(1) AZ-500 Identify security threats with Azure Security Center
Data Collection can collect two log sources from every VM (2)
- Boot-time diagnostics - OS guest diagnostics
What is an incident response plan?
An incident response plan (IRP) allows you to identify and minimize the damage, reduce the cost, and fix the cause of a security attack.
How are smart groups created? - Through a template deployment. - Through the Azure CLI. - Automatically, using machine learning algorithms.
Automatically, using machine learning algorithms
Workflow automations are built on
Azure Logic Apps
Which of the following is NOT a state of a smart group alert? - Failed - New - Acknowledged - Closed
Failed
What is Workflow automation in Azure Security Center?
A collection of grouped procedures that the security response team can execute with a single click in Security Center when a specific alert is detected (These actions are not automatically triggered)
Select the best definition of a Security Center incident - A single event indicating a successful security intrusion. - An alert reported in the security dashboard. - A collection of related individual alerts.
A collection of related individual alerts
Cyber kill chain is
A series of steps that trace the stages of a cyberattack from the early reconnaissance stages to the exfiltration of data
Which of the following is an example of a log data type? - Percentage of CPU over time. - HTTP response records. - Database tables. - Website requests per hour
HTTP response records
Viewing recommendations by category under
RESOURCE SECURITY HYGIENE header in Security Center
Azure Security Center is fully integrated with Azure Policy (true/false)
True
Azure Monitor enables you to gather
monitoring and diagnostic information about the health of your services
When responding to alerts, a security engineer can get information about (5)
- What happened - When did it happen - What resource was attacked - Where is the resource located - What should you do about it
Log file storage locations
- Windows: D:\Home\LogFiles - Linux: managed through the underlying Docker container
Data types in Azure Monitor (2)
- metric-based data types - log-based data types
Azure Monitor collects data automatically from a range of components (5)
- Application data - Operating system data - Azure resource data - Azure subscription data - Azure tenant data
Security Center detects threats such as (4)
- Compromised VMs communicating with known malicious IP addresses - Advanced malware detected by Windows error reporting - Brute-force attacks against VMs - Security alerts from integrated partner security solutions, such as anti-malware or web application firewalls
ASC Free Tier Services (5)
- Compute resources such as VMs, Azure Functions and App Service - Network access and endpoint security - Data storage including Azure Storage, Redis cache for Azure, and Azure SQL - Identity and access including Azure Key Vault - IoT Hubs and resources
ASC Workflow pre-built actions (3)
- Create an automated incident report in another system, filling in fields from the active alert - Email a distribution group with details about the active alert(s) - Send a notification to a Teams or Slack channel
Extend the data that Azure Monitor collects by (2)
- Enabling diagnostics - Adding an agent (increases the amount of information that's sent to Azure Monitor)
Steps for an IRP (Incident response plan) (3)
- Establish an incident response team - Practice the plan - Revise the plan
A CSIRT team consists of (4)
- Executive - IT - Communications - Legal
Azure Security Center has two available tiers: (2)
- Free - Standard
Three signal types that you can use to monitor your environment (3)
- Metric (threshold is exceeded) - Activity log (Azure resources change state) - Log (things written to log files)
Azure Monitor collects two fundamental types of data (2)
- Metrics (how the resource is performing) - Logs (records that show when resources are created or modified)
The monitoring service for VMs can provide these safeguards (6)
- OS security settings with the recommended configuration rules - System security updates and critical updates that are missing - Endpoint protection recommendations - Disk encryption validation - Vulnerability assessment and remediation - Threat detection
Phases of an incident response (4)
- Preparation - Detection and Analysis - Containment, Eradication & Recovery - Post-Incident activity
Four areas you can influence when customizing ASC options (4)
- Pricing tier - Threat detection - Data Collection (enable auto-provisioning to install a monitoring agent on all VMs) - Email notifications
Composition of an alert rule (4)
- RESOURCE - CONDITION - ACTIONS - ALERT DETAILS (0: Critical, 1: Error, 2: Warning, 3: Informational, 4: Verbose)
Azure Security Center addresses the three most urgent security challenges (3)
- Rapidly changing workloads - Increasingly sophisticated attacks - Security skills are in short supply
Eight phases of Cyber Kill Chain (8)
- Reconnaissance - Intrusion - Exploitation - Privilege Escalation - Lateral Movement - Obfuscation / Anti-forensics - Denial of Service - Exfiltration
Built-in security policies that Security Center monitors (7)
- Secure transfer to storage accounts should be enabled - Azure AD administrator for SQL server should be provisioned - Client authentication should use Azure Active Directory - Diagnostics logs in Key Vault should be enabled - System updates should be installed on your machines - Audit missing blob encryption for storage accounts - Just-In-Time network access control should be applied on virtual machines
ASC Standard Tier Services (extend from free) (10)
- Security event collection - Network Map - Just-in-time VM access - Adaptive application controls (application whitelisting) - Regulatory compliance reports - File integrity monitoring - Adaptive Network Hardening - Security alerts - Threat intelligence - Workflow Automation
Security Center categories of alerts (4)
- Virtual machine behavioral analysis - Network analysis - SQL database and SQL Data Warehouse analysis - Contextual information
What is a security alert?
Alerts are the notifications that Security Center generates when it detects threats on your resources.
CSIRT
Computer Security Incident Response Team
What data does Azure Monitor collect? - Data from a variety of sources, such as the application event log, the operating system (Windows and Linux), Azure resources, and custom data sources - Azure billing details - Backups of database transaction logs
Data from a variety of sources, such as the application event log, the operating system (Windows and Linux), Azure resources, and custom data sources
What is live log streaming?
Live log streaming is an easy and efficient way to view live logs for troubleshooting purposes.
What two fundamental types of data does Azure Monitor collect? - Metrics and logs - Username and password - Email notifications and errors
Metrics and logs
Which feature is not available in the basic (free) tier? - Monitor VM activity for intrusion attempts. - Provide continuous security assessments. - Monitor external cloud and non-Azure resources.
Monitor external cloud and non-Azure resources.
What types of Web apps can save logs to Azure Blob storage? - Node.js apps on Windows. - Node.js apps on Linux. - ASP.NET Core apps on Linux.
Node.js apps on Windows
What's the composition of an alert rule? - Resource, condition, log, alert type - Metrics, logs, application, operating system - Resource, condition, actions, alert details
Resource, condition, actions, alert details
Security Center reviews your security recommendations across all workloads and calculates a
Security Score
What level can you apply security policies to? (Select the best answer). - Security policies are always turned on for every subscription and are not configurable. - Security policies can be configured at the subscription level. - Security policies can be configured at the subscription and resource group level.
Security policies can be configured at the subscription and resource group level
What are smart groups?
Smart groups are an automatic feature of Azure Monitor; they allow you to address a group of alerts instead of each alert separately.
Select the best description of the Secure Score shown on the dashboard. - The Secure Score is a calculation based on the ratio of healthy resources vs. total resources. - The Secure Score is a count of recommendations made against your monitored resources - The Secure Score is a machine-learning based prediction of how likely your resources are to be infiltrated by a hacker
The Secure Score is a calculation based on the ratio of healthy resources vs. total resources
What information is not present in the alert details? - The number of times this alert has occurred. - Where is the resource located? - What should you do about it?
The number of times this alert has occurred
Why is file system logging automatically turned off after 12 hours? - To optimize app performance. - So that storage space can be reused. - To enable Web apps to reinstantiate on different server instances, with different file system storage.
To optimize app performance
Lateral movement in the cyber kill chain is the act of moving laterally to connected servers to gain greater access to potential data (true/false)
True
NIST publishes a standard guide on how to handle security incidents (true/false)
True
You can collect boot-time diagnostics from VMs with Security Center (true/false)
True
You can enable Security Center on a per-subscription basis (true/false)
True
Analyzing logs by using Kusto
You write a log query with the Kusto query language, which is also used by Azure Data Explorer
What is Azure Monitor?
A service for collecting and analyzing telemetry