Manage Security Operation
Which of the items below would exceed the capabilities of an Azure Sentinel playbook? a. A Sentinel playbook can help automate and orchestrate an incident response. b. A Sentinel playbook be run manually or set to run automatically when specific alerts are triggered. c. A Sentinel playbook be created to handle several subscriptions at once.
A Sentinel playbook be created to handle several subscriptions at once. A security playbook is a collection of procedures that can be run from Azure Sentinel in response to an alert. A security playbook can help automate and orchestrate your response and can be run manually or set to run automatically when specific alerts are triggered. Each playbook is created for a specific subscription.
When using Azure Security Center (ASC) to provide visibility into virtual machine security settings, the monitoring system can be set up to notify administrators when issues are discovered. Which issue below would need a different monitoring tool to discover it? a. A newer operating system version is available. b. System security updates and critical updates that are missing. c. Disk encryption should be applied on virtual machines.
A newer operating system version is available. A newer operating system version is available. Azure Security Center does not look to see when a new OS is released. ASC examines OS-level settings using a monitor service that it installs into each Windows and Linux VM. In addition to the choices above, ASC can provide a vulnerability assessment with remediation recommendations.
An investigator wants to be proactive about looking for security threats. The security officer has read about Sentinel's hunting capabilities and notebooks. What is an Azure Sentinel notebook? a. A step-by-step playbook that provides the ability to walk through the steps of an investigation and hunt. b. A table to query and locate actions like DNS events. c. A saved item for the creation of an incident for investigation.
A step-by-step playbook that provides the ability to walk through the steps of an investigation and hunt. A step-by-step playbook. A notebook is a step-by-step playbook that enables the ability to walk through the steps of an investigation and hunt. Other hunting techniques are described by the other choices: built-in query, bookmarks, and event tables.
To be notified when any virtual machine in the production resource group is deleted, what should be configured? a. Activity log alert b. Application alert c. Log alert
Activity log alert Activity log alert. An activity log alert to receive notifications when specific changes occur to resources in your Azure subscription.
Where can custom security alerts be created and managed? a. Azure Security Center b. Azure Sentinel c. Azure Storage
Azure Sentinel Azure Sentinel. Custom alert rules were retired from Azure Security Center on June 30, 2019 because its underlying infrastructure was retired. We recommend that enabling Azure Sentinel and re-creating your custom alerts there. Alternatively, alerts can be created with Azure Monitor log alerts.
When creating roles within a security operations team to grant appropriate access to Azure Sentinel. Which role below would have to be created versus being built-in? a. Azure Sentinel reader b. Azure Sentinel responder c. Azure Sentinel owner
Azure Sentinel owner The Sentinel built-in roles are reader, responder, and contributor.
An organization compliance group requires client authentication use Azure AD, and Key Vault diagnostic logs to be enabled. What is the easiest way to accomplish this? a. Configure management groups b. Implement Security Center policies c. Create Desired Configuration State scripts
Implement Security Center policies Implement Security Center policies. Security Center can monitor policy compliance across all your subscriptions using a default set of security policies. A security policy defines the set of controls that are recommended for resources within the specified subscription or resource group.
Sentinel is being used to investigate an incident. When viewing the incident detailed information, which value has to be assigned, instead of being included in the data? a. Incident ID b. Incident owner c. Number of entities involved
Incident owner Incident owner. The incident detailed information includes its severity, summary of the number of entities involved, the raw events that triggered this incident, and the incident's unique ID. All incidents start as unassigned. Each incident can be assigned to an owner, by setting the Incident owner field. Comments can also be added so that other analysts will be able to understand what was investigated and what your concerns are around the incident.
An organization is working with an outside agency that needs to access a virtual machine. There is a real concern about brute-force login attacks targeted at virtual machine management ports. Which of the following can be used to open the management ports for a defined time range? Select one. a. Azure Firewall b. Bastion service c. Just-in-Time virtual machine access
Just-in-Time virtual machine access Just-in-Time VM access. Azure Security Center supports Just-in-time (JIT) virtual machine (VM) access. When just-in-time access is enabled, Security Center uses network security group (NSG) rules to restrict access to management ports when they are not in use so they cannot be targeted by attackers. Protected ports are the SSH and RDP ports.
When running a query of the Log Analytics workspace, which query language is used? a. Contextual Query Language b. Embedded SQL c. Kusto Query Language
Kusto Query Language Kusto Query Language. All data is retrieved from a Log Analytics workspace using a log query written using Kusto Query Language (KQL). You can write your own queries or use solutions and insights that include log queries for an application or service.
The IT managers would like to use a visualization tool for the Azure Monitor results. Each of the following is available, but there is a need to pick the one that will allow for insights and investigation of the data; which should be used? a. Dashboard b. Logic Apps c. Power BI
Logic Apps Logic apps would be used for integration activities. Workbooks are interactive documents that provide deep insights into your data, investigation, and collaboration inside the team. Specific examples where workbooks are useful are troubleshooting guides and incident postmortem. Dashboards and Power BI allow you to quickly identify important issues.
Data collected by Azure Monitor collects fits into which two fundamental types. What are those types of data? a. Events and Alerts b. Logs and Metrics c. Records and Triggers
Logs and Metrics Logs, Metrics. All data collected by Azure Monitor fits into one of two fundamental types, metrics and logs. Metrics are numerical values that describe some aspect of a system at a point in time. They are lightweight and capable of supporting near real-time scenarios. Logs contain different kinds of data organized into records with different sets of properties for each type. Telemetry such as events and traces are stored as logs in addition to performance data so that it can all be combined for analysis.
Which of following is not included in the Security Center free tier? a. Monitor IoT hubs and resources b. Monitor network access and endpoint security c. Monitor non-Azure resources
Monitor non-Azure resources Monitor non-Azure resources. The Security Center free tier does not support monitoring external cloud or non-Azure resources, JIT VM access, regulatory compliance reports, adaptive network hardening recommendations, and several other features.
The Azure Security Center dashboard presents a Secure Score. What is the description of secure score? a. The Secure Score is a calculation based on the ratio of healthy resources vs. total resources. b. The Secure Score is a count of recommendations made against your monitored resources. c. The Secure Score is a machine-learning based prediction of how likely your resources are to be infiltrated by a hacker.
The Secure Score is a calculation based on the ratio of healthy resources vs. total resources. The Secure Score is a calculation based on the ratio of healthy resources vs. total resources. Security Center reviews your security recommendations across all workloads, uses algorithms to determine how critical each recommendation is, and calculates a Secure Score which is displayed on the Overview page.