12: Use Cases Flashcards
(17 cards)
What’s a common use case for Sentinel in a hybrid environment?
Aggregating logs from cloud and on-prem tools (like firewalls, Linux servers, and Active Directory) into one pane of glass for correlation and visibility.
How do customers use Sentinel for identity monitoring?
By ingesting Entra ID sign-ins and Defender for Identity alerts to detect suspicious logins, lateral movement, and account compromise.
What’s a real-world use case for automation/playbooks?
Automatically enriching an incident with VirusTotal lookups and tagging it based on risk score, then creating a ticket in ServiceNow.
How is Sentinel used in Zero Trust initiatives?
To monitor failed authentications, detect excessive access to sensitive resources, and track anomalous sign-ins across enclaves or tenants.
What’s a use case for hunting queries?
Proactively searching for signs of compromise (e.g., mimikatz artifacts, unusual PowerShell usage) that weren’t caught by rules.
How do workbooks support SOC operations?
They provide live dashboards for monitoring alerts by severity, analyst workload, data ingestion volume, or trends over time.
What’s a practical use for the MITRE ATT&CK workbook?
Mapping alerts to MITRE techniques so SOC managers can identify gaps in coverage and align defenses to known attacker TTPs.
How do customers use custom watchlists?
To track known bad IPs, VIP users, or sensitive servers—and use them in analytics rules for prioritized alerting.
What’s a use case for dynamic thresholds in analytics rules?
Detecting anomalies like “more than 3x the normal failed login attempts for this host” without setting static thresholds.
How can Sentinel help during a breach investigation?
Use the investigation graph to visualize related alerts, entities, and timeline, speeding up root cause analysis.
How is Sentinel used in compliance reporting?
Customers build workbooks to monitor control coverage, user access, and audit log activity for frameworks like NIST, PCI, or HIPAA.
What’s a use case for custom logs via AMA?
Ingesting logs from air-gapped systems, ICS/OT networks, or niche security tools not covered by a native connector.
How do customers use Sentinel for detection tuning?
By cloning built-in analytics rules, adjusting filters to reduce false positives, and tracking hit rates over time.
What’s a use case for the Content Hub?
Quickly deploying full content packages (connectors, rules, workbooks) for vendors like Palo Alto, Zscaler, or AWS—no need to start from scratch.
How is Sentinel used for executive visibility?
Workbooks summarize incidents, top threat types, and high-risk assets—used in weekly or quarterly CISO briefings.
Why would a customer use the data ingestion cost workbook?
To identify high-volume tables (like DNS or Windows events) and optimize ingestion filters to reduce costs.
What’s a use case for correlating multiple data sources?
Linking identity alerts from Entra ID with endpoint alerts from Defender and firewall logs for a complete attack picture.
