🃏 Security Operations Flashcards

Practice Sentinel, Defender, and incident response for AZ-500.


All Security Operations Flashcards

1

Q: What is the difference between SIEM and SOAR?

A: SIEM (Sentinel) collects and analyzes security data to detect threats. SOAR (Sentinel playbooks) automates incident response with Logic Apps workflows.

2

Q: What is a Sentinel analytic rule?

A: A scheduled or real-time KQL query that detects suspicious activity and generates security alerts/incidents for investigation.

3

Q: What does Defender for Cloud secure score measure?

A: A percentage representing your security posture. Higher score = more recommendations implemented. Recommendations are prioritized by potential impact.

4

Q: What are the types of Sentinel data connectors?

A: Service-to-service (Azure, M365), Syslog/CEF (Linux agents), REST API (custom), and Agent-based (Windows Security Events via Log Analytics agent).

5

Q: What is KQL used for in security?

A: Kusto Query Language queries Log Analytics and Sentinel data for threat hunting, creating analytic rules, building workbooks, and investigating incidents.
