AZ-500: Manage security operations
You need a Log Analytics workspace if you intend to collect data from the following sources:
- Azure resources in your subscription
- On-premises computers monitored by System Center Operations Manager
- Device collections from Configuration Manager
- Diagnostics or log data from Azure Storage
Microsoft Defender for Cloud Basic features
- Defender for Cloud is enabled for free on all your Azure subscriptions.
- Defender for Cloud provides foundational cloud security posture management (CSPM) features by default.
- The foundational CSPM includes a secure score, security policy and basic recommendations, and network security assessment to help you protect your Azure resources.
What is a key feature of Microsoft Sentinel's incident response capabilities?
A key feature of Microsoft Sentinel's incident response capabilities is AI-powered investigation and threat hunting. It leverages artificial intelligence to enhance the efficiency and effectiveness of incident response activities. By leveraging years of real-world cyber security experience, Microsoft Sentinel enables security teams to investigate threats at scale and proactively hunt for suspicious activities.
To be notified when any virtual machine in the production resource group is deleted, what should be configured?
Activity log alert. An activity log alert notifies you when specific changes occur to resources in your Azure subscription; for this case the rule would match the Microsoft.Compute/virtualMachines/delete operation scoped to the production resource group.
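The condition that such an activity log alert rule evaluates, run offline against a handful of sample events, as an added example that is not part of these notes or Microsoft's code. The events, caller names and resource IDs are constructed; the `allOf` / `field` / `equals` clause shape follows the Activity Log alert rule schema, and the `containsAny` branch is included for the multi-value case. It shows why the rule should carry a status clause: one deletion writes a Started entry and then a Succeeded (or Failed) entry, so a rule without the clause fires more than once and also on failed deletes.

```python
"""Activity Log alert conditions, evaluated offline against sample events.

Added example, not code from the page or from Microsoft. The condition uses
the allOf / field / equals shape of an Activity Log alert rule; the events
are constructed to look like trimmed Activity Log records.
"""

# Constructed Activity Log records, reduced to the fields an alert can filter on.
PROD_VM = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
           "production/providers/Microsoft.Compute/virtualMachines/web01")
DEV_VM = PROD_VM.replace("/production/", "/dev/").replace("web01", "test01")
DELETE_OP = "Microsoft.Compute/virtualMachines/delete"

EVENTS = [
    {"category": "Administrative", "operationName": DELETE_OP, "resourceGroup": "production",
     "status": "Started", "resourceId": PROD_VM, "caller": "alice@contoso.example"},
    {"category": "Administrative", "operationName": DELETE_OP, "resourceGroup": "production",
     "status": "Succeeded", "resourceId": PROD_VM, "caller": "alice@contoso.example"},
    {"category": "Administrative", "operationName": DELETE_OP, "resourceGroup": "dev",
     "status": "Succeeded", "resourceId": DEV_VM, "caller": "bob@contoso.example"},
    {"category": "Administrative", "operationName": "Microsoft.Compute/virtualMachines/write",
     "resourceGroup": "production", "status": "Succeeded", "resourceId": PROD_VM,
     "caller": "alice@contoso.example"},
    {"category": "Administrative", "operationName": DELETE_OP, "resourceGroup": "Production",
     "status": "Failed", "resourceId": PROD_VM, "caller": "eve@contoso.example"},
]

# Rule condition for "a VM in the production resource group was deleted".
VM_DELETED_IN_PRODUCTION = {"allOf": [
    {"field": "category", "equals": "Administrative"},
    {"field": "operationName", "equals": DELETE_OP},
    {"field": "resourceGroup", "equals": "production"},
    {"field": "status", "equals": "Succeeded"},
]}

# Same rule without the status clause, to show why that clause matters.
VM_DELETE_ANY_STATUS = {"allOf": VM_DELETED_IN_PRODUCTION["allOf"][:3]}


def clause_matches(clause: dict, event: dict) -> bool:
    """One leaf condition. Values are compared case-insensitively here, because
    resource group and operation names are case-insensitive identifiers in Azure."""
    value = str(event.get(clause["field"], "")).lower()
    if "equals" in clause:
        return value == clause["equals"].lower()
    if "containsAny" in clause:
        return value in {v.lower() for v in clause["containsAny"]}
    raise ValueError(f"unsupported clause: {clause}")


def condition_matches(condition: dict, event: dict) -> bool:
    """allOf: every clause must match for the rule to fire on this event."""
    return all(clause_matches(c, event) for c in condition["allOf"])


def fired_events(condition: dict, events: list) -> list:
    """Events that would trigger the alert (one notification each)."""
    return [e for e in events if condition_matches(condition, e)]


def notification(event: dict) -> str:
    """Text an action group (e-mail, Teams, webhook) would carry."""
    vm = event["resourceId"].rsplit("/", 1)[-1]
    return f"{event['caller']} ran {event['operationName']} on {vm} in {event['resourceGroup']}"


if __name__ == "__main__":
    for e in fired_events(VM_DELETED_IN_PRODUCTION, EVENTS):
        print(notification(e))
```

With the status clause the sample set yields exactly one notification, for the Succeeded entry; dropping the clause yields three, including the Started entry and the failed attempt in the same resource group.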
Azure monitor Alerts
Alerts in Azure Monitor proactively notify you of critical conditions and can attempt to take corrective action through an action group. Alert rules based on metrics provide near-real-time alerting; rules based on logs allow for complex logic.
Different ways that you can use Logs in Azure Monitor
Analyze, Visualize, Alert, Retrieve, Export
Defender for Cloud helps you detect threats across:
- Azure Platform as a Service (PaaS) services
- Azure data services
- Networks
Azure Monitor data collection sources
- Azure resources
- Applications
- Virtual machine agents
- Custom metrics
- Kubernetes clusters
The most common type of log entry is an event.
Microsoft Defender for Cloud's features cover the two broad pillars of cloud security:
- Cloud Security Posture Management (CSPM): remediate security issues and watch your security posture improve
- Cloud Workload Protection (CWP): identify unique workload security requirements
Microsoft Sentinel enables the following
- Collect data at cloud scale
- Detect previously undetected threats, and minimize false positives
- Investigate threats with artificial intelligence, and hunt for suspicious activities at scale
- Respond to incidents rapidly
Microsoft cloud security benchmark features
- Comprehensive multi-cloud security framework
- Automated control monitoring for AWS in Microsoft Defender for Cloud
Microsoft Defender for Cloud fills three vital needs
- Defender for Cloud secure score continually assesses your security posture
- Defender for Cloud recommendations secure your workloads with step-by-step actions
- Defender for Cloud alerts defend your workloads in real time
If you've connected an Amazon Web Services (AWS) account to an Azure subscription, you can enable any of these protections:
- Defender for Cloud's CSPM
- Microsoft Defender for Kubernetes
- Microsoft Defender for Servers
Practices to blunt brute-force attacks
Disable the public IP address and use one of these connection methods instead:
- Point-to-site VPN
- Site-to-site VPN
- Azure ExpressRoute
Additionally:
- Enable two-factor authentication
- Increase password length and complexity
- Limit login attempts
- Implement CAPTCHA
- Limit the amount of time that the ports are open (just-in-time access)
Security recommendation
Each recommendation provides you with the following information:
- A short description
- Remediation steps
- Affected resources
Security recommendation details
- Enforce and Deny options
- View the policy definition
- Open query
- Severity indicator
- Freshness interval
- Count of exempted resources
- Mapping to MITRE ATT&CK tactics and techniques
- Description
- Relationship types: Prerequisite, Alternative, Dependent
- Remediation steps
- Affected resources: Healthy resources, Unhealthy resources, Not applicable resources
- Action buttons to remediate the recommendation
As soon as you open Defender for Cloud for the first time, Defender for Cloud:
- Generates a secure score
- Provides hardening recommendations based on any identified security misconfigurations and weaknesses
- Analyzes and secures your attack paths through the cloud security graph
An organization compliance group requires client authentication using Azure AD and Key Vault diagnostic logs. What is the easiest way to implement the requirement for client authentication?
Implement Microsoft Defender for Cloud policies. Microsoft Defender for Cloud can monitor policy compliance across all your subscriptions using a default set of security policies. A security policy defines the set of recommended controls for resources within the specified subscription or resource group.
Azure Monitor functions
Insights, Visualize, Analyze, Respond, Integrate
When running a query of the Log Analytics workspace, which query language is used?
Kusto Query Language. All data is retrieved from a Log Analytics workspace using a log query written using Kusto Query Language (KQL). You can write your own queries or use solutions and insights that include log queries for an application or service.
Center for Internet Security (CIS) benchmarks provide two levels of security settings
Level 1 recommends essential basic security requirements Level 2 recommends security settings for environments requiring greater security
Data collected by Azure Monitor fits into two fundamental types. What are those types of data?
Logs, Metrics. All data collected by Azure Monitor fits into one of two fundamental types, metrics and logs. Metrics are numerical values that describe some aspect of a system at a point in time. They are lightweight and capable of supporting near real-time scenarios. Logs contain different kinds of data organized into records with different sets of properties for each type. Telemetry such as events and traces are stored as logs in addition to performance data so that it can all be combined for analysis.
Azure Arc provides a centralized, unified way to
- Manage your entire environment together by projecting your existing non-Azure and/or on-premises resources into Azure Resource Manager
- Manage virtual machines, Kubernetes clusters, and databases
- Use familiar Azure services and management capabilities
- Continue using traditional IT operations (ITOps) while introducing DevOps practices
- Configure custom locations as an abstraction layer
What you can alert on with Azure Monitor
- Metric values
- Log search queries
- Activity log events
- Health of the underlying Azure platform
- Tests for website availability
Azure Monitor: two fundamental data types and data sources
Metrics and Logs. Azure Monitor collects data from the application, guest operating system, Azure resource, subscription, and tenant tiers, plus custom sources; log data is then retrieved with queries.
Security tools' use of Azure Monitor Logs
Microsoft Defender for Cloud stores the data that it collects in a Log Analytics workspace, where it can be analyzed with other log data. Microsoft Sentinel (formerly Azure Sentinel) stores data from its data sources in a Log Analytics workspace.
Microsoft Defender feature - Cloud workload dashboard includes the following sections:
- Microsoft Defender for Cloud coverage
- Security alerts
- Advanced protection
- Insights
When using Microsoft Defender for Cloud to provide visibility into virtual machine security settings, the monitoring system will notify administrators as issues arise. Which incident below would require a different monitoring tool to discover it?
Microsoft Defender for Cloud doesn't identify newly released operating systems. Microsoft Defender for Cloud examines OS-level settings using a monitoring agent installed in each Windows and Linux VM; it can also provide a vulnerability assessment with remediation recommendations.
Defender for Cloud enhanced features
- Microsoft Defender for Endpoint
- Vulnerability assessment for virtual machines, container registries, and SQL resources
- Multicloud security
- Hybrid security
- Threat protection alerts
- Track compliance with a range of standards
- Access and application controls
- Container security features
- Breadth threat protection for resources connected to Azure
- Manage your Cloud Security Posture Management (CSPM)
Workbooks to monitor Sentinel data
Microsoft Sentinel lets you create custom workbooks across your data and comes with built-in workbook templates. Workbooks are intended for Security Operations Center (SOC) engineers and analysts of all tiers to visualize data, and they are best used for high-level views.
What is the primary purpose of Microsoft Sentinel?
Microsoft Sentinel is a security information event management (SIEM) and security orchestration automated response (SOAR) solution. Its primary purpose is to deliver intelligent security analytics and threat intelligence to security operations teams. It helps in alert detection, threat visibility, proactive hunting, and threat response, allowing teams to efficiently identify and respond to cyber threats.
How does Microsoft Sentinel leverage Azure services like Log Analytics and Logic Apps?
Microsoft Sentinel leverages Azure services like Log Analytics and Logic Apps by natively incorporating them as foundational components. Log Analytics provides data collection and storage capabilities, while Logic Apps enables the automation and orchestration of workflows within Microsoft Sentinel.
What benefit does Microsoft Sentinel offer to security operations teams?
Microsoft Sentinel offers multiple benefits to security operations teams. It integrates with various Microsoft products, such as Azure Identity Protection and Microsoft Cloud App Security, and correlates millions of signals. It also incorporates external threat intelligence streams. Additionally, it provides cloud-native scalability and speed, enabling efficient security operations. Furthermore, it offers advanced threat detection and analytics capabilities, helping to minimize false positives and improve threat detection.
The IT managers would like to use a visualization tool for the Azure Monitor results. Each of the following is available, but there is a need to pick the one that will allow for insights and investigation of the data; which should be used?
Azure Monitor Metrics is a feature of Azure Monitor that collects numeric data from monitored resources into a time-series database. Metrics are numerical values collected at regular intervals that describe some aspect of a system at a particular time. Metrics in Azure Monitor are lightweight and capable of supporting near-real-time scenarios, so they're useful for alerting and fast detection of issues. You can analyze them interactively by using Metrics Explorer, be proactively notified with an alert when a value crosses a threshold, or visualize them in a workbook or dashboard.
Which tasks are not included in the Microsoft Defender for Cloud free tier?
Monitor non-Azure resources. The Microsoft Defender for Cloud free tier doesn't support monitoring external cloud or non-Azure resources, JIT VM access, compliance reports, adaptive network hardening, and several other features.
Microsoft Sentinel features
- More than 100 built-in alert rules
- Jupyter Notebooks: a collection of hunting queries, exploratory queries, and Python libraries
- Investigation graph for visualizing and traversing the connections between entities
- Microsoft Sentinel GitHub repository: over 400 detection, exploratory, and hunting queries, plus Azure Notebooks samples and related Python libraries, playbook samples, and parsers
Azure Monitor types of metrics
Native metrics use tools in Azure Monitor for analysis and alerting:
- Platform metrics
- Custom metrics
Prometheus metrics (preview) are collected from Kubernetes clusters, including Azure Kubernetes Service (AKS), and use industry-standard tools for analysis and alerting, such as PromQL and Grafana.
Which recommendations are included in the secure score calculations?
Only built-in recommendations have an impact on the secure score. Recommendations flagged as Preview aren't included.
Azure Monitor Exporting data to a SIEM
Processed events that Microsoft Defender for Cloud produces are published to the Azure activity log, one of the log types available through Azure Monitor. Azure Monitor offers a consolidated pipeline for routing any of your monitoring data into a SIEM tool; this single pipeline is how you get access to the monitoring data from your Azure environment.
What is Prometheus?
Prometheus is an open-source toolkit that collects data for monitoring and alerting.
- Multi-dimensional data model with time-series data identified by metric name and key/value pairs
- PromQL, a flexible query language that uses this dimensionality
- Time-series collection happens via a pull model over Hypertext Transfer Protocol (HTTP)
Notebooks in Microsoft Sentinel provide
- Queries to both Microsoft Sentinel and external data
- Features for data enrichment, investigation, visualization, hunting, machine learning, and big data analytics
Notebooks are best for:
- More complex chains of repeatable tasks
- Ad-hoc procedural controls
- Machine learning and custom analysis
Cloud Security Posture Management (CSPM)
Remediate security issues and watch your security posture improve. CSPM features provide the following:
- Hardening guidance
- Visibility
Uses for diagnostic logs
- Save them to a storage account
- Stream them to an event hub
- Analyze them with Azure Monitor
Microsoft Defender for Cloud tools include
- Security governance and regulatory compliance
- Cloud security graph
- Attack path analysis
- Agentless scanning for machines
Azure Arc allows you to manage the following resource types hosted outside of Azure:
- Servers
- Kubernetes clusters
- Azure data services
- SQL Server
- Virtual machines (preview)
Data connection methods supported by Microsoft Sentinel:
Service-to-service integration:
- Amazon Web Services - CloudTrail
- Azure Activity
- Azure AD audit logs and sign-ins
- Azure AD Identity Protection
- Azure Advanced Threat Protection
- Azure Information Protection
- Microsoft Defender for Cloud
- Cloud App Security
- Domain Name Server (DNS)
- Microsoft 365
- Microsoft Defender ATP
- Microsoft web application firewall
- Windows firewall
- Windows security events
External solutions via API
External solutions via an agent
Key attributes of an Azure Monitor alert rule
- Target resource
- Signal
- Criteria
- Alert name
- Alert description
- Severity
- Action
The Microsoft Defender for Cloud dashboard presents a Secure Score. What is the description of secure score?
The Secure Score is a calculation based on the ratio of healthy resources vs. total resources. Microsoft Defender for Cloud reviews your security recommendations across all workloads, uses algorithms to determine how critical each recommendation is, and calculates a Secure Score which is displayed on the Overview page.
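How that ratio turns into a number, as an added worked example (not the page's or Microsoft's code). The controls, recommendation names, maximum scores and resource IDs below are constructed. The per-control rule it applies is assumed here to mirror how Defender for Cloud weights security controls: a control contributes its maximum score scaled by the share of its resources that are healthy for every scored recommendation in it, a control with nothing assessed is not applicable and drops out of both sides of the ratio, and recommendations flagged Preview are ignored.

```python
"""Secure score arithmetic, as an added worked example.

Not the page's or Microsoft's code. Controls, recommendations and resource
IDs are constructed. Rules applied (assumed to mirror Defender for Cloud):
a resource is healthy for a control only if every scored recommendation in
the control marks it healthy; a control earns max_score * healthy / total;
controls with no assessed resources are not applicable; Preview
recommendations are ignored; secure score = 100 * sum(current) / sum(max).
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class Recommendation:
    name: str
    healthy: Set[str] = field(default_factory=set)
    unhealthy: Set[str] = field(default_factory=set)
    preview: bool = False      # preview recommendations never move the score


@dataclass
class Control:
    name: str
    max_score: int
    recommendations: List[Recommendation]


def control_resources(control: Control) -> Tuple[Set[str], Set[str]]:
    """(healthy, unhealthy) resource sets for the control as a whole."""
    scored = [r for r in control.recommendations if not r.preview]
    assessed: Set[str] = set()
    unhealthy: Set[str] = set()
    for r in scored:
        assessed |= r.healthy | r.unhealthy
        unhealthy |= r.unhealthy          # one failing recommendation taints the resource
    return assessed - unhealthy, unhealthy


def control_score(control: Control) -> float:
    """Points the control currently earns out of its max_score."""
    healthy, unhealthy = control_resources(control)
    total = len(healthy) + len(unhealthy)
    if total == 0:
        return 0.0                        # not applicable; secure_score drops it entirely
    return control.max_score * len(healthy) / total


def secure_score(controls: List[Control]) -> float:
    """Overall score as a percentage, rounded to one decimal."""
    applicable = [c for c in controls if sum(map(len, control_resources(c))) > 0]
    current = sum(control_score(c) for c in applicable)
    maximum = sum(c.max_score for c in applicable)
    return round(100 * current / maximum, 1) if maximum else 0.0


# Constructed sample: three VMs and one subscription.
CONTROLS = [
    Control("Enable MFA", 10, [
        Recommendation("MFA should be enabled on accounts with owner permissions",
                       unhealthy={"sub-prod"}),
    ]),
    Control("Secure management ports", 8, [
        Recommendation("Management ports of VMs should be protected with just-in-time access",
                       healthy={"vm1", "vm2"}, unhealthy={"vm3"}),
        Recommendation("Management ports should be closed on your VMs",
                       healthy={"vm1", "vm3"}, unhealthy={"vm2"}),
    ]),
    Control("Apply system updates", 6, [
        Recommendation("System updates should be installed on your machines",
                       healthy={"vm1", "vm2", "vm3"}),
        # Hypothetical preview check: flags everything but is not scored.
        Recommendation("Preview check (hypothetical)", unhealthy={"vm1", "vm2", "vm3"},
                       preview=True),
    ]),
    Control("Encrypt data in transit", 4, []),   # nothing assessed: not applicable
]

if __name__ == "__main__":
    for c in CONTROLS:
        print(f"{c.name}: {control_score(c):.2f} / {c.max_score}")
    print(f"Secure score: {secure_score(CONTROLS)}%")
```

The management-ports control is the instructive one: each of its two recommendations is two-thirds healthy, but only vm1 is healthy for both, so the control earns 8 × 1/3 rather than 8 × 2/3. Remediating a control's recommendations together is what moves the score.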
What is the primary benefit of security automation and orchestration in Microsoft Sentinel?
The primary benefit of security automation and orchestration in Microsoft Sentinel is the simplification of security orchestration and the automation of common security tasks. This streamlines security operations, reduces manual effort, and improves overall efficiency.
What data can be sent into an event hub?
Tiers of monitoring data:
- Application monitoring data
- Guest OS monitoring data
- Azure resource monitoring data
- Azure subscription monitoring data
- Azure tenant monitoring data
Defender for Cloud offers the following options for working with security initiatives and policies:
- View and edit the built-in default initiative
- Add your own custom initiatives
- Add regulatory compliance standards as initiatives
An organization is working with an outside agency that needs to access a virtual machine. There's a real concern about brute-force login attacks targeted at virtual machine management ports. Which of the following components would open the management ports for a defined time range?
Just-in-time (JIT) VM access. When JIT access is enabled, Microsoft Defender for Cloud uses network security group rules to restrict access to management ports when they aren't in use and opens them only for the requested source and time window. The protected ports are the SSH and RDP ports by default.
Microsoft Sentinel
a cloud-native security information and event management (SIEM) platform that uses built-in AI to help analyze large volumes of data across an enterprise—fast.
Microsoft Sentinel's powerful hunting search-and-query tools
based on the MITRE framework, which enable you to proactively hunt for security threats across your organization's data sources before an alert is triggered. Create custom detection rules based on your hunting query. Then, surface those insights as alerts to your security incident responders. While hunting, create bookmarks to return to interesting events later. Use a bookmark to share an event with others or group events with other correlating events to create a compelling incident for investigation.
Sentinel: automate and orchestrate common tasks by using playbooks
You build playbooks with Azure Logic Apps and can choose from a growing gallery of built-in playbooks. Connectors let you apply custom logic in code against services such as:
- ServiceNow
- Jira
- Zendesk
- HTTP requests
- Microsoft Teams
- Slack
- Azure Active Directory
- Microsoft Defender for Endpoint
- Microsoft Defender for Cloud Apps
Playbooks are intended for Security Operations Center (SOC) engineers and analysts of all tiers to automate and simplify tasks, including data ingestion, enrichment, investigation, and remediation.
Azure diagnostics extension in Azure Monitor
Collects monitoring data from the guest operating system of Azure virtual machines. The key differences from the Log Analytics agent:
- The Azure Diagnostics extension can be used only with Azure virtual machines. The Log Analytics agent can be used with virtual machines in Azure, other clouds, and on-premises.
- The Azure Diagnostics extension sends data to Azure Storage, Azure Monitor Metrics (Windows only), and Event Hubs. The Log Analytics agent sends data to Azure Monitor Logs.
- The Log Analytics agent is required for solutions, Azure Monitor for VMs, and other services such as Microsoft Defender for Cloud.
Microsoft Defender for Cloud security initiatives
A collection of Azure Policy definitions or rules that are grouped together toward a specific goal or purpose.
Azure Log Analytics agent
Provides comprehensive management across virtual machines by sending collected data from different sources to your Log Analytics workspace, as logs or metrics, as defined in a monitoring solution.
Azure Managed Grafana
A fully managed Azure data visualization platform that combines metrics, logs, and traces into a single user interface. Integration features:
- Built-in support for Azure Monitor and Azure Data Explorer
- User authentication and access control using Azure Active Directory identities
- Direct import of existing charts from the Azure portal
- All your telemetry data in one place: by combining charts, logs, and alerts into one view, you get a holistic view across multiple datasets
- Grafana dashboards can be shared
Defender Cloud Security Posture Management (CSPM) plan options
Foundational multicloud CSPM capabilities (free) include:
- Asset discovery
- Security recommendations
- Compliance
- Secure score
The Defender CSPM plan adds advanced posture management:
- Attack path analysis
- Cloud security explorer
- Advanced threat hunting
- Security governance capabilities
- Tools to assess your security compliance
Center for Internet Security (CIS)
A nonprofit entity whose mission is to identify, develop, validate, promote, and sustain best-practice solutions for cyber defense. It draws on the expertise of cybersecurity and IT professionals from government, business, and academia from around the world. Each benchmark undergoes two phases of consensus review:
- Initial development
- The consensus team reviews feedback from the internet community
MITRE ATT&CK matrix knowledge base is organized into several categories
pre-attack, initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, exfiltration, and command and control.
Microsoft cloud security benchmark (MCSB)
Prescriptive best practices and recommendations to help improve security, drawing on:
- Cloud Adoption Framework
- Azure Well-Architected Framework
- The Chief Information Security Officer (CISO) Workshop
- Other industry and cloud service providers' security best-practice standards and frameworks, such as AWS, CIS, NIST, and PCI-DSS
Azure Monitor diagnostic logs
Produced by an Azure service and provide frequently collected data about the operation of that service. Two types of diagnostic logs:
- Tenant logs
- Resource logs
Other logs:
- Activity log: provides insight into the operations that Azure Resource Manager performed on resources in your subscription
- Guest operating system (OS)-level diagnostic logs, collected by an agent running inside a VM
National Institute of Standards and Technology (NIST)
Promotes and maintains measurement standards and guidance to help organizations assess risk.
MITRE ATT&CK matrix
A publicly accessible knowledge base for understanding the various tactics and techniques used by attackers during a cyberattack. The name stands for Adversarial Tactics, Techniques, and Common Knowledge: tactics represent the "why" (the adversary's goal), techniques represent the "how" (the way that goal is achieved), and common knowledge is the documented use of those tactics and techniques by real adversaries.
Azure Policy
A rule about specific security conditions you want to be controlled.
Azure Event Hubs
A streaming platform and event ingestion service that can transform and store data by using any real-time analytics provider or batching/storage adapters. Use Event Hubs to stream log data from Azure Monitor to Microsoft Sentinel or to partner SIEM and monitoring tools.
Microsoft Defender for Cloud has two main goals
To help you understand your current security situation, and to help you efficiently and effectively improve your security. The central feature in Defender for Cloud that enables you to achieve those goals is the secure score.
Defender for Cloud uses Azure role-based access control (Azure RBAC), which provides built-in roles you can assign to Azure users, groups, and services
Two specific roles for Defender for Cloud:
- Security Administrator (read/write): can update the security policy and dismiss alerts and recommendations.
- Security Reader (read): can view recommendations, alerts, a security policy, and security states, but can't make changes.
Log Analytics
The tool for writing log queries and interactively analyzing their results.
just-in-time (JIT) VM access
You can lock down the inbound traffic to your VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.
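The JIT mechanism described here and in the brute-force question above, modelled as time-bound NSG rules so it can be run offline, as an added example that is not the page's or Microsoft's code. Rule names, priorities, addresses, timestamps and the 3-hour cap are constructed. The NSG semantics used are the real ones: inbound rules are evaluated in ascending priority number, the first match decides, and the built-in DenyAllInBound rule sits at priority 65500. JIT keeps a deny rule on each protected port and, when a request is approved, inserts a narrower allow rule (one source IP, one port) with a lower priority number that is removed once the requested window expires.

```python
"""Just-in-time VM access modelled as time-bound NSG rules (added example).

Not the page's or Microsoft's code; names, priorities, addresses and the
request cap are constructed. Shows the three checks that matter: other
source IPs stay blocked, non-management ports are untouched, and the
allow rule disappears when the window ends.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PROTECTED_PORTS = (22, 3389)            # SSH and RDP, the default JIT ports


@dataclass
class Rule:
    name: str
    priority: int                       # lower number = evaluated first
    access: str                         # "Allow" or "Deny"
    port_range: Tuple[int, int]         # inclusive destination port range
    source: str                         # CIDR prefix or "*"
    expires_at: Optional[datetime] = None

    def matches(self, src_ip: str, port: int) -> bool:
        low, high = self.port_range
        if not low <= port <= high:
            return False
        return self.source == "*" or ip_address(src_ip) in ip_network(self.source)


class JitNsg:
    MAX_WINDOW = timedelta(hours=3)     # constructed policy cap per request

    def __init__(self) -> None:
        self.rules: List[Rule] = [Rule("DenyAllInBound", 65500, "Deny", (1, 65535), "*")]
        # JIT-managed deny rules: management ports are closed while not in use.
        for i, port in enumerate(PROTECTED_PORTS):
            self.rules.append(Rule(f"JIT-Deny-{port}", 1001 + i, "Deny", (port, port), "*"))

    def request_access(self, requester_ip: str, port: int,
                       duration: timedelta, now: datetime) -> Rule:
        """Approve a JIT request: open one port to one /32 until now + duration."""
        if port not in PROTECTED_PORTS:
            raise ValueError(f"port {port} is not JIT-protected")
        if not timedelta(0) < duration <= self.MAX_WINDOW:
            raise ValueError("requested window exceeds the JIT policy maximum")
        allow_count = sum(1 for r in self.rules if r.access == "Allow")
        rule = Rule(f"JIT-Allow-{port}-{requester_ip}", 100 + allow_count, "Allow",
                    (port, port), f"{requester_ip}/32", now + duration)
        self.rules.append(rule)
        return rule

    def expire(self, now: datetime) -> None:
        """Remove allow rules whose window has ended (JIT does this for you)."""
        self.rules = [r for r in self.rules if r.expires_at is None or r.expires_at > now]

    def evaluate(self, src_ip: str, port: int, now: datetime) -> Tuple[str, str]:
        """(access, rule name) for an inbound packet arriving at time `now`."""
        self.expire(now)
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if rule.matches(src_ip, port):
                return rule.access, rule.name
        return "Deny", "implicit"       # unreachable: DenyAllInBound matches everything


def demo_sequence() -> List[Tuple[str, str]]:
    """Run the request/expiry scenario and return the decisions made, in order."""
    nsg = JitNsg()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    out = [nsg.evaluate("203.0.113.10", 22, t0)]                        # before request
    nsg.request_access("203.0.113.10", 22, timedelta(hours=1), t0)
    out.append(nsg.evaluate("203.0.113.10", 22, t0 + timedelta(minutes=30)))   # inside window
    out.append(nsg.evaluate("198.51.100.7", 22, t0 + timedelta(minutes=30)))   # other IP
    out.append(nsg.evaluate("203.0.113.10", 80, t0 + timedelta(minutes=30)))   # other port
    out.append(nsg.evaluate("203.0.113.10", 22, t0 + timedelta(minutes=61)))   # after expiry
    return out


def over_cap_rejected() -> bool:
    """A request longer than the policy maximum must be refused, not trimmed."""
    nsg = JitNsg()
    try:
        nsg.request_access("203.0.113.10", 3389, timedelta(hours=4),
                           datetime(2024, 1, 1, tzinfo=timezone.utc))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for decision in demo_sequence():
        print(decision)
```

The ordering is the whole trick: the allow rule only works because its priority number (100) is lower than the JIT deny rules (1001, 1002), and the deny rules only matter because they sit below DenyAllInBound, so a missed expiry or a mis-numbered rule silently turns "open for an hour" into "open for good".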