Full Transcript

SC 100 Question 5 of 50 You have an Azure subscription. You are designing a solution that aligns with the Zero Trust Rapid Modernization Plan (RaMP). The solution must contain guidance for ransomware recovery readiness to ensure that backups are validated and secure and enable rapid recovery. Which RaMP initiative should you include in the design? Your Answer modern security operations This answer is incorrect. Correct Answer data, compliance, and governance This answer is correct. Ransomware recovery readiness is a priority that is listed under the data, compliance, and governance initiative of Zero Trust RaMP. Design solutions that align with the Microsoft Cybersecurity Reference Architecture (MCRA) and Microsoft cloud security benchmark (MCSB) - Training | Microsoft Learn Microsoft Cybersecurity Reference Architectures - Security documentation | Microsoft Learn Zero Trust Rapid Modernization Plan | Microsoft Learn Question 6 of 50 You have an Azure subscription. You are designing a security solution that follows the Microsoft cloud security benchmark (MCSB). The solution must contain guidance that follows best practices related to security alerts and notifications. Which MCSB control should you include in the solution? Your Answer Logging and threat detection This answer is incorrect. Correct Answer incident Response This answer is correct. Incident Response is correct as one MCSB control used to define best practices related to security alerts and notifications. Design solutions with best practices for attack protection - Training | Microsoft Learn Overview of the Microsoft cloud security benchmark | Microsoft Learn Question 37 of 50 You have an Azure subscription that contains several web apps. All the web apps have registered DNS names with a public DNS registrar. You need to recommend a solution to ensure that when an app is decommissioned, you are alerted about any DNS entries remaining in the DNS registrar. What should you include in the recommendation? 
Your Answer Microsoft Defender for DNS This answer is incorrect. Correct Answer Microsoft Defender for App Service This answer is correct. Defender for App Service can identify any DNS entries remaining in the DNS registrar when an app service website is decommissioned. These are known as dangling DNS entries. When you remove a website, and you do not remove its custom domain from the DNS registrar, the DNS entry points to a non-existent resource, and the subdomain is vulnerable to a takeover. Specify security requirements for web workloads - Training | Microsoft Learn Microsoft Defender for App Service - the benefits and features - Microsoft Defender for Cloud | Microsoft Learn Question 49 of 50 You have an Azure subscription that contains a web app named WebApp1. WebApp1 uses a backend Azure SQL database named SQLdb1. You need to recommend a security solution to prevent Microsoft SQL Server administrators or privileged accounts from retrieving or reading sensitive information stored in specific database columns in SQLdb1. What should you include in the recommendation? Your Answer dynamic data masking This answer is incorrect. Correct Answer Always Encrypted This answer is correct. Always Encrypted is the correct answer, as it only permits data decryption from a client application that has access to the encryption key. Dynamic data masking is incorrect, as it does not encrypt data. TDE is used for encrypting the entire database and backups. TLS is used for encryption during transit. Design data security for Azure workloads - Training | Microsoft Learn Question 2 of 50 You have an Azure subscription and a Microsoft 365 E5 subscription. You are designing a resiliency strategy to protect against ransomware attacks. You need to recommend a solution that prevents attackers from acquiring administrative permissions and limits the scope of damage to Azure resources. What should you include in the recommendation? Your Answer Azure Backup This answer is incorrect. 
Correct Answer Privileged Access Management (PAM) This answer is correct. PAM should be included in a solution designed to prevent attackers from acquiring administrative permissions or rights to administer Azure resources. Azure Backup is used to protect data but is not used to control administrative permissions. Azure Update Management is used to manage operating system updates for Windows and Linux virtual machines. Security baselines can help strengthen settings on specific resources but will not prevent attackers from acquiring administrative permissions or rights. Ransomware protection - Training | Microsoft Learn Quickly configure for ransomware prevention in your organization to help stop ransomware cybercriminals. | Microsoft Learn Learn about privileged access management | Microsoft Learn Question 5 of 50 You have an Azure subscription. You are designing a resiliency strategy for ransomware attacks. The solution will use the following security risk lifecycle process: Before an incident During an incident After an incident Feedback loop During which step in the process can you identify lessons learned and integrate changes to the security processes? Your Answer After an incident This answer is incorrect. Correct Answer feedback loop This answer is correct. The security risk lifecycle process includes tasks that take place before an incident, during an incident, after an incident, and a feedback loop. Identifying lessons learned and integrating changes to the current security process are tasks that take place during the feedback loop step of the process. Support business resiliency - Training | Microsoft Learn Responding to ransomware attacks | Microsoft Learn Question 7 of 50 You have an Azure subscription. You are designing a security solution that follows the Microsoft cloud security benchmark (MCSB). The solution must contain guidance that follows best practices related to security alerts and notifications. 
Which MCSB control should you include in the solution? Your Answer Logging and threat detection This answer is incorrect. Correct Answer Incident Response This answer is correct. Incident Response is correct as one MCSB control used to define best practices related to security alerts and notifications. Design solutions with best practices for attack protection - Training | Microsoft Learn Overview of the Microsoft cloud security benchmark | Microsoft Learn Question 21 of 50 You have an Azure subscription. You are designing an access solution to meet the following requirements: Provide role activation based on time and approval. Use multi-factor authentication (MFA). Assign just-in-time (JIT) privileges. Monitor access rights. What should you include in the solution? Your Answer Privileged Access Management (PAM) This answer is incorrect. Correct Answer Privileged Identity Management (PIM) This answer is correct. The correct answer is PIM, as it provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions for resources. Design identity governance solutions - Training | Microsoft Learn Question 27 of 50 You have a Microsoft 365 subscription and an Azure subscription. You have devices that run either Windows, Android, or macOS. The Windows devices are deployed to Azure. You need to design a policy setting to ensure that if a new setting or existing setting is modified, the policy is marked as noncompliant. Which two effects can you use to configure the policy setting? Each correct answer presents a complete solution. Your Answer deny This answer is correct. Correct Answer append This answer is correct. deny This answer is correct. Azure Policy identifies which resources are applicable, and then evaluates resources that have not been excluded or exempt. 
Policy assignments with append or deny effects are considered non-compliant for existing resources when the conditions of the policy rule evaluate to TRUE. Address security and compliance requirements with Azure policy - Training | Microsoft Learn Azure Policy compliance states - Azure Policy | Microsoft Learn Question 30 of 50 You have an Azure subscription. You plan to assess and improve security based on Microsoft cloud security benchmark (MCSB) standards. You need to recommend a solution to address the PV-1: Define and establish secure configurations MCSB control. The solution must establish security standards for the implementation of new Azure resources. What should you include in the recommendation? Your Answer Just In Time provisioning This answer is incorrect. Correct Answer Azure Landing Zones This answer is correct. The PV-1: Define and establish secure configurations MCSB control defines the security configuration baselines for different resource types in the cloud. You can use Azure Landing Zones to provide a consistent and secure initial standard for when you implement a new resource. Evaluate security posture by using Microsoft Cloud Security Benchmark - Training | Microsoft Learn Microsoft cloud security benchmark - Posture and Vulnerability Management | Microsoft Learn Question 35 of 50 You have a Microsoft 365 subscription and an Azure subscription that contains devices that run Windows 11 and iOS. You are planning a solution to manage security tasks such as: Applying security baselines to devices Configuring built-in firewalls Managing device encryption What should you include in the solution? Your Answer Azure Resource Manager (ARM) This answer is incorrect. Correct Answer Microsoft Intune This answer is correct. In Intune, some common security tasks include managing software updates, encrypting hard disks, configuring built-in firewalls, etc. by using built-in policy settings. 
Specify requirements for mobile devices and clients - Training | Microsoft Learn Question 35 of 50 You have a Microsoft 365 subscription and an Azure subscription that contains devices that run Windows 11 and iOS. You are planning a solution to manage security tasks such as: Applying security baselines to devices Configuring built-in firewalls Managing device encryption What should you include in the solution? Your Answer Azure Resource Manager (ARM) This answer is incorrect. Correct Answer Microsoft Intune This answer is correct. In Intune, some common security tasks include managing software updates, encrypting hard disks, configuring built-in firewalls, etc. by using built-in policy settings. Specify requirements for mobile devices and clients - Training | Microsoft Learn Question 48 of 50 You have an Azure subscription and use Microsoft Purview for data governance. You need to recommend a Microsoft Purview feature that can organize data into logical categories. What should you recommend? Your Answer Data Catalog workflows This answer is incorrect. Correct Answer Data Map classification This answer is correct. Data classification in the Microsoft Purview governance portal is a way of categorizing data assets by assigning unique logical tags or classes to the data assets. When you classify data assets, you make them easier to understand, search, and govern. Classifying data assets also helps you understand the risks associated with the assets. Sensitivity labels are different from classifications. Sensitivity labels categorize assets in the context of data security and privacy, such as Highly Confidential, Restricted, Public, etc. Design a solution for data discovery and classification using Microsoft Purview - Training | Microsoft Learn Understand data classification in the Microsoft Purview governance portal | Microsoft Learn Question 50 of 50 You have an Azure subscription. 
You are designing a governance solution that will incorporate the Microsoft Purview governance portal to perform automated discovery for data stored throughout the cloud infrastructure. You need to describe the feature used to perform the discovery. Which feature should you describe? Your Answer Data Map This answer is incorrect. Correct Answer Data Catalog This answer is correct. Microsoft Purview Data Map is a cloud native platform as a service (PaaS) service that captures metadata about enterprise data present in on-premises and cloud-based systems. Data Map is automatically kept up-to-date by using a built-in automated scanning and classification system. Design a solution for data discovery and classification using Microsoft Purview - Training | Microsoft Learn Introduction to Microsoft Purview governance solutions | Microsoft Learn Question 1 of 50 You have an Azure subscription. You are designing a resiliency strategy for Azure resources and data based on Microsoft security best practices. You need to provide recommendations to reduce the organizational impact of ransomware attacks. Which two recommendations should you include in the solution? Each correct answer presents part of the solution. Your Answer Implement data loss protection (DLP) policies. This answer is incorrect. Refine backup and restore procedures. This answer is correct. Correct Answer Provide user education. This answer is correct. Refine backup and restore procedures. This answer is correct. Best practices for mitigating and reducing the impact of ransomware attacks include user education related to cyber-attack prevention and refining backup and restore procedures. Implementing DLP, privacy risk management, and complex passwords can be used in specific security scenarios, but do not directly reduce the impact of ransomware attacks. Question 6 of 50 You have an Azure subscription. You are designing a solution that aligns with the Zero Trust Rapid Modernization Plan (RaMP). 
The solution must contain guidance for ransomware recovery readiness to ensure that backups are validated and secure and enable rapid recovery. Which RaMP initiative should you include in the design? Your Answer modern security operations This answer is incorrect. Correct Answer data, compliance, and governance This answer is correct. Ransomware recovery readiness is a priority that is listed under the data, compliance, and governance initiative of Zero Trust RaMP. Design solutions that align with the Microsoft Cybersecurity Reference Architecture (MCRA) and Microsoft cloud security benchmark (MCSB) - Training | Microsoft Learn Microsoft Cybersecurity Reference Architectures - Security documentation | Microsoft Learn Zero Trust Rapid Modernization Plan | Microsoft Learn Question 7 of 50 You are designing an Azure deployment solution based upon Zero Trust implementation guidance. You plan to integrate the Rapid Modernization Plan (RaMP) initiatives into the design. Which initiative should be the top priority in the plan? Your Answer data, compliance, and governance This answer is incorrect. Correct Answer user access and productivity This answer is correct. The top priority of the RaMP initiatives is to secure user access and productivity. This includes validating trust for all identities that access apps, endpoints, and network resources. Introduction to best practices - Training | Microsoft Learn Zero Trust Guidance Center | Microsoft Learn Zero Trust Rapid Modernization Plan | Microsoft Learn Question 8 of 50 You are designing a user access solution that follows the Zero Trust principles of the Microsoft Cybersecurity Reference Architectures (MCRA). You need to recommend features that enforce least privilege access to Azure resources. Which two features should you include in the recommendation? Each correct answer presents part of the solution. Your Answer risk-based access policies This answer is correct. segmentation of the network This answer is incorrect. 
Correct Answer just-in-time (JIT) access This answer is correct. risk-based access policies This answer is correct. MCRA states least privileged access as one of its principles of guidance. Features that support this guidance include JIT access and risk-based access policies in Azure. Data classification is part of the Verify explicit principle, and segmentation and encryption are both part of the Assume breach principle of the MCRA technical architecture. Design solutions with best practices for capabilities and controls - Training | Microsoft Learn Developing a privileged access strategy | Microsoft Learn Microsoft Cybersecurity Reference Architectures - Security documentation | Microsoft Learn Question 21 of 50 You have a Microsoft 365 E5 subscription. You need to recommend a solution to efficiently assign user account management tasks to manage cloud resources. The solution must meet the following requirements: Support the use of Microsoft Entra Privileged Identity Management (PIM). Support access reviews. What should you include in the recommendation? Your Answer Organizational units This answer is incorrect. Correct Answer Microsoft Entra roles This answer is correct. Microsoft Entra role-based access control (Microsoft Entra RBAC) can be used to enforce best practices and meet the requirements. Microsoft Entra roles can be used to manage directory objects, such as users, groups, and applications, and also to manage Microsoft 365 services, such as Microsoft Exchange Online, SharePoint Online, and Intune. Roles support the use of PIM and access reviews. Design cloud, hybrid and multicloud access strategies (including Azure AD) - Training | Microsoft Learn Best practices for Microsoft Entra roles - Microsoft Entra | Microsoft Learn Question 29 of 50 You have a multi-cloud environment that contains an Azure subscription and an Amazon Web Services (AWS) account. You are designing Microsoft Defender for Cloud implementation. 
You plan to use cloud security explorer to build queries to hunt for security risks in both cloud environments. You need to identify which Microsoft Defender plan is needed to provide the full benefits of cloud security explorer. What should you identify? Your Answer Microsoft Defender for Servers Plan 1 This answer is incorrect. Correct Answer Defender Cloud Security Posture Management (CSPM) This answer is correct. CSPM in Defender for Cloud provides you with hardening guidance that helps you efficiently and effectively improve your security. The Defender CSPM plan also offers extra protections for your environments, such as governance, regulatory compliance, cloud security explorer, attack path analysis, and agentless scanning for machines. Evaluate security posture by using Microsoft Defender for Cloud - Training | Microsoft Learn Build queries with cloud security explorer - Microsoft Defender for Cloud | Microsoft Learn Question 32 of 50 You have an Azure subscription and a Microsoft 365 E5 subscription. You are designing a set of recommendations to help your organization identify and reduce the risks of an attack. You use Microsoft Secure Score to measure the security posture of the organization. You plan to enable Security defaults to increase the Secure Score. Which three actions are awarded full points if Security defaults is enabled in Microsoft Entra ID? Each correct answer presents a complete solution. Your Answer Enable Microsoft Entra ID Protection sign-in risk policies. This answer is incorrect. Enable Conditional Access policies to block legacy authentication. This answer is correct. Ensure that multi-factor authentication (MFA) is enabled for all users. This answer is correct. Correct Answer Enable Conditional Access policies to block legacy authentication. This answer is correct. Ensure that multi-factor authentication (MFA) is enabled for all users. This answer is correct. 
Ensure that multi-factor authentication (MFA) is enabled for all users in administrative roles. This answer is correct. If you enable Security defaults, Secure Score awards you with full points for the following recommended actions: Ensure that MFA is enabled for all users (9 points). Ensure that MFA is enabled for all users in administrative roles (10 points). Enable Conditional Access policies to block legacy authentication (7 points). Examine Microsoft Secure Score - Training | Microsoft Learn Question 35 of 50 You have a Microsoft 365 E5 license and an Azure subscription. You have devices that run either Windows, Android, iOS/iPadOS, or macOS. The Windows devices are Microsoft Entra joined. You need to design a security solution to meet the following requirements: Control device features. Validate the compliance health of the devices. Remotely lock, restart, locate, or restore a device to factory settings. What should you include in the solution? Your Answer Windows Autopilot This answer is incorrect. Correct Answer Microsoft Intune This answer is correct. Intune is the correct answer, as it supports the required activities on all the platforms. Windows Autopilot is a deployment collection of technologies to set up and preconfigure Windows devices but not for remote management. Defender for Endpoint helps enterprise networks prevent, detect, investigate, and respond to advanced threats. Lifecycle Workflows is used to automate Microsoft Entra user lifecycle processes. Specify requirements for mobile devices and clients - Training | Microsoft Learn Question 38 of 50 You have an Azure subscription that contains a web app named WebApp1. You are designing a security baseline for WebApp1 based on the Microsoft Cybersecurity Reference Architecture (MCRA) and the Microsoft cloud security benchmark (MCSB). 
You need to specify tasks to address the following posture and vulnerability management controls: PV-2: Audit and enforce secure configurations PV-7: Conduct regular red team operations Which two tasks should you include in the design? Each correct answer presents part of the solution. Your Answer Conduct regular penetration testing. This answer is correct. Enable resource logs. This answer is incorrect. Correct Answer Conduct regular penetration testing. This answer is correct. Turn off remote debugging. This answer is correct. Turn off remote debugging and regular penetration testing are the correct answers as part of the posture and vulnerability management guidance. Backup and Restore is incorrect as it does not help improve the security posture or vulnerability. Enable resource logs is part of logging and threat detection guidance. Azure Key Vault is incorrect, as it is used for data protection. Specify security requirements for web workloads - Training | Microsoft Learn Question 44 of 50 You have a Microsoft 365 subscription and an Azure subscription. The Azure subscription contains more than 100 applications. You are designing a solution to secure application management. The solution must meet the following requirements: Detect unusual behavior. Inventory existing application deployments. Identify unauthorized applications running in the environment. Ensure that the applications meet relevant compliance requirements. What should you include in the solution? Your Answer Microsoft Defender for Endpoint This answer is incorrect. Correct Answer Microsoft Defender for Cloud Apps This answer is correct. Defender for Cloud Apps can identify your organization's cloud apps, infrastructure as a service (IaaS) service, and platform as a service (PaaS) service. The solution can investigate usage patterns and assess the risk levels and business readiness of more than 31,000 software as a service (SaaS) apps against more than 80 risks. 
The solution can detect unusual behavior across cloud apps to identify ransomware, compromised users, or rogue applications, analyze high-risk usage, and remediate automatically to limit risks to the organization. Evaluate security posture of existing application portfolios - Training | Microsoft Learn Best practices for protecting your organization - Microsoft Defender for Cloud Apps | Microsoft Learn Question 45 of 50 You have an Azure subscription that contains a web app named WebApp1. You plan to implement dynamic application security testing (DAST) as a practice to enhance security and detect vulnerabilities during the app development process. You need to recommend a tool that supports the DAST process. What should you recommend? Your Answer SonarCloud This answer is incorrect. Correct Answer OWASP Zed Attack Proxy (ZAP) This answer is correct. OWASP ZAP is the correct answer, as it supports DAST and full app scanning. SonarCloud is incorrect as it is a static application security testing (SAST) solution and does not perform full scanning for running apps. Azure Policy is incorrect, as it does not perform full scanning. Mend (formerly WhiteSource) is a dependency management tool but does not provide full app scanning. Design and implement standards to secure application development - Training | Microsoft Learn Question 50 of 50 You have an Azure subscription. You are designing a governance solution that will incorporate the Microsoft Purview governance portal to perform automated discovery for data stored throughout the cloud infrastructure. You need to describe the feature used to perform the discovery. Which feature should you describe? Your Answer Data Estate Insights This answer is incorrect. Correct Answer Data Catalog This answer is correct. Microsoft Purview Data Map is a cloud native platform as a service (PaaS) service that captures metadata about enterprise data present in on-premises and cloud-based systems. 
Data Map is automatically kept up-to-date by using a built-in automated scanning and classification system. Design a solution for data discovery and classification using Microsoft Purview - Training | Microsoft Learn Introduction to Microsoft Purview governance solutions | Microsoft Learn You are planning to migrate from an on-premises network to an Azure tenant. You are designing a migration plan based on the Microsoft Well-Architected Framework. The plan must integrate a strategy that ensures a consistent set of controls to intercept authentication requests for Azure resources. Which strategy should you include in the design? Your Answer Establish a monitoring strategy. This answer is incorrect. Correct Answer Establish a modern perimeter. This answer is correct. Establishing a modern perimeter is the correct answer as it is one of the key strategies that defines a perimeter design based on intercepting authentication requests versus intercepting network traffic. Modernizing the infrastructure and application security is another key strategy but is related to operating systems and infrastructure services. Design solutions that align with the Cloud Adoption Framework (CAF) and Well- Architected Framework (WAF) - Training | Microsoft Learn Define a security strategy - Cloud Adoption Framework | Microsoft Learn Question 11 of 50 You are designing an Azure deployment. You need to recommend an architecture model that meets the following requirements: Uses subscriptions to isolate and scale application resources and platform resources Aligns with the Microsoft Cloud Adoption Framework for Azure Can be managed by one or more central teams What should you include in the recommendation? Your Answer management groups This answer is incorrect. Correct Answer Azure landing zones This answer is correct. Subscriptions for application resources are called application landing zones, and subscriptions for platform resources are called platform landing zones. 
Platform landing zones are used to deploy subscriptions to provide centralized services, often operated by a central team, or a number of central teams split by function (e.g., networking, identity), which will be used by various core workloads and applications. Application landing zones are one or more subscriptions deployed as an environment for an application or workload. Introduction to Azure Landing Zones - Training | Microsoft Learn Azure landing zone design areas - Cloud Adoption Framework | Microsoft Learn Question 13 of 50 You implement Microsoft Sentinel workspaces in a multi-tenant configuration. You need to recommend a solution to access and manage the Microsoft Sentinel workspaces in each tenant. The solution must not require the use of different accounts. What should you include in the recommendation? Your Answer a Log Analytics workspace This answer is incorrect. Correct Answer Azure Lighthouse This answer is correct. Azure Lighthouse is the correct answer as it allows the onboarding of different tenants to a central location and from there provides access to different Microsoft Sentinel workspaces without using a different account. Defender for Cloud, a Log Analytics workspace, and Azure Monitor do not allow you to use the same account when access to different tenants is needed. Create and manage Microsoft Sentinel workspaces - Training | Microsoft Learn Manage multiple Microsoft Sentinel workspaces - Training | Microsoft Learn Question 14 of 50 You have an Azure subscription. You plan to implement Microsoft Sentinel as part of a security orchestration automated response (SOAR) solution. You need to recommend a Microsoft Sentinel feature that can perform the following tasks: Triage new incidents and change the incident status from New to Active. Inspect the content of an incident and take further action. Assign an owner to an incident. What should you recommend? Your Answer playbooks This answer is incorrect. 
Correct Answer automation rules This answer is correct. Automation rules is the correct answer as they are used to inspect the contents of an incident (alerts, entities, and other properties) and take further action by calling a playbook. A playbook is incorrect as it is a collection of remediation actions that you run from Microsoft Sentinel as a routine. A condition is part of an automation rule. A trigger is used to start an automation rule when an incident is created or updated, or when an alert is created. Design a solution for security orchestration, automation, and response (SOAR) - Training | Microsoft Learn Automate threat response in Microsoft Sentinel with automation rules | Microsoft Learn Question 15 of 50 You are designing a centralized logging and threat detection solution for an Azure environment. You need to ensure that the solution uses the following controls: Centralize security log management and analysis. Enable logging for security investigation. Configure log storage retention. What should you base the solution on? Your Answer Microsoft Cybersecurity Reference Architectures (MCRA) This answer is incorrect. Correct Answer Microsoft cloud security benchmark (MCSB) This answer is correct. MCSB controls for logging and threat detection are controls for detecting threats on the cloud, and enabling, collecting, and storing audit logs for cloud services. These services include enabling detection, investigation, and remediation processes with controls to generate high-quality alerts with native threat detection in cloud services. Design centralized logging and auditing - Training | Microsoft Learn Microsoft cloud security benchmark - Logging and threat detection | Microsoft Learn Question 17 of 50 You have a Microsoft 365 E5 subscription and an Azure subscription. The subscriptions include Microsoft Defender for Cloud and Microsoft Sentinel. 
You are designing a security operations solution to ensure that all logs collected by Defender for Cloud can also be ingested and used by Microsoft Sentinel. You need to recommend best practice guidance when creating the Log Analytics workspaces used for Microsoft Sentinel. Which two best practices should you recommend? Each correct answer presents a complete solution. Your Answer Apply a resource lock to the Log Analytics workspace that you intend to leverage for Microsoft Sentinel. This answer is incorrect. Use a dedicated workspace cluster for Microsoft Sentinel if your projected data ingestion is more than 1 TB per day. This answer is correct. Correct Answer Use a dedicated workspace cluster for Microsoft Sentinel if your projected data ingestion is more than 1 TB per day. This answer is correct. Use the same workspace for both Microsoft Sentinel and Defender for Cloud. This answer is correct. Do not apply a resource lock to a Log Analytics workspace that you will use for Microsoft Sentinel. A resource lock on a workspace can cause many Microsoft Sentinel operations to fail. Below are the technical best practices for creating a workspace: When naming your workspace, include Microsoft Sentinel or some other indicator in the name, so that it is easily identified among your other workspaces. Use the same workspace for both Microsoft Sentinel and Defender for Cloud, so that all logs collected by Defender for Cloud can also be ingested and used by Microsoft Sentinel. The default workspace created by Defender for Cloud will not appear as an available workspace for Microsoft Sentinel. Use a dedicated workspace cluster if your projected data ingestion is 1 TB or more per day. A dedicated cluster enables you to secure resources for Microsoft Sentinel data, which enables better query performance for large datasets. Dedicated clusters also provide the option for more encryption and control of your organization's keys. 
Design security information and event management (SIEM) solutions - Training | Microsoft Learn
Best practices for Microsoft Sentinel | Microsoft Learn

Question 18 of 50

You have an Active Directory Domain Services (AD DS) forest. You are designing recommendations for securing the AD DS attack surface. You plan to include a description of default rights and permissions for high-privileged groups. You need to describe groups that permit members to add or remove domains. Which groups should you describe?

Your Answer: Enterprise Admins and Domain Admins only. This answer is incorrect.

Correct Answer: Enterprise Admins only. This answer is correct.

Members of the Enterprise Admins group are granted rights and permissions that allow them to implement forest-wide changes that affect all domains in the forest, such as adding or removing domains, establishing forest trusts, or raising forest functional levels.

Specify requirements to secure Active Directory Domain Services (AD DS) - Training | Microsoft Learn
Reducing the Active Directory Attack Surface | Microsoft Learn

Question 25 of 50

Your company has a Microsoft 365 E5 and an Azure subscription. You are planning a security solution that will contain guidance for compliance management. You need to recommend a solution to help reduce the complexity and length of time it takes to find and manage personal data when requested by a user. What should you include in the recommendation?

Your Answer: Microsoft Purview eDiscovery. This answer is incorrect.

Correct Answer: Microsoft Priva subject rights requests. This answer is correct.

The Microsoft Priva Subject Rights Requests solution is designed to help alleviate the complexity and length of time involved in responding to data subject inquiries. Subject rights requests provide automation, insights, and workflows to help organizations fulfill requests more confidently and efficiently.
Address privacy requirements with Microsoft Priva - Training | Microsoft Learn

Question 29 of 50

You have an Azure subscription. You plan to assess and improve security based on Microsoft cloud security benchmark (MCSB) standards. You need to recommend a solution to address the PV-1: Define and establish secure configurations MCSB control. The solution must establish security standards for the implementation of new Azure resources. What should you include in the recommendation?

Your Answer: Azure Automation State Configuration. This answer is incorrect.

Correct Answer: Azure Landing Zones. This answer is correct.

The PV-1: Define and establish secure configurations MCSB control defines the security configuration baselines for different resource types in the cloud. You can use Azure Landing Zones to provide a consistent and secure initial standard for when you implement a new resource.

Evaluate security posture by using Microsoft Cloud Security Benchmark - Training | Microsoft Learn
Microsoft cloud security benchmark - Posture and Vulnerability Management | Microsoft Learn

Question 32 of 50

You have a multi-cloud infrastructure that contains an Azure subscription and an Amazon Web Services (AWS) account. You plan to implement Microsoft Defender for Cloud and enable the following capabilities:
Attack path analysis
Security governance
Multicloud coverage
Cloud security explorer
Centralized policy management
Which two capabilities are included for free in the Foundational cloud security posture management (CSPM) plan? Each correct answer presents part of the solution.

Your Answer:
cloud security explorer. This answer is incorrect.
Security governance. This answer is incorrect.

Correct Answer:
Centralized policy management. This answer is correct.
Multicloud coverage. This answer is correct.

Defender for Cloud includes Foundational CSPM capabilities for free. This includes Multicloud coverage and Centralized policy management.
All other capabilities listed are part of a paid CSPM Defender plan.

Design integrated posture management and workload protection - Training | Microsoft Learn
What is Microsoft Defender for Cloud? - Microsoft Defender for Cloud | Microsoft Learn

Question 34 of 50

You have an Azure subscription. You are creating a design document that describes the implementation process for Azure Bastion. You need to include prerequisite details for the Azure Bastion deployment. What should you include in the document?

Your Answer: Create a subnet named AzureBastionSubnet and a subnet address range of /26 or smaller. This answer is incorrect.

Correct Answer: Create a subnet named AzureBastionSubnet and a subnet address range of /26 or larger. This answer is correct.

When deploying Azure Bastion, you must create a custom subnet by using the following values:
The subnet name must be AzureBastionSubnet.
The subnet must be at least /26 or larger (/26, /25, /24, etc.) to accommodate the features available in the Standard SKU.

Design a solution for secure remote access - Training | Microsoft Learn
Tutorial: Deploy Bastion using specified settings: Azure portal | Microsoft Learn

Question 35 of 50

You have an Azure subscription. You are designing an IoT workload for Azure that will incorporate the following:
Passwordless or multi-factor authentication (MFA)
A process to assess device vulnerabilities and build ongoing risk profiles
You need to ensure that your design follows the Microsoft Azure Well-Architected Framework security architecture for IoT. Which two design principles are covered by the design? Each correct answer presents a part of the solution.

Your Answer:
device health. This answer is correct.
least privilege. This answer is incorrect.

Correct Answer:
device health. This answer is correct.
strong identity. This answer is correct.

For the Azure Well-Architected Framework, five pillars of architectural excellence underpin the IoT workload design methodology.
These pillars serve as a compass for subsequent design decisions across the key IoT design areas: strong identity, least privilege, device health, device update, and monitor system security/plan incident response. The requirement of using passwordless or MFA falls under the strong identity pillar. The requirement of incorporating a process to assess device vulnerabilities and build ongoing risk profiles falls under the device health pillar.

Specify internet of things (IoT) and embedded device security requirements - Training | Microsoft Learn
Security in your IoT workload - Microsoft Azure Well-Architected Framework | Microsoft Learn
Device configuration best practices for Azure IoT Hub | Microsoft Learn

Question 36 of 50

Your company has many connected operational technology (OT) devices. You have an Azure subscription. You plan to incorporate the OT devices by implementing the following components:
Agentless device monitoring
The Azure portal to view data from all connected sensors
You need to recommend a solution to incorporate the OT devices into Azure processes. What should you include in the recommendation?

Your Answer: Microsoft Defender for APIs. This answer is incorrect.

Correct Answer: Microsoft Defender for IoT. This answer is correct.

To fully monitor a network, you need visibility of all the endpoint devices on the network. Defender for IoT mirrors the traffic that moves through your network devices to Defender for IoT network sensors. If your IoT and OT devices do not have embedded security agents, they can remain unpatched, misconfigured, and invisible to IT and security teams. Defender for IoT uses agentless monitoring to provide visibility and security across a network and identifies specialized protocols, devices, or machine-to-machine (M2M) behaviors.
Secure operational technology (OT) and industrial control systems (ICS) with Microsoft Defender for IoT - Training | Microsoft Learn
Prepare an OT site deployment - Microsoft Defender for IoT | Microsoft Learn
What is Microsoft Defender for Cloud? - Microsoft Defender for Cloud | Microsoft Learn

Question 38 of 50

You have a newly deployed Azure infrastructure. You are designing a security model that outlines the division of responsibility for cloud services. You need to describe a cloud service model that requires your full responsibility for securing operating systems and network controls. Which cloud service model should you include in the design?

Your Answer: platform as a service (PaaS). This answer is incorrect.

Correct Answer: infrastructure as a service (IaaS). This answer is correct.

IaaS is a cloud service model where the provider delivers and manages the basic infrastructure, such as the servers, storage, and network. The provider is responsible for the security of the physical infrastructure and the virtualization layer. The customer must manage the security of its own identity and access management, operating systems, data encryption, network security, and application security. SaaS is a cloud service model where the provider delivers and manages the entire software application. PaaS is a cloud service model where the provider delivers and manages the platform and tools for developing and hosting applications. FaaS is a cloud service model where the provider delivers and manages the execution of discrete functions or code snippets.

Introduction to security for SaaS, PaaS, and IaaS - Training | Microsoft Learn
Shared responsibility in the cloud - Microsoft Azure | Microsoft Learn

++++++++++++++++

Q1

Your company has a Microsoft 365 E5 subscription. The Chief Compliance Officer plans to enhance privacy management in the working environment. You need to recommend a solution to enhance the privacy management.
The solution must meet the following requirements:
✑ Identify unused personal data and empower users to make smart data handling decisions.
✑ Provide users with notifications and guidance when a user sends personal data in Microsoft Teams.
✑ Provide users with recommendations to mitigate privacy risks.
What should you include in the recommendation?
A. communication compliance in insider risk management
B. Microsoft Viva Insights
C. Privacy Risk Management in Microsoft Priva
D. Advanced eDiscovery

Privacy Risk Management in Microsoft Priva gives you the capability to set up policies that identify privacy risks in your Microsoft 365 environment and enable easy remediation. Privacy Risk Management policies are meant to be internal guides and can help you: Detect overexposed personal data so that users can secure it. Spot and limit transfers of personal data across departments or regional borders. Help users identify and reduce the amount of unused personal data that you store.
https://learn.microsoft.com/en-us/privacy/priva/risk-management

- This is primarily aimed at employee productivity and well-being insights, not specific data privacy management.
D) **Advanced eDiscovery:**
- This is more about data discovery for legal and compliance purposes, particularly in response to investigations or litigation. It is not designed specifically to manage ongoing privacy risks or provide user guidance on handling personal data.
Thus, **Privacy Risk Management in Microsoft Priva** is the most appropriate tool to recommend given the specified requirements.

Correct Answer: C

Privacy Risk Management in Microsoft Priva gives you the capability to set up policies that identify privacy risks in your Microsoft 365 environment and enable easy remediation. Privacy Risk Management policies are meant to be internal guides and can help you: Detect overexposed personal data so that users can secure it. Spot and limit transfers of personal data across departments or regional borders. Help users identify and reduce the amount of unused personal data that you store.

Incorrect:
Not B: Microsoft Viva Insights provides personalized recommendations to help you do your best work. Get insights to build better work habits, such as following through on commitments made to collaborators and protecting focus time in the day for uninterrupted, individual work.
Not D: The Microsoft Purview eDiscovery (Premium) solution builds on the existing Microsoft eDiscovery and analytics capabilities. eDiscovery (Premium) provides an end-to-end workflow to preserve, collect, analyze, review, and export content that's responsive to your organization's internal and external investigations.

Reference: https://docs.microsoft.com/en-us/privacy/priva/risk-management

=====================

You have an Azure subscription that has Microsoft Defender for Cloud enabled. Suspicious authentication activity alerts have been appearing in the Workload protections dashboard. You need to recommend a solution to evaluate and remediate the alerts by using workflow automation. The solution must minimize development effort. What should you include in the recommendation?
A. Azure Monitor webhooks
B. Azure Event Hubs
C. Azure Functions apps
D. Azure Logic Apps

D

The workflow automation feature of Microsoft Defender for Cloud can trigger Logic Apps on security alerts, recommendations, and changes to regulatory compliance.
Note: Azure Logic Apps is a cloud-based platform for creating and running automated workflows that integrate your apps, data, services, and systems. With this platform, you can quickly develop highly scalable integration solutions for your enterprise and business-to-business (B2B) scenarios.

Incorrect:
Not C: Using Azure Functions apps would require more effort.

Reference: https://docs.microsoft.com/en-us/azure/defender-for-cloud/workflow-automation

D is the answer.
https://learn.microsoft.com/en-us/azure/defender-for-cloud/workflow-automation
Every security program includes multiple workflows for incident response. These processes might include notifying relevant stakeholders, launching a change management process, and applying specific remediation steps. Security experts recommend that you automate as many steps of those procedures as you can. Automation reduces overhead. It can also improve your security by ensuring the process steps are done quickly, consistently, and according to your predefined requirements. This feature can trigger consumption logic apps on security alerts, recommendations, and changes to regulatory compliance. For example, you might want Defender for Cloud to email a specific user when an alert occurs. You'll also learn how to create logic apps using Azure Logic Apps.

==============

Q3

Your company is moving a big data solution to Azure. The company plans to use the following storage workloads:
A. Azure Storage blob containers
B. Azure Data Lake Storage Gen2
C. Azure Storage file shares
D. Azure Disk Storage
Which two storage workloads support authentication by using Azure Active Directory (Azure AD)? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

CD

C: Azure Storage supports using Azure Active Directory (Azure AD) to authorize requests to blob data. With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. The security principal is authenticated by Azure AD to return an OAuth 2.0 token. The token can then be used to authorize a request against the Blob service. You can scope access to Azure blob resources at the following levels, beginning with the narrowest scope:
* An individual container. At this scope, a role assignment applies to all of the blobs in the container, as well as container properties and metadata.
* The storage account.
* The resource group.
* The subscription.
* A management group.

D: You can securely access data in an Azure Data Lake Storage Gen2 (ADLS Gen2) account using OAuth 2.0 with an Azure Active Directory (Azure AD) application service principal for authentication. Using a service principal for authentication provides two options for accessing data in your storage account:
A mount point to a specific file or path
Direct access to data

Incorrect:
Not A: To enable AD DS authentication over SMB for Azure file shares, you need to register your storage account with AD DS and then set the required domain properties on the storage account. To register your storage account with AD DS, create an account representing it in your AD DS.

Reference:
https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory
https://docs.microsoft.com/en-us/azure/databricks/data/data-sources/azure/adls-gen2/azure-datalake-gen2-sp-access

The correct answers are: C) **Azure Storage blob containers** and D) **Azure Data Lake Storage Gen2**

Here's an explanation for why these options are correct:

### C) Azure Storage blob containers
Azure Storage blob containers support authentication using Azure Active Directory (Azure AD). This allows you to control access to the blob storage by leveraging identity management through Azure AD. This integration helps you ensure that only authenticated and authorized users can access the storage resources, providing robust access control and security features.

### D) Azure Data Lake Storage Gen2
Azure Data Lake Storage Gen2 is built on top of Azure Storage blob containers and inherits its security capabilities, including Azure AD authentication. With Azure AD integration, you can manage and secure access to your data lake with fine-grained permissions using Azure AD credentials, ensuring that your data remains secure and access is controlled reliably.
### Why the other options are not correct:

A) **Azure Storage file shares**
Azure Storage file shares typically use user-delegation via shared access signatures (SAS) or specific account keys rather than direct Azure AD authentication. While there are integrations and ways to use Active Directory Domain Services (AD DS) with Azure file shares, it's generally more complex and isn't directly referred to as Azure AD authentication.

B) **Azure Disk Storage**
Azure Disk Storage also does not natively support direct Azure AD authentication. Disk access permissions are usually managed through role-based access control (RBAC) at the level of the virtual machines they are attached to. Direct authentication of disk storage via Azure AD is not a standard feature.

By understanding the integrations and authentication mechanisms available for different Azure storage solutions, it's easier to deploy and manage them securely within your enterprise environment.

================

Q4

HOTSPOT -
Your company is migrating data to Azure. The data contains Personally Identifiable Information (PII). The company plans to use Microsoft Information Protection for the PII data store in Azure. You need to recommend a solution to discover PII data at risk in the Azure resources. What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Box 1: Azure Purview -
Microsoft Purview is a unified data governance service that helps you manage and govern your on-premises, multi-cloud, and software-as-a-service (SaaS) data. Microsoft Purview allows you to:
Create a holistic, up-to-date map of your data landscape with automated data discovery, sensitive data classification, and end-to-end data lineage.
Enable data curators to manage and secure your data estate.
Empower data consumers to find valuable, trustworthy data.
Box 2: Microsoft Defender for Cloud
Microsoft Purview provides rich insights into the sensitivity of your data. This makes it valuable to security teams using Microsoft Defender for Cloud to manage the organization's security posture and protect against threats to their workloads. Data resources remain a popular target for malicious actors, making it crucial for security teams to identify, prioritize, and secure sensitive data resources across their cloud environments. The integration with Microsoft Purview expands visibility into the data layer, enabling security teams to prioritize resources that contain sensitive data.

References:
https://docs.microsoft.com/en-us/azure/purview/overview
https://docs.microsoft.com/en-us/azure/purview/how-to-integrate-with-azure-security-product

=============

Q5

You have a Microsoft 365 E5 subscription and an Azure subscription. You are designing a Microsoft deployment. You need to recommend a solution for the security operations team. The solution must include custom views and a dashboard for analyzing security events. What should you recommend using in Microsoft Sentinel?
A. notebooks
B. playbooks
C. workbooks
D. threat intelligence

After you connect your data sources to Microsoft Sentinel, you get instant visualization and analysis of data so that you can know what's happening across all your connected data sources. Microsoft Sentinel gives you workbooks that provide you with the full power of tools already available in Azure as well as tables and charts that are built in to provide you with analytics for your logs and queries. You can either use built-in workbooks or create a new workbook easily, from scratch or based on an existing workbook.
Reference: https://docs.microsoft.com/en-us/azure/sentinel/get-visibility

Absolutely, let's dive into the chosen answer:

The correct option is: C) workbooks

**Explanation:**
- **Workbooks** are an essential feature in Microsoft Sentinel designed to provide rich visualizations and custom views for analyzing data. They allow you to combine text, metrics, and data from various sources into one unified view, which is particularly valuable for security operations teams needing to analyze security events.
- Workbooks are highly customizable and provide interactive reports that can be adjusted to fit specific needs. They can incorporate data from Azure Monitor and other log sources, making them a versatile tool for security monitoring and analysis within Microsoft Sentinel.

**Why Not the Other Options:**
- **A) notebooks:** Notebooks in Microsoft Sentinel are used for advanced data analysis and machine learning. They offer a powerful, code-based interface for analysts who need to run complex queries and create sophisticated analysis models. However, they are not primarily designed for creating dashboards and custom views suitable for a wider security operations team.
- **B) playbooks:** Playbooks are automated workflows built on Azure Logic Apps. They are used for incident response and automation tasks but not for creating visual dashboards or custom views.
- **D) threat intelligence:** Threat intelligence in Microsoft Sentinel is used to ingest and utilize data on known threats and attack patterns. While it is a crucial part of a comprehensive security strategy, it does not provide the visualization and custom dashboard creation capabilities that workbooks offer.

Thus, for the specific requirement of creating custom views and dashboards to analyze security events, workbooks are the appropriate solution within Microsoft Sentinel.

=============

Q6

Your company has a Microsoft 365 subscription and uses Microsoft Defender for Identity.
You are informed about incidents that relate to compromised identities. You need to recommend a solution to expose several accounts for attackers to exploit. When the attackers attempt to exploit the accounts, an alert must be triggered. Which Defender for Identity feature should you include in the recommendation?
A. sensitivity labels
B. custom user tags
C. standalone sensors
D. honeytoken entity tags

D

Honeytoken entities are used as traps for malicious actors. Any authentication associated with these honeytoken entities triggers an alert.

Incorrect:
Not B: custom user tags - After you apply system tags or custom tags to users, you can use those tags as filters in alerts, reports, and investigation.

Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender-identity/entity-tags

The correct answer is D) honeytoken entity tags.

**Explanation:**
Honeytoken entity tags are a feature in Microsoft Defender for Identity that allows you to create decoy accounts (known as honeytokens). These are fake accounts that have no legitimate purpose in your environment and are designed specifically to detect malicious activity. When an attacker attempts to exploit such an account, the system will automatically generate an alert.

Here's why honeytoken entity tags are the correct choice:
1. **Purpose-Built for Detection**: Honeytoken entities are specifically designed for the purpose of acting as traps for attackers. They help detect malicious activities by attracting attackers to interact with these decoy accounts, thus revealing their presence and tactics.
2. **Immediate Alerts**: When attackers attempt to use or compromise these accounts, security teams receive immediate alerts. This enables a swift response to potential security threats.
3. **Visibility into Attack Patterns**: Using honeytoken entity tags helps organizations gain insights into attack patterns and methods used by attackers without compromising real user accounts.
**Other Options:**
A) **Sensitivity labels**: Sensitivity labels are primarily used to classify and protect data based on its sensitivity. They do not serve the purpose of detecting compromised identities or triggering alerts when accounts are exploited.
B) **Custom user tags**: Custom user tags are used to manage and organize users within Defender for Identity, but they do not provide the functionality to act as decoys or trigger alerts upon being exploited.
C) **Standalone sensors**: Standalone sensors are used for monitoring network traffic and activities but are not designed for creating decoy accounts or directly generating alerts based on the exploitation of those accounts.

Therefore, the honeytoken entity tags feature is the most appropriate solution as it is designed to expose accounts for attackers to exploit and trigger alerts when this happens, addressing the specified requirement effectively.

=============

Q7

Your company is moving all on-premises workloads to Azure and Microsoft 365. You need to design a security orchestration, automation, and response (SOAR) strategy in Microsoft Sentinel that meets the following requirements:
✑ Minimizes manual intervention by security operation analysts
✑ Supports triaging alerts within Microsoft Teams channels
What should you include in the strategy?
A. KQL
B. playbooks
C. data connectors
D. workbooks

B

Playbooks in Microsoft Sentinel are based on workflows built in Azure Logic Apps, a cloud service that helps you schedule, automate, and orchestrate tasks and workflows across systems throughout the enterprise. A playbook is a collection of these remediation actions that can be run from Microsoft Sentinel as a routine. A playbook can help automate and orchestrate your threat response; it can be run manually or set to run automatically in response to specific alerts or incidents, when triggered by an analytics rule or an automation rule, respectively.
Incorrect:
Not A: Kusto Query Language is a powerful tool to explore your data and discover patterns, identify anomalies and outliers, create statistical modeling, and more. The query uses schema entities that are organized in a hierarchy similar to SQL's: databases, tables, and columns.
Not D: Workbooks provide a flexible canvas for data analysis and the creation of rich visual reports within the Azure portal. They allow you to tap into multiple data sources from across Azure, and combine them into unified interactive experiences. Workbooks allow users to visualize the active alerts related to their resources.

Reference:
https://docs.microsoft.com/en-us/azure/sentinel/automate-responses-with-playbooks
https://docs.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-overview

The correct answer is B) playbooks.

**Explanation:**
1. **Minimizes manual intervention by security operation analysts**:
   - Playbooks in Microsoft Sentinel enable automation of incident response actions by linking various security tools and services together using logic apps. This significantly reduces the need for manual intervention, as the responses to detected threats can be automated.
2. **Supports triaging alerts within Microsoft Teams channels**:
   - Playbooks can also be configured to send alerts and notifications to Microsoft Teams channels. This facilitates the quick triaging and collaborative handling of incidents since the alerts are directly fed into the communication platform used by security teams.

**Alternative Options Explanation:**
- **A) KQL (Kusto Query Language)**:
  - KQL is primarily used for querying and analyzing log data within Microsoft Sentinel, not for orchestrating responses or automating tasks.
- **C) data connectors**:
  - Data connectors are used for importing and integrating different sources of data into Microsoft Sentinel. While crucial for gathering information, they do not address the automation of response actions or alert triaging.
- **D) workbooks**:
  - Workbooks are used for data visualization and reporting within Microsoft Sentinel. They help in monitoring and analyzing data, but they do not contribute to response automation or alert triaging in Microsoft Teams channels.

Thus, playbooks are the most fitting option as they directly address the needs for automation and integration with Microsoft Teams.

==================

Q8

You have an Azure subscription that contains virtual machines, storage accounts, and Azure SQL databases. All resources are backed up multiple times a day by using Azure Backup. You are developing a strategy to protect against ransomware attacks. You need to recommend which controls must be enabled to ensure that Azure Backup can be used to restore the resources in the event of a successful ransomware attack. Which two controls should you include in the recommendation? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Enable soft delete for backups.
B. Require PINs for critical operations.
C. Encrypt backups by using customer-managed keys (CMKs).
D. Perform offline backups to Azure Data Box.
E. Use Azure Monitor notifications when backup configurations change.

BE

Checks have been added to make sure only valid users can perform various operations. These include adding an extra layer of authentication. As part of adding an extra layer of authentication for critical operations, you're prompted to enter a security PIN before modifying online backups. Your backups need to be protected from sophisticated bot and malware attacks. Permanent loss of data can have significant cost and time implications to your business. To help protect against this, Azure Backup guards against malicious attacks through deeper security, faster notifications, and extended recoverability. For deeper security, only users with valid Azure credentials will receive a security PIN generated by the Azure portal to allow them to backup data.
If a critical backup operation is authorized, such as "delete backup data," a notification is immediately sent so you can engage and minimize the impact to your business. If a hacker does delete backup data, Azure Backup will store the deleted backup data for up to 14 days after deletion.

E: Key benefits of Azure Monitor alerts include:
Monitor alerts at-scale via Backup center: In addition to enabling you to manage the alerts from Azure Monitor dashboard, Azure Backup also provides an alert management experience tailored to backups via Backup center. This allows you to filter alerts by backup specific properties, such as workload type, vault location, and so on, and a way to get quick visibility into the active backup security alerts that need attention.

Reference:
https://docs.microsoft.com/en-us/azure/security/fundamentals/backup-plan-to-protect-against-ransomware
https://www.microsoft.com/security/blog/2017/01/05/azure-backup-protects-against-ransomware/
https://docs.microsoft.com/en-us/azure/backup/move-to-azure-monitor-alerts

Certainly! Let's break down why options B and E are the correct answers for ensuring that Azure Backup can be used to restore resources in the event of a ransomware attack:

### B) Require PINs for critical operations.
**Explanation:**
- **Critical Operation Security:** By requiring PINs for critical operations, you add an extra layer of security. This ensures that only authorized personnel can perform critical actions, such as modifying or deleting backups.
- **Ransomware Prevention:** In a ransomware attack, attackers often try to delete or corrupt backup data to make recovery impossible. Requiring a PIN helps mitigate this risk by ensuring that even if an attacker gains access, they cannot easily delete or alter backups without the PIN.

### E) Use Azure Monitor notifications when backup configurations change.
**Explanation:**
- **Monitoring and Alerting:** Azure Monitor can track and notify administrators of any changes in backup configurations. This proactive monitoring enables early detection of suspicious activity.
- **Incident Response:** Timely notifications allow administrators to respond quickly to unauthorized changes, potentially before any serious damage is done. This is crucial for mitigating the effects of a ransomware attack, as swift action can prevent further data loss.

### Why Other Options Are Less Optimal:
- **A) Enable soft delete for backups:** While soft delete provides the ability to recover deleted backups, it doesn't directly prevent or mitigate ransomware attacks. It would be useful but is not as effective as requiring PINs and monitoring changes.
- **C) Encrypt backups by using customer-managed keys (CMKs):** Encryption is important for protecting the data at rest and in transit but does not directly address the issue of protecting the availability of backups in the event of a ransomware attack.
- **D) Perform offline backups to Azure Data Box:** Offline backups are a good strategy for data redundancy, but they are not as immediately useful for restoring services quickly. They also don't have the same level of integration and accessibility as Azure Backup, which is crucial during a ransomware attack.

In summary, requiring PINs for critical operations (B) and using Azure Monitor notifications for backup configuration changes (E) directly enhance the security and monitoring of backups, making them robust solutions against ransomware attacks.

=============

Q9 HOTSPOT

You are creating the security recommendations for an Azure App Service web app named App1. App1 has the following specifications:
- Users will request access to App1 through the My Apps portal. A human resources manager will approve the requests.
- Users will authenticate by using Azure Active Directory (Azure AD) user accounts.
You need to recommend an access security architecture for App1. What should you include in the recommendation? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Box 1: A managed identity in Azure AD
Use a managed identity. You use Azure AD as the identity provider.

Box 2: An access review in Identity Governance
Access to groups and applications for employees and guests changes over time. To reduce the risk associated with stale access assignments, administrators can use Azure Active Directory (Azure AD) to create access reviews for group members or application access.

Reference:
https://docs.microsoft.com/en-us/azure/app-service/scenario-secure-app-authentication-app-service
https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review

=================

Q10 HOTSPOT

Your company uses Microsoft Defender for Cloud and Microsoft Sentinel. The company is designing an application that will have the architecture shown in the following exhibit.

You are designing a logging and auditing solution for the proposed architecture. The solution must meet the following requirements:
- Integrate Azure Web Application Firewall (WAF) logs with Microsoft Sentinel.
- Use Defender for Cloud to review alerts from the virtual machines.

What should you include in the solution? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Box 1: Data connectors
The Microsoft Sentinel connector streams security alerts from Microsoft Defender for Cloud into Microsoft Sentinel.

Launch a WAF workbook (see step 7 below). The WAF workbook works for all Azure Front Door, Application Gateway, and CDN WAFs. Before connecting the data from these resources, Log Analytics must be enabled on your resource. To enable Log Analytics for each resource, go to your individual Azure Front Door, Application Gateway, or CDN resource:
1. Select Diagnostic settings.
2. Select + Add diagnostic setting.
3. In the Diagnostic setting page (details skipped).
4. On the Azure home page, type Microsoft Sentinel in the search bar and select the Microsoft Sentinel resource.
5. Select an already active workspace or create a new workspace.
6. On the left side panel, under Configuration, select Data Connectors.
7. Search for Azure web application firewall and select Azure web application firewall (WAF). Select Open connector page on the bottom right.
8. Follow the instructions under Configuration for each WAF resource that you want to have Log Analytics data for, if you haven't done so previously.
9. Once finished configuring individual WAF resources, select the Next steps tab. Select one of the recommended workbooks. This workbook will use all Log Analytics data that was enabled previously. A working WAF workbook should now exist for your WAF resources.

Box 2: The Log Analytics agent
Use the Log Analytics agent to integrate with Microsoft Defender for Cloud. The Log Analytics agent is required for solutions, VM insights, and other services such as Microsoft Defender for Cloud.

Note: The Log Analytics agent in Azure Monitor can also be used to collect monitoring data from the guest operating system of virtual machines. You may choose to use either or both depending on your requirements.

Azure Log Analytics agent: Use Defender for Cloud to review alerts from the virtual machines. The Azure Log Analytics agent collects telemetry from Windows and Linux virtual machines in any cloud, on-premises machines, and those monitored by System Center Operations Manager, and sends the collected data to your Log Analytics workspace in Azure Monitor.

Incorrect: The Azure Diagnostics extension does not integrate with Microsoft Defender for Cloud.
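Steps 1 to 3 above as infrastructure code instead of portal clicks: an added Bicep example, not from the original question set or Microsoft's documentation, that creates the diagnostic setting which sends an Application Gateway WAF's firewall and access logs to the Log Analytics workspace that Microsoft Sentinel is enabled on. The gateway name and the workspace resource ID are placeholders to replace with your own.

```bicep
// Added example: diagnostic setting that streams Application Gateway WAF logs
// to the Log Analytics workspace behind Microsoft Sentinel (steps 1-3 above).
// Not from the original question set; the names below are placeholders.

@description('Name of an existing Application Gateway (WAF_v2 SKU) in this resource group.')
param appGatewayName string = 'appgw-placeholder'

@description('Resource ID of the Log Analytics workspace that Microsoft Sentinel is enabled on.')
param sentinelWorkspaceId string = '/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<sentinel-workspace>'

// Reference the gateway that already exists; this template does not create it.
resource appGw 'Microsoft.Network/applicationGateways@2023-05-01' existing = {
  name: appGatewayName
}

// The "Add diagnostic setting" dialog from steps 2 and 3 becomes this resource.
// It is scoped to the gateway so the gateway's own logs are exported.
resource wafDiag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'waf-logs-to-sentinel'
  scope: appGw
  properties: {
    workspaceId: sentinelWorkspaceId
    logs: [
      {
        // Rule matches and blocked requests: the data the WAF connector and workbook use.
        category: 'ApplicationGatewayFirewallLog'
        enabled: true
      }
      {
        // Per-request access log, used to correlate a WAF match with the full request.
        category: 'ApplicationGatewayAccessLog'
        enabled: true
      }
    ]
  }
}
```

Deploy it into the gateway's resource group with `az deployment group create --resource-group <rg> --template-file waf-diag.bicep`, then continue with steps 4 to 9 to connect the WAF data connector and open the workbook.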
Reference:
https://docs.microsoft.com/en-us/azure/web-application-firewall/waf-sentinel
https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-data-collection
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview

=============

Q11

Your company has a third-party security information and event management (SIEM) solution that uses Splunk and Microsoft Sentinel. You plan to integrate Microsoft Sentinel with Splunk. You need to recommend a solution to send security events from Microsoft Sentinel to Splunk.

What should you include in the recommendation?

A) a Microsoft Sentinel data connector
B) Azure Event Hubs
C) a Microsoft Sentinel workbook
D) Azure Data Factory

Correct answer: A

The Microsoft Sentinel Add-On for Splunk allows Azure Log Analytics and Microsoft Sentinel users to ingest security logs from the Splunk platform using the Azure HTTP Data Collector API.

Reference:
https://splunkbase.splunk.com/app/5312/

The correct answer is A) a Microsoft Sentinel data connector.

**Explanation:**

A) **Microsoft Sentinel data connector** (Correct Answer)
Data connectors are specifically designed to integrate Microsoft Sentinel with various third-party security solutions, including Splunk. These connectors enable you to send and receive security data easily, ensuring that events from Sentinel can be forwarded to Splunk for additional analysis and correlation.

Here's why the other options are less appropriate:

B) **Azure Event Hubs**
While Azure Event Hubs could potentially be used to ingest streaming data into Azure or transmit it to other services, it is not expressly designed for straightforward integration between Sentinel and Splunk. Using Event Hubs would involve a more complex setup and wouldn't offer the seamless integration that data connectors do.

C) **Microsoft Sentinel workbook**
Workbooks are used for creating customizable reports and dashboards within Microsoft Sentinel.
They are excellent for visualizing and analyzing data but are not designed for data integration or transmission between different SIEM platforms.

D) **Azure Data Factory**
Azure Data Factory is a data integration service designed for moving and transforming data from various sources. While powerful, it is not tailored for real-time security event data forwarding and would add unnecessary complexity to the task.

Therefore, the best recommendation for sending security events from Microsoft Sentinel to Splunk is a Microsoft Sentinel data connector, which ensures an efficient, effective, and simple integration process.

==================

Q12

A customer follows the Zero Trust model and explicitly verifies each attempt to access its corporate applications. The customer discovers that several endpoints are infected with malware. The customer suspends access attempts from the infected endpoints. The malware is removed from the endpoints.

Which two conditions must be met before endpoint users can access the corporate applications again? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A) The client access tokens are refreshed.
B) Microsoft Intune reports the endpoints as compliant.
C) A new Azure Active Directory (Azure AD) Conditional Access policy is enforced.
D) Microsoft Defender for Endpoint reports the endpoints as compliant.

Correct answer: AC

A: When a client acquires an access token to access a protected resource, the client also receives a refresh token. The refresh token is used to obtain new access/refresh token pairs when the current access token expires. Refresh tokens are also used to acquire extra access tokens for other resources. Refresh token expiration: refresh tokens can be revoked at any time, because of timeouts and revocations.

C: Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
It uses a combination of endpoint behavioral sensors, cloud security analytics, and threat intelligence.

The interviewees said that "by implementing Zero Trust architecture, their organizations improved employee experience (EX) and increased productivity." They also noted, "increased device performance and stability by managing all of their endpoints with Microsoft Endpoint Manager." This had a bonus effect of reducing the number of agents installed on a user's device, thereby increasing device stability and performance. "For some organizations, this can reduce boot times from 30 minutes to less than a minute," the study states. Moreover, shifting to Zero Trust moved the burden of security away from users. Implementing single sign-on (SSO), multifactor authentication (MFA), leveraging passwordless authentication, and eliminating VPN clients all further reduced friction and improved user productivity.

Note: Azure AD at the heart of your Zero Trust strategy. Azure AD provides critical functionality for your Zero Trust strategy. It enables strong authentication, a point of integration for device security, and the core of your user-centric policies to guarantee least-privileged access. Azure AD's Conditional Access capabilities are the policy decision point for access to resources.

Reference:
https://www.microsoft.com/security/blog/2022/02/17/4-best-practices-to-implement-a-comprehensive-zero-trust-security-approach
https://docs.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens

The correct answers are:
**A) The client access tokens are refreshed.**
**C) A new Azure Active Directory (Azure AD) Conditional Access policy is enforced.**

### Explanation:

#### A) The client access tokens are refreshed.
After malware has been removed from the endpoints, it's essential to refresh the client access tokens. Tokens issued before the malware removal could have been compromised or tied to a non-compliant state of the endpoint.
By refreshing the tokens, the system ensures that only tokens associated with secure and verified states are used in future access attempts.

#### C) A new Azure Active Directory (Azure AD) Conditional Access policy is enforced.
Implementing a new Conditional Access policy ensures that any gaps that may have been exploited by the malware are addressed. This policy can enforce new compliance or security requirements before allowing access to corporate applications. It could, for example, require that endpoints meet specific monitoring or security criteria set forth after an incident.

### Analysis of Other Options:

#### B) Microsoft Intune reports the endpoints as compliant.
While ensuring endpoint compliance via Microsoft Intune is crucial, simply having Intune report that the endpoints are compliant does not cover all the conditions needed for ensuring secure access. Compliant status alone doesn't consider potential changes in security posture or refresh the access tokens.

#### D) Microsoft Defender for Endpoint reports the endpoints as compliant.
As in the case of Microsoft Intune, while it is important that endpoints are seen as compliant by Microsoft Defender for Endpoint, this alone does not guarantee secure access. You still need to refresh access tokens and enforce potentially new Conditional Access policies.

Thus, refreshing the client access tokens and enforcing a new Azure AD Conditional Access policy directly address the immediate need to secure access post-remediation.

====================

Q13 HOTSPOT

You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft Defender for Cloud are enabled. The Azure subscription contains a Microsoft Sentinel workspace. Microsoft Sentinel data connectors are configured for Microsoft 365, Microsoft 365 Defender, Defender for Cloud, and Azure. You plan to deploy Azure virtual machines that will run Windows Server.
You need to enable extended detection and response (EDR) and security orchestration, automation, and response (SOAR) capabilities for Microsoft Sentinel. How should you recommend enabling each capability? To answer, select the appropriate options in the answer area.

Hot Area:

Correct Answer:

Box 1: Onboard the servers to Defender for Cloud.
Extended detection and response (XDR) is a new approach defined by industry analysts that is designed to deliver intelligent, automated, and integrated security across domains to help defenders connect seemingly disparate alerts and get ahead of attackers. As part of this announcement, we are unifying all XDR technologies under the Microsoft Defender brand. The new Microsoft Defender is the most comprehensive XDR in the market today and prevents, detects, and responds to threats across identities, endpoints, applications, email, IoT, infrastructure, and cloud platforms.

Box 2: Configure Microsoft Sentinel playbooks.
As a SOAR platform, its primary purposes are to automate any recurring and predictable enrichment, response, and remediation tasks that are the responsibility of Security Operations Centers (SOC/SecOps). Leveraging SOAR frees up time and resources for more in-depth investigation of, and hunting for, advanced threats. Automation takes a few different forms in Microsoft Sentinel, from automation rules that centrally manage the automation of incident handling and response, to playbooks that run predetermined sequences of actions to provide robust and flexible advanced automation for your threat response tasks.

Reference:
https://www.microsoft.com/security/blog/2020/09/22/microsoft-unified-siem-xdr-modernize-security-operations
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/become-a-microsoft-sentinel-automation-ninja/ba-p/3563377

To address the requirements and questions:

1. **Extended Detection and Response (EDR):** To enable EDR capabilities for Azure virtual machines running Windows Server, you would use **Microsoft Defender for Endpoint**. Microsoft Defender for Endpoint offers comprehensive EDR functionality, including behavioral monitoring, threat analytics, and more, which is essential for advanced threat detection and response.
   **Correct option:** Microsoft Defender for Endpoint
   - **Justification:** Microsoft Defender for Endpoint is specifically designed to provide endpoint detection and response capabilities. It monitors and responds to advanced threats on devices running Windows Server.

2. **Security Orchestration, Automation, and Response (SOAR):** For SOAR capabilities integrated with Microsoft Sentinel, you would need to leverage **Microsoft Sentinel Playbooks**. Playbooks in Microsoft Sentinel use Azure Logic Apps to automate and orchestrate responses to detected threats, making them ideal for SOAR capabilities.
   **Correct option:** Microsoft Sentinel Playbooks
   - **Justification:** Microsoft Sentinel Playbooks allow the creation of automated workflows to respond to security incidents. They integrate well with various data connectors and play a critical role in automating responses and mitigating threats effectively.

---

**Potential Answer Justification:**

1. **Extended Detection and Response (EDR):**
   - **Microsoft Defender for Endpoint**: This is the correct choice, as it provides comprehensive EDR functionality, including advanced threat detection, monitoring, and response capabilities specifically for Windows Server.
   Other options could include:
   - **Microsoft Defender for Cloud**: While it offers broader security management and threat protection features across Azure and hybrid environments, it does not specialize solely in EDR for Windows Server endpoints.

2. **Security Orchestration, Automation, and Response (SOAR):**
   - **Microsoft Sentinel Playbooks**: This is the right choice because it directly integrates with Microsoft Sentinel for automating and orchestrating incident response through predefined workflows using Azure Logic Apps.
   Other options could include:
   - **Microsoft Defender for Cloud**: It includes some automated response capabilities but does not provide the same level of dedicated orchestration and automation that Sentinel Playbooks offer.
   - **Azure Policy**: Primarily used for enforcing policies and compliance, not for real-time security orchestration and automation.

Thus, the recommended selections ensure that the requirements for both EDR and SOAR capabilities are optimally met within the given infrastructure setup involving Microsoft 365 Defender, Microsoft Defender for Cloud, and Microsoft Sentinel.

===========

Q14

You have a customer that has a Microsoft 365 subscription and uses the Free edition of Azure Active Directory (Azure AD). The customer plans to obtain an Azure subscription and provision several Azure resources. You need to evaluate the customer's security environment.

What will necessitate an upgrade from the Azure AD Free edition to the Premium edition?

A) Azure AD Privileged Identity Management (PIM)
B) role-based authorization
C) resource-based authorization
D) Azure AD Multi-Factor Authentication

Correct answer: D

Multifactor authentication (MFA), an important component of the Zero Trust model, is missing in the Azure AD Free edition.

Reference:
https://www.microsoft.com/en-us/security/business/identity-access/azure-active-directory-pricing

The correct answer is D) Azure AD Multi-Factor Authentication (MFA).

Explanation:

**Azure AD Free edition** includes basic identity and access management functionality, but it has limitations compared to the Premium editions.
When it comes to enhanced security features such as multifactor authentication (MFA), the Free edition of Azure AD does not fully support these advanced capabilities.

**A) Azure AD Privileged Identity Management (PIM):** This feature is part of Azure AD Premium P2. It helps manage, control, and monitor access within Azure AD, Azure, and other Microsoft Online Services by providing just-in-time privileged access.

**B) Role-based authorization:** This feature is available in all editions of Azure AD, including the Free edition. It allows the assignment of roles to users and groups to manage access to resources effectively.

**C) Resource-based authorization:** This is a standard feature available across subscription tiers and handles permissions to Azure resources at a more granular level. Like role-based authorization, it's available in the Free edition.

Therefore, **D) Azure AD Multi-Factor Authentication (MFA)** necessitates an upgrade from the Free edition to one of the Premium editions, as the Free edition does not have full support for MFA, which is critical for enhanced security measures, especially when managing multiple Azure resources.

==============

Q15

You are designing the security standards for a new Azure environment. You need to design a privileged identity strategy based on the Zero Trust model.

Which framework should you follow to create the design?

A) Microsoft Security Development Lifecycle (SDL)
B) Enhanced Security Admin Environment (ESAE)
C) Rapid Modernization Plan (RaMP)
D) Microsoft Operational Security Assurance (OSA)

RaMP initiatives for Zero Trust: To rapidly adopt Zero Trust in your organization, RaMP offers technical deployment guidance organized in these initiatives. In particular, meet these deployment objectives to protect your privileged identities with Zero Trust:
1. Deploy secured privileged access to protect administrative user accounts.
2. Deploy Azure AD Privileged Identity Management (PIM) for a time-bound, just-in-time approval process for the use of privileged user accounts.

Note 1: RaMP guidance takes a project management and checklist approach:
* User access and productivity
  1. Explicitly validate trust for all access requests
     - Identities
     - Endpoints (devices)
     - Apps
     - Network
* Data, compliance, and governance
  2. Ransomware recovery readiness
  3. Data
* Modernize security operations
  4. Streamline response
  5. Unify visibility
  6. Reduce manual effort

Note 2: As an alternative to deployment guidance that provides detailed configuration steps for each of the technology pillars being protected by Zero Trust principles, Rapid Modernization Plan (RaMP) guidance is based on initiatives and gives you a set of deployment paths to more quickly implement key layers of protection. By providing a suggested mapping of key stakeholders, implementers, and their accountabilities, you can more quickly organize an internal project and define the tasks and owners to drive them to conclusion. By providing a checklist of deployment objectives and implementation steps, you can see the bigger picture of infrastructure requirements and track your progress.

Incorrect:
Not B: Enhanced Security Admin Environment (ESAE). The Enhanced Security Admin Environment (ESAE) architecture (often referred to as red forest, admin forest, or hardened forest) is an approach to provide a secure environment for Windows Server Active Directory (AD) administrators. Microsoft's recommendation to use this architectural pattern has been replaced by the modern privileged access strategy and Rapid Modernization Plan (RaMP) guidance as the default recommended approach for securing privileged users. The ESAE hardened administrative forest pattern (on-prem or cloud-based) is now considered a custom configuration suitable only for the exception cases listed below.

What are the valid ESAE use cases?
While not a mainstream recommendation, this architectural pattern is valid in a limited set of scenarios. In these exception cases, the organization must accept the increased technical complexity and operational costs of the solution. The organization must have a sophisticated security program to measure risk, monitor risk, and apply consistent operational rigor to the usage and maintenance of the ESAE implementation. Example scenarios include:
- Isolated on-premises environments: where cloud services are unavailable, such as offline research laboratories, critical infrastructure or utilities, disconnected operational technology (OT) environments such as supervisory control and data acquisition (SCADA) / industrial control systems (ICS), and public sector customers that are fully reliant on on-premises technology.
- Highly regulated environments: industry or government regulation may specifically require an administrative forest configuration.
- High-level security assurance is mandated: organizations with low risk tolerance that are willing to accept the increased complexity and operational cost of the solution.

Reference:
https://docs.microsoft.com/en-us/security/zero-trust/zero-trust-ramp-overview
https://docs.microsoft.com/en-us/security/zero-trust/user-access-productivity-validate-trust#identities
https://docs.microsoft.com/en-us/security/compass/esae-retirement

The correct answer is C) Rapid Modernization Plan (RaMP).

### Explanation:
The Rapid Modernization Plan (RaMP) is a strategic framework specifically designed to help organizations quickly modernize their security posture, including the management of privileged identities in Azure environments. The RaMP framework incorporates principles of the Zero Trust model, which is essential for designing a robust privileged identity strategy. The Zero Trust model emphasizes validating every request as though it originates from an open network, without assuming trust based on location or network.
### Justification:
- **Rapid Modernization Plan (RaMP)**: RaMP provides a structured approach to incorporating modern security practices with rapid deployment capabilities. This framework is particularly relevant when designing security measures within cloud environments like Azure, as it addresses contemporary challenges and solutions aligned with Zero Trust principles.

### Other Options:
- **Microsoft Security Development Lifecycle (SDL)**: While SDL is crucial for integrating security at every stage of the software development lifecycle, it focuses more on secure software design, implementation, and deployment rather than broader privileged identity strategies and Zero Trust principles.
- **Enhanced Security Admin Environment (ESAE)**: ESAE is more historical and focuses on creating isolated admin environments, usually for on-premises infrastructure. Though it provides strong security postulates, it is not specifically tailored for the modernized, cloud-based approach needed for a Zero Trust model in Azure.
- **Microsoft Operational Security Assurance (OSA)**: OSA provides guidelines and best practices for operational security, ensuring compliance and security processes are adhered to during operational phases. Although important, it does not directly address the strategic creation of privileged identity designs under a Zero Trust framework.

Therefore, RaMP is the most aligned framework for quickly adopting and implementing a privileged identity strategy based on the Zero Trust model in a new Azure environment.

================

Q16

A customer has a hybrid cloud infrastructure that contains a Microsoft 365 E5 subscription and an Azure subscription. All on-premises servers in the perimeter network are prevented from connecting directly to the internet. The customer recently recovered from a ransomware attack. The customer plans to deploy Microsoft Sentinel.
You need to recommend solutions to meet the following requirements:
- Ensure that the security operations team can access the security logs and the operations logs.
- Ensure that the IT operations team can access only the operations logs, including the event logs of the servers in the perimeter network.

Which two solutions should you include in the recommendation? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

A) a custom collector that uses the Log Analytics agent
B) the Azure Monitor agent
C) resource-based role-based access control (RBAC)
D) Azure Active Directory (Azure AD) Conditional Access policies

Correct answer: BC

C: Microsoft Sentinel uses Azure role-based access control (Azure RBAC) to provide built-in roles that can be assigned to users, groups, and services in Azure. Use Azure RBAC to create and assign roles within your security operations team to grant appropriate access to Microsoft Sentinel. The different roles give you fine-grained control over what Microsoft Sentinel users can see and do. Azure roles can be assigned in the Microsoft Sentinel workspace directly (see note below), or in a subscription or resource group that the workspace belongs to, which Microsoft Sentinel inherits.

Incorrect:
A: You can collect data in custom log formats to Microsoft Sentinel with the Log Analytics agent. Note: You can use the Log Analytics agent to collect data in text files of nonstandard formats from both Windows and Linux computers.
Once collected, you can either parse the data into individual fields in your queries or extract the data during collection into individual fields. You can connect your data sources to Microsoft Sentinel using custom log formats.

Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview
https://docs.microsoft.com/en-us/azure/sentinel/connect-custom-logs?tabs=DCG
https://docs.microsoft.com/en-us/azure/sentinel/roles

The correct answers are:
B) Azure Monitor agent
C) Resource-based role-based access control (RBAC)

**Explanation:**

**B) Azure Monitor agent:**
- The Azure Monitor agent is critical for collecting telemetry and monitoring data from both cloud and on-premises environments, including virtual machines and servers.
- Given that the customer's on-premises servers in the perimeter network are prevented from connecting directly to the internet, the Azure Monitor agent can be configured to collect data locally and then send it to Azure Monitor through a Log Analytics workspace. This ensures that both security and operations logs are captured efficiently.

**C) Resource-based role-based access control (RBAC):**
- Role-based access control (RBAC) allows you to assign specific permissions to users based on their role within the organization. This is particularly useful for ensuring that different teams (security operations and IT operations) have access only to the logs relevant to their responsibilities.
- Using resource-based RBAC, you can configure permissions such that the security operations team has access to both security and operations logs, while the IT operations team has access restricted to only the operations logs, including event logs from the servers in the perimeter network. This ensures compliance with the principle of least privilege.
**Why other options were not chosen:**

**A) A custom collector that uses the Log Analytics agent:**
- While a custom collector could technically be used, it would add unnecessary complexity and overhead compared to the built-in capabilities provided by the Azure Monitor agent. The Azure Monitor agent is specifically designed for these scenarios and provides a more straightforward, integrated solution.

**D) Azure Active Directory (Azure AD) Conditional Access policies:**
- Conditional Access policies are used primarily to enforce specific access conditions and controls for user sign-ins to applications and services, rather than controlling access to logs and monitoring data. Therefore, while important for access security, they do not directly address the specific need of segregating log access for different teams.

By utilizing the Azure Monitor agent for data collection and RBAC for access control, the recommended solutions meet the stated requirements efficiently and effectively.

===============

Q17

Your company is developing a serverless application in Azure that will have the architecture shown in the following exhibit. You need to recommend a solution to isolate the compute components on an Azure virtual network.

What should you include in the recommendation?

A) Azure Active Directory (Azure AD) enterprise applications
B) an Azure App Service Environment (ASE)
C) Azure service endpoints
D) an Azure Active Directory (Azure AD) application proxy

Correct answer: B

The Azure App Service Environment v2 is an Azure App Service feature that provides a fully isolated and dedicated environment for securely running App Service apps at high scale. This capability can host your:
- Windows web apps
- Linux web apps
