1: Core Concepts Flashcards
(14 cards)
What is Microsoft Sentinel?
A cloud-native SIEM and SOAR solution that collects, detects, investigates, and responds to threats across your environment.
What does Sentinel do with data once it’s ingested?
It stores it in Log Analytics, where it can be queried, visualized, and used for detection, investigation, and automation.
What is KQL?
Kusto Query Language—used to query log data in Sentinel (and other Azure services). Similar to SQL but optimized for time-series and log data.
What is an analytics rule?
A scheduled query that looks for suspicious patterns in your logs and generates alerts when conditions are met.
What is an incident?
A collection of related alerts grouped together by Sentinel to help analysts investigate and respond to a full attack story.
What’s the difference between an alert and an incident?
An alert is one detection firing. An incident groups alerts together—based on timing, entities, or correlation rules—for a higher-level investigation.
What is the investigation graph?
A visual tool that maps entities and alerts related to an incident, helping analysts understand relationships and attack progression.
What is the value of Sentinel if I already have Defender XDR?
Defender XDR protects Microsoft 365 data sources. Sentinel brings in everything else—from firewalls to Linux—and gives you centralized visibility, long-term retention, and custom detections across your full environment.
Where is Sentinel data stored?
In an Azure Log Analytics workspace. Each Sentinel instance is tied to one workspace.
What is the pricing model for Sentinel?
Based on data ingestion (per GB) and optional features like long-term retention or automation. Some Microsoft data sources (like M365) are free to ingest.
How does Sentinel support scaling across complex environments?
You can see what’s happening across separate workspaces or tenants (with Lighthouse) without needing to move all that data into one place. You can also use RBAC to keep access controls isolated.
How do I search logs in Sentinel?
Use KQL queries in the Logs blade to filter, explore, and visualize raw log data.
What is a workbook?
An interactive dashboard built on KQL that visualizes data—used for monitoring, investigation, or reporting.
Why should I care about the difference between alerts and incidents?
Incidents help reduce alert fatigue by grouping related alerts into a coherent investigation—less noise, more signal.
