign in with a user who has ownership privileges in the subscription.
2. In the left navigation menu, click Security Center.

140 CHAPTER 2 Mitigate threats using Azure Defender

3. In the Security Center’s left navigation menu, under Management, click the Cloud
Connectors option and click the Connect AWS Account button. The Connect AWS
Account page appears, as shown in Figure 2-16.

FIGURE 2-16 Connect AWS Account

4. In the Basics section, type a Display Name for the connector and select the appropri-
ate Subscription from the drop-down menu.
5. In the AWS Authentication section, use the appropriate method (Assume Role if you
created a role or Credentials if you created a user). Assuming that you created a role,
the AWS Role ARN must be provided. This number is located in the summary of the
role you created in AWS. Click the Next: Azure Arc Configuration button, and the
Azure Arc Configuration tab appears, as shown in Figure 2-17.

Skill 2-2: Plan and implement the use of data connectors CHAPTER 2 141
 FIGURE 2-17 Configuring Azure Arc settings

6. Select the Resource Group and Region.

7. In the Authentication section, you need to provide the Service Principal Client ID
and the Service Principal Client Secret.
8. Click the Review + Create button and complete this operation.
9. Once you finish, you will see the connector, as shown in Figure 2-18.

FIGURE 2-1 AWS connector configured

142 CHAPTER 2 Mitigate threats using Azure Defender

 After some time, you will be able to see recommendations for your AWS account. In the
search box, you can type AWS, and you will see all AWS-related recommendations, as shown
in Figure 2-19.

FIGURE 2-1 AWS-related recommendations

At this point, your Azure Arc machines will be discovered, but you still need to install the
Log Analytics agent on those machines. There is a specific recommendation for that, as shown
in Figure 2-20.

FIGURE 2-20 Recommendation to install the Log Analytics agent on the Azure Arc machine

You can leverage the Quick Fix feature to deploy the agent to this Azure Arc machine
uickly. ou ust need to select the server and click the Remediate button. As mentioned in
the freshness interval description, it might take 24 hours for this remediation to take effect.

Connect GCP cloud resources

For Azure Defender to connect with GCP, the target GCP account must have Google Security
Command Center. Google Security Command Center has two pricing tiers: Standard (free) and
Premium (paid). The free tier includes 12 recommendations, and the premium tier includes
about 120 recommendations.

Skill 2-2: Plan and implement the use of data connectors CHAPTER 2 143
 When connecting your GCP accounts to specific Azure subscriptions, you need to take into
consideration the Google Cloud resource hierarchy. Based on this hierarchy, you can
■ Connect your GCP accounts to ASC at the organization level
■ Connect multiple organizations to one Azure subscription
■ Connect multiple organizations to multiple Azure subscriptions

IMPORTANT ALL PROJECTS ADDED

When you connect an organization, all pro ects within that organization are added to
Security Center.

Now that you understand the prerequisites, you will need to prepare the settings on GCP prior
to deploy the GCP Connector in Azure Defender. Perform the following operations in GCP:
■ Configure GCP Security Command Center.
■ Enable Security Health Analytics.
■ Enable GCP Security Command Center API.
■ Create a dedicated service account for the security configuration integration.
■ Create a private key for the dedicated service account.
With all prere uisites fulfilled, you can follow the steps below to start the configuration of
the GCP connector in Azure Defender:
1. Open Azure portal and sign in with a user who has ownership privileges in the
subscription.
2. In the left navigation menu, click Security Center.
3. In the Security Center’s left navigation menu, under Management, click the Cloud
Connectors option and click the Add AWS account button. The Connect AWS
Account page appears, as shown in Figure 2-21.

FIGURE 2-21 Connect GCP Account

4. In the Display Name field, type a name for this connector.

5. In the Subscription drop-down menu, select the Azure subscription that you want to
connect with (where the GCP recommendations will appear).

144 CHAPTER 2 Mitigate threats using Azure Defender

 6. In the Organization ID field, type your GCP organization ID.
7. In the GCP Private Key File field, browse to the SO file you created in GCP.
8. Click Next: Review And Generate, and in the Review And Generate tab, commit
the changes.
The security recommendations for your GCP resources will appear in the Security Center
Recommendations Dashboard and in the regulatory compliance dashboard between 5 and
10 minutes after the onboard process is completed. To view only the GCP recommendations,
you can also change the Environment filter in the security Recommendations Dashboard to
filter for GCP only, as shown in Figure 2-22.

FIGURE 2-22 GCP recommendations

At this point, the onboarding process for VMs located in GCP is similar to AWS. The only dif-
ference is that in AWS, the auto-discovery of Ms happens as part of the connector s configu-
ration (Arc parameters); in GCP, you will have to onboard manually (install Azure Arc on each
VM and the LA agent).

EXAM TIP
When studying for the SC-200 exam, make sure you know the exact order of operations that
must be done in AWS and CP before going to Azure Defender to configure the connectors.

Skill 2-3: Manage Azure Defender alert rules

For the Security Operations Center (SOC) to be effective, it needs to have high-level, qual-
ity data to be analyzed. For some workloads, the ingestion of raw data is desirable. However,
over time, SOC Analysts became too busy rationalizing the raw data to identify indications of
compromise. When using Azure Defender, you will take advantage of a high-level, quality alert
that already provides the needed information about an attack and how to respond to it. This
section of the chapter covers the skills necessary to manage Azure Defender alert rules accord-
ing to the Exam SC-200 outline.

Skill 2-3: Manage Azure Defender alert rules CHAPTER 2 145

Index

A creating, 231
cross-workspace, 257
Action Center, 39
customizing and optimizing, 225, 241–242
Active Directory (AD). See Azure Active Directory
versus hunting queries, 277
(AD)
Microsoft security, 227–229
Active Directory Domain Services threats, 95–99
triage incidents, 254
AD (Active Directory). See Azure Active
Directory (AD) Anomaly rules, Azure Sentinel, 221

Security Reader role, 44 anti-phishing policies

Advanced Hunting, custom detection rules, 71–78 configuring, 15–24

ADX (Azure Data Explorer), 195 impersonation protection, 14

AKS (Azure Defender for Azure Kubernetes), phishing thresholds, 15

165–166 App Service, Azure Defender for, 166–167
alert API, creating, 70 ARM (Azure Resource Manager) templates,
alerts 163–164, 171–172, 246

investigating and remediating, 35–40 attachments. See malicious attachments

responding to, 55–70 attack simulation training, 24–30

viewing on Timeline tab, 255 automated message, configuring, 160

Amazon Web Service (AWS), 132, 140–143 automated response

AML (Azure Machine Learning) workspace, ARM (Azure Resource Manager) template,
298–299 163–164

Analytics Rule Wizard, 293, 295 configuring in Azure Security Center, 154–156

analytics rules Automation page, Azure Sentinel, 237

attaching Playbooks to, 242 Auto-Provisioning agent, 135

converting hunting queries to, 292–295 AWS (Amazon Web Service), 132, 140–143

converting Livestream to, 292–294

303
Azure Active Directory (AD)

Azure Active Directory (AD) data collection and resources, 133–135

data connector, 201 data retention policies, 126–128
Identity Protection, 89–95 data sources for ingestion, 132–133
identity protection notifications, 92 for DNS, 171–172
identity protection policies, 95 enabling, 131
identity protection risks, 89–95 enabling security control, 130
MFA (multifactor authentication), 92–95 JIT (just-in-time) access feature, 181
risk policies, 92–95 for Key Vault, 170–171
Risky Sign-Ins, 90 Key Vault alerts, 179–180
risky users, 91 Log Analytics workspace, 127
role-based access control, 43 monitor pricing, 126
Security Reader role, 44 PaaS-related resources, 133
Sign-in Analysis workbook, 272 planning and configuring settings, 122–123
Sign-In Risk Policy, 94 playbooks, 156–161
User Risk Policy, 94 Pricing page for plans, 131
users at risk alerts, 91–92 recommendations, 161–163
Azure Activity data connector, 201–202 remediating incidents, 161–163
Azure Data Explorer (ADX), 195 resources and data collection, 133–135
Azure Defender retention policies, 126–128
access control, 124 roles, 124–125
accessing security contact data, 181 security alerts, 173–175
adding servers to workspace, 137 security incidents, 175–177
Agents Management, 137 Security Solutions page, 132
alert types for workloads, 164–173 for SQL, 169–170
for App Service, 166–167 for Storage, 167–168
best practices, 123 Take Action tab, 163
CLI (command-line interface) for installation, 139 target subscriptions and workspace, 122–123
Cloud Connector, 140–143 threat intelligence, 178–179
cloud workload protection, 128–130 user data discovered in investigations, 181
connecting AWS cloud resources, 140–143 VM and workspace locations, 123
connecting GCP cloud resources, 143–145 workspace control, 134
connecting on-premises computers, 136–140 workspace ID and primary key, 139

304
 Azure Sentinel

Azure Defender alert rules Azure Sentinel. See also SOAR (security
setting up email notifications, 150–151 orchestration, automation, and response)

suppression, 151–153 Access Control (IAM) for resource group, 191

validating alert configuration, 146–150 advanced visualizations, 269–271

Azure Defender for Azure Kubernetes (AKS), alerting and remediation, 237
165–166 Analytic Templates, 230
Azure Defender for Servers analytics rules, 220–227, 231
Kubernetes, 165–166 automation scenarios, 236–237
Linux, 165 and Azure Lighthouse, 187–188
Windows, 164–165 CEF and Syslog event collections, 202–205
Azure Lighthouse, 187–188 charts, 270
Azure Log Analytics, custom logs, 214–215 commitment tiers, 189
Azure Logic Apps connector-provided scheduled queries,
automation, 157–161 229–230

connector list, 236 Contributor rule, 190

custom log ingestion, 215–220 custom scheduled queries, 230–231

security incident remediation, 242–243 data analysis, 272–274

signing in to Azure Sentinel, 239 data connectors, 199–202

template deployment, 248 Data Connectors gallery, 197

Azure Machine Learning (ML) workspace, 298–299 data retention, 193

Azure Monitor, 193, 215 Data Retention settings, 194

Azure Monitor HTTP Data Collector API, 215 data sources, 195–199

Azure portal data storage, 193–195

Analytics page, 221 design considerations, 188–189

Auto Provisioning settings, 134 email connectors, 240

navigating to, 126 Entity Behavior page, 259–260

Resource Groups page, 191 EPS (events per second), 205

Azure Resource Manager (ARM) templates, Event IDS, 211

163–164, 171–172, 246 free data sources, 199
Azure Security Center GitHub repository, 243, 245
configuring automated response, 154–156 graphs, 271
Security recommendations, 130 grids, 271
Azure Security Insights, 249 guest users assigning incidents, 195

305
Azure Sentinel

Azure Sentinel (continued) tiles, 271

incident creation logic, 231 tracking incident metrics, 274–276
incidents, 249–257 triage incidents, 254–255
investigating incidents, 249–254 UEBA (user and entity behavior analytics),
investigation graphs, 251–253 257–261

KQL (Kusto Query Language), 232–235 IN USE analytic rules, 230

Livestream, 281–284 viewing and analyzing data, 272–274

and Log Analytics, 186 visualizations, 269–271

Log Analytics workspace, 189, 194 Windows Events collections, 205–211

lookback windows, 226 workbooks, 195, 262–269, 272–274

Microsoft Graph Security API, 198 workspace, 186–190, 196

multi-workspace incidents, 256–257 Azure Sentinel portal. See also threats

Outlook account, 240 custom hunting queries, 277–279

Overview page, 197 hunting bookmarks for data investigations,

288–292
permissions, 190–192
hunting queries and analytics rules, 292–295
permissions and built-in roles, 196
hunting with notebooks, 295–300
Playbooks, 195, 236–249
Livestream for hunting queries, 281–284
pricing calculator, 193
monitoring hunting queries, 281–284
query results and bookmarks, 284–288
running hunting queries, 279–280
Reader rule, 190
tracking queries with bookmarks, 284–288
Responder rule, 190
Azure WAF (Web Application Firewall), 133
responding to incidents, 255–256
Azure Web Application Firewall (WAF), 133
roles, 190–192
Azure Windows Virtual Machines, Windows
rules and data sources, 223
security event collection, 206–207
scheduled queries, 230–231
Security Events connector, 205
security operations efficiency workbooks, B
274–276
bookmarks. See also hunting bookmarks
service security, 195–196
adding to incidents, 288–290
signing in from Logic App designer, 239
exploring in investigation graph, 291–292
Syslog and CEF event collections, 202–205
promoting, 289–290
threat detection, 224–227
tracking query results, 284–288
threat intelligence connectors, 211–214

306
 EPS (events per second), Azure Sentinel

C CSPM (Cloud Security Posture Management), 128

custom logs, 214–220. See also Log Analytics
CASB (Cloud App Security Broker), 99
CWPP (Cloud Workload Protection Platform), 129
CEF and Syslog event collections, 202–205
cybersecurity awareness program, 24
charts, Azure Sentinel workbook, 270
Cloud App Security Broker (CASB), 99
cloud applications, 104 D
Cloud Connector, configuring, 140–143
data connector vs. Logic App connector, 218
Cloud Security Posture Management (CSPM), 128
data investigations, hunting bookmarks, 288–292.
Cloud Workload Protection Platform (CWPP), 129 See also investigation graphs
“collection is not detection,” 198 data loss prevention (DLP) alerts, 32–34
cost savings, looking for, 128 data protection, 30–35
Count operator, KQL, 233 Detection Rule wizard, creating, 74
credential harvesting website, 3 detections, customizing, 70–81
cross-domain incidents devices, Microsoft products for, 104
Add file has indicator, 116 DLP (data loss prevention) alerts, 32–34
Add URL/Domain Indicator, 115
Alerts view, 109
Devices tab, 108 E
Email Actions, 113 EDR (Endpoint Detection and Response), 53
email and collaboration explorer query tool, 113 email. See also spear fishing email
examining, 214–214 and Office documents, 104
File page, 116 protecting, 3
hunting query editor, 112 email alert Playbook, 237–241
Impossible Travel Activity alert, 110 email connectors, Azure Sentinel, 240
Inbox mail forwarding rule, 110 email notifications, Azure Defender alert rules,
Incident page, 108 150–151

Manage Incident, 117 Endpoint Detection and Response (EDR), 53.

See also Microsoft Defender for Endpoint
managing, 106–118
enrichment
Suspend User, 108
automation in Azure Sentinel, 237
Suspicious PowerShell Command Line alert, 111
triage incidents, 255
Threat analytics, 106–107
EOP (Exchange Online Protection), 14
URL page, 114
EPS (events per second), Azure Sentinel, 205
cross-workspace analytics rules, 257

307
event ID, collection for Windows

event ID, collection for Windows, 135

H
Event IDS, Azure Sentinel, 211
HTTP Data Collector API, 214–215
Exam Tips
hunting bookmarks, 288–292. See also bookmarks
Azure Sentinel, 256
hunting queries. See also notebooks; queries
cost savings on data, 128
converting to analytics rules, 292–295
custom workbooks, 266
customizing, 277–279
data connectors for Azure Sentinel, 198
monitoring using Livestream, 281–284
file activity store in cloud apps, 103
results on Logs page, 286
KQL queries, 232
running manually, 279–280
metrics for SOC managers and KPIs, 276
remediation activities and exceptions, 83
remediation ideas, 243 I
rights to endpoint data, 47
identity threats, identifying and responding to,
Security Operations Efficiency workbook, 275 89–95. See also Microsoft Defender for Identity
UEBA (user and entity behavior analytics), 261 impersonation protection, anti-phishing
Visualizations Demo workbook, 270 policies, 14
workbooks and KQL queries, 268 incident tab, posting comments on, 256
exceptions, creating and viewing, 88–89 incidents
Exchange Online Protection (EOP), 14 adding bookmarks, 288–290
Extend operator, KQL, 233 Azure Sentinel, 249–257
investigating and remediating, 35–37, 40
managing with Playbooks, 243–244
F multi-workspace, 256–257
Fusion rules, Azure Sentinel, 221 remediating, 161–163
responding to, 55–70
tracking metrics, 274–276
G indicators, creating, 81
GCP (Google Cloud Platform), 132, 143–145 Indicators of compromise (IOCs), 78–79
GDPR (General Data Protection Regulation), 181 insider risk, 34–35. See also risk management
General Data Protection Regulation (GDPR), 181 investigation graphs, 251–253, 291–292. See also
GitHub repository, 71 data investigations
Google Cloud Platform (GCP), 132, 143–145 IOCs (Indicators of compromise), 78–79,
graphs, Azure Sentinel workbook, 271 211–212, 214
grids, Azure Sentinel workbook, 271

308
 Microsoft 365 Defender Security portal

J queries, 71
workspace, 189, 194
JIT (just-in-time) access feature, Azure
Logic Apps
Defender, 181
automation, 157–161
JSON Request Body format, Playbooks, 219
connector list, 236
custom log ingestion, 215–220
K security incident remediation, 242–243

Key Vault, Azure Defender for, 170–171, 179–180 signing in to Azure Sentinel, 239

KQL (Kusto Query Language) template deployment, 248

Advanced Hunting, 71 Logs page, 294

analytics rule, 226

overview, 232–235
M
query time parsing, 203
Machine learning (ML) behavioral analytics, 221
workbook templates, 268
Machine Learning page, 297
Kubernetes, Azure Defender for Servers, 165–166
malicious attachments, 9–14
Kusto Query Language (KQL)
malicious spear phishing email, 2–3
Advanced Hunting, 71
MCAS (Microsoft Cloud App Security)
analytics rule, 226
admin access, 99
overview, 232–235
alerts, 102–104
query time parsing, 203
Impossible Travel Policy, 101–102
workbook templates, 268
risk domain, 104
L
threat detection policies, 99–102
labeling, 30–35
Microsoft, threat protection products, 104
Let operator, KQL, 233
Microsoft 365, anti-phishing policies, 24
Linux, Azure Defender for Servers, 165
Microsoft 365 Defender, cross-domain incidents,
Livestream
106–118
converting to analytics rule, 292–294
Microsoft 365 Defender Security portal
monitoring hunting queries, 281–284
cross-domain incidents, 105–106
Log Analytics. See also custom logs
cross-domain investigations, 104–118
agent, 203–204, 207–208
Incidents view, 56
and Azure Sentinel, 186
products, 104–105
Azure Sentinel, 193
resource, 118
gateway, 206

309
Microsoft Defender

Microsoft Defender roles, 43

Playbooks, 244–249 security tasks, 86
triggers and actions, 245 setting up for deployment, 42
Microsoft Defender Credential Guard, 87–88 setting up for subscription, 41–43
Microsoft Defender for Endpoint. See also Simulations & Tutorials, 55
Endpoint Detection and Response (EDR) Suppression Rule for alert, 62
advanced settings, 53 User Access tab, 49
alert notifications, 51–53 user groups, 46
Alert page, 60–61 Microsoft Defender for Identity. See also identity
Breach insights icon, 84 threats
Classification and Status, 59 Honeytoken configuration, 98
configuring, 41 investigating alerts, 96–98
custom detections, 70–78 portal, 99
custom indicators, 78–81 quick start guide, 95
data storage and privacy, 42 risk domain, 104
Demote Rank button, 51 Timelines, 96–97
Determination setting, 70 User Directory Data, 98
device groups, 43, 47–50 Microsoft Defender for Office 365
Device action menu, 63 alerts, 35–40
Devices tab, 68 remediation actions, 39
enabling roles, 44–45 risk domain, 104
file hash indicator, 79–81 roles, 4
File menu, 66 Safe Attachments policies, 13
incidents and alerts, 55–70 Microsoft Graph Security API, Azure Sentinel, 198
investigation graph, 65 Microsoft Intune Connection, 85
Investigation Summary, 68 Microsoft security rules, Azure Sentinel, 221
IOCs (Indicators of compromise), 78–79 Microsoft security service
Manage incident, 69 alert connector, 228
permissions, 47 analytics rules, 227–229
Promote Rank button, 51 Include/Exclude Specific Alerts, 229
Remediation Request wizard, 85 Microsoft Threat Experts (MTE) service, 64
risk domain, 104 MITRE ATT&CK, 2, 57–58, 95, 148
role-based access control, 43–51 ML (Machine learning) behavioral analytics, 221

310
 security information and event management (SIEM)

Monitoring Agent Setup Wizard, 209

Q
MTE (Microsoft Threat Experts) service, 64
queries, best practice, 73. See also hunting queries
query results, tracking with bookmarks, 284–288

N query time parsing, KQL (Kusto Query

Language), 203
notebooks, advanced hunting, 295–300. See also
hunting queries

R
O RBAC (Role–Based Access Control), 124
remediating
Office 365 roles, 4
incidents, 161–163
OfficeActivity table, 233
threats, 242–243
OMS agent, installing, 203–204
remediation, activities, and exceptions, 83–89, 237
Outlook account, signing into, 240
risk domains, 104
risk management, 34–35, 81–89. See also insider
P risk; security recommendations; vulnerability
management
PaaS-related resources, Azure, 133
role groups, 24
phishing thresholds, 15
Role–Based Access Control (RBAC), 124
Playbooks
Microsoft Defender for Endpoint, 43–51
across Microsoft Defender solutions, 244–249
roles, Office 365, 4
attaching to analytics rules, 242
Azure Defender, 156–161
Azure Sentinel, 195 S
email alert, 237–241 Saas (Software as a Service), 99–104
GitHub repository, 243 Safe Attachments policy, 9–14
JSON Request Body format, 219 Safe Links policy, configuring, 3–9
managing incidents, 243–244 Scheduled queries, Azure Sentinel, 221
remediating threats, 242–243 Secure Hash Algorithm 1 (SHA1), 63
running against alerts, 256 Security Events connector, Azure Sentinel, 205
running in Logic App Designer, 218 security incident flow diagram, 105
templates, 245–248 security information and event management
testing, 219, 241 (SIEM), 185, 235
Project operator, KQL, 233

311
security operations center (SOC)

security operations center (SOC), 145, 224

T
Security Operations Efficiency workbook, 274–276
Take operator, KQL, 233
security orchestration, automation, and response
TAXII (Trusted Automated eXchange of Indicator
(SOAR), 236–248
Information), 212–213
security recommendations, 81–89, 130. See also
Threat & Vulnerability Dashboard, 82
risk management
Threat analytics, 118
SecurityIncidents table, 250
threat intelligence, Azure Defender, 178–179
sensitivity labels, 30–32
threat protection products, 104
SHA1 (Secure Hash Algorithm 1), 63
threats. See also Azure Sentinel portal
SHA256 hash, IOCs (Indicators of compromise),
78–79 detecting, 224–227
SIEM (security information and event identifying with UEBA, 257–261
management) remediating, 242–243
solutions, 198 TI (threat intelligence), custom connectors, 211–214
translating rules to KQL, 185, 235 TI matching, triage incidents, 254
simulations. See attack simulation training tiles, Azure Sentinel workbook, 271
SOAR (security orchestration, automation, and Timeline tab, viewing alerts on, 255
response), 236–248. See also Azure Sentinel Top operator, KQL, 233
SOC (security operations center), 145, 224, 249 Trusted Automated eXchange of Indicator
Sort operator, KQL, 233 Information (TAXII), 212–213
spear fishing email, 2–3. See also email
SQL, Azure Defender for, 169–170
STIX (Structured Threat Information U
eXpression), 212 UEBA (user and entity behavior analytics), 104
Storage, Azure Defender for, 167–168 uncoder.io tool, using with SIEMs, 235
Structured Threat Information eXpression user activity, detecting, 104
(STIX), 212
user and entity behavior analytics (UEBA), 257–261
Summarize operator, KQL, 233
user data, discovery during investigation, 181
suspicious user activity, detecting, 104
Syslog and CEF event collections, 202–205

312
 Workbooks gallery

V Where operator, KQL, 233

Windows, Azure Defender for Servers, 164–165
Visualizations Demo workbook, 270
Windows Events collections, 205–211
VMSS (VM Scale Set), 135
Workbook template summary, 264
vulnerability management, 81–89. See also risk
workbooks
management
customizing, 266–269
data analysis, 272–274
W parameters, 274

WAF (Web Application Firewall), 133 Workbooks gallery

watchlists, triage incidents, 254 Azure Sentinel, 263

Web Application Firewall (WAF), 133 saving workbooks in, 265

313