AZ500 (Udemy) Set 1 Flashcards
You onboard Azure Sentinel. You connect Azure Sentinel to Azure Security Center.
You need to automate the mitigation of incidents in Azure Sentinel.
The solution must minimize administrative effort.
What should you create?
A. an alert rule
B. a function app
C. A playbook
D. A runbook
C. A playbook
Explanation:
A playbook is a collection of remediation actions that can be run from Microsoft Sentinel as a routine. A playbook can help automate and orchestrate your threat response; it can be run manually or set to run automatically in response to specific alerts or incidents, when triggered by an analytics rule or an automation rule, respectively.
For example, if an account and machine are compromised, a playbook can isolate the machine from the network and block the account by the time the SOC team is notified of the incident.
Playbooks can be used within the subscription to which they belong, but the Playbooks tab (in the Automation blade) displays all the playbooks available across any selected subscriptions.
https://docs.microsoft.com/en-us/azure/sentinel/automate-responses-with-playbooks
You have an Azure SQL Server instance in your subscription. Your passwords for the SQL Server instance are stored in a key vault.
Your organization has password rotation policies that require all SQL passwords to expire every three months. You decide to automate the password rotation in your key vault three days before the password is about to expire.
You need to implement this automation.
Solution: Create a PowerShell runbook in an Azure Automation account and schedule it to run every 90 days.
Does the solution meet the goal?
A. Yes
B. No
B. No
Explanation:
This solution does not meet the goal. The PowerShell runbook would provide the necessary automation for rotating the password, but the trigger is fixed at 90 days. Since the policy states the password needs to be rotated three days before the expiration date, it will not always be a 90-day interval.
You have an Azure subscription named Sub1.
In Azure Security Center, you have a security playbook named Play1. Play1 is configured to send an email message to a user named User1.
You need to modify Play1 to send email messages to a distribution group named Alerts.
What should you use to modify Play1?
A. Azure Application Insights
B. Azure Logic Apps Designer
C. Azure Monitor
D. Azure DevOps
B. Azure Logic Apps Designer
Explanation:
You can change an existing playbook in Security Center to add an action or conditions. To do that, click the name of the playbook that you want to change in the Playbooks tab, and Logic App Designer opens.
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-playbooks
You have an Azure subscription that contains two virtual machines named VM1 and VM2 that run Windows Server 2019. You are implementing Update Management in Azure Automation. You plan to create a new update deployment named Update1. You need to ensure that Update1 meets the following requirements:
- Automatically applies updates to VM1 and VM2.
- Automatically adds any new Windows Server 2019 virtual machines to Update1.
What should you include in Update1?
A. A dynamic group query
B. a security group that has a Membership type of Dynamic Device
C. A Kusto query language query
D. A security group that has a Membership type of Assigned
A. A dynamic group query
Explanation:
Update Management allows you to target a dynamic group of Azure or non-Azure VMs for update deployments. A dynamic group is defined by a query that Azure Automation evaluates at deployment time.
Reference:
https://docs.microsoft.com/en-us/azure/automation/update-management/configure-groups
You have an Azure subscription named Sub1. Sub1 contains a virtual network named VNet1 that contains one subnet named Subnet1. Subnet1 contains an Azure virtual machine named VM1 that runs Ubuntu Server 18.04. You create a service endpoint for MicrosoftStorage in Subnet1. You need to ensure that when you deploy Docker containers to VM1, the containers can access Azure Storage resources by using the service endpoint. What should you do on VM1 before you deploy the container?
A. Edit the docker-compose.yml file
B. Install the container network interface (CNI) plug-in
C. Create an application security group and a network security group
B. Install the container network interface (CNI) plug-in
Explanation:
The Azure Virtual Network container network interface (CNI) plug-in installs in an Azure Virtual Machine. The plug-in supports both Linux and Windows platforms.
The plug-in assigns IP addresses from a virtual network to containers brought up in the virtual machine, attaching them to the virtual network, and connecting them directly to other containers and virtual network resources. The plug-in doesn’t rely on overlay networks, or routes, for connectivity, and provides the same performance as virtual machines.
The following picture shows how the plug-in provides Azure Virtual Network capabilities to Pods:
You are developing a web application named WebApp1 that needs to retrieve data from Azure SQL database Db1. Your static code security analysis identified an SQL connection string with a username and password included in your code in plain text. You must eliminate this vulnerability in WebApp1.
Which two actions should you identify to achieve this goal in the most effective way? Each correct answer presents a complete solution.
A. Create an Azure Active Directory user identity
B. Create a database user identity
C. Create a user assigned managed identity
D. Create a system assigned managed identity
E. Create a virtual machine local user identity
C. Create a user assigned managed identity
D. Create a system assigned managed identity
Explanation:
You should create a user-assigned or system-assigned managed identity. A managed identity is an Azure Active Directory (Azure AD) security principal that represents the Azure resource. Azure resources can use a managed identity to authenticate to any other Azure services, as such providing secure inter-service authentication. Managed identities can be system-assigned or user-assigned. If you set a system-assigned managed identity, it is created and managed by Azure and gets assigned to your respective resource automatically. If you would like to manage the identity of a security principal yourself, you have to manually create a managed identity as Azure resource and then assign it to your app service, virtual machine (VM), or other Azure resources. In this scenario, using an Azure AD-managed identity provides the possibility to move plain text authentication credentials out of the source code, thereby mitigating the security risk of stolen credentials.
You should not create an Azure Active Directory (Azure AD) user identity. Although using an Azure AD user identity would enable WebApp1 to access Db1, it is not the most effective way. This solution will be more expensive and requires much more administrative effort. An Azure AD user identity would be suitable to manage access to WebApp1, but it is not effective for configuring service-to-service authentication.
You should not create a database user identity. Database identities can be used by users who do not have a login and only need access to one or a few databases. They should not be used in a service-to-service authentication scenario like this one. It is the most dangerous type of authentication.
You should not create a virtual machine local user identity. It is technologically not possible to use a virtual machine local user identity to access Azure SQL Database. A virtual machine local user could be used in the case of an SQL server being installed directly on the virtual machine with the local user.
You have an Azure subscription that contains an Azure SQL database named sql1.
You plan to audit sql1.
You need to configure the audit log destination. The solution must meet the following requirements:
- Support querying events by using the Kusto query language.
- Minimize administrative effort.
What should you configure?
A. A Log Analytics workspace
B. A storage account
C. an event hub
A. A Log Analytics workspace
Explanation:
Key phrase: "Support querying events by using the Kusto query language."
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/tutorial-log-analytics-wizard
You have an Azure SQL Server instance in your subscription. Your passwords for the SQL Server instance are stored in a key vault.
Your organization has password rotation policies that require all SQL passwords to expire every three months. You decide to automate the password rotation in your key vault three days before the password is about to expire.
You need to implement this automation.
Solution: Create an Azure Function with an Event Grid Trigger and configure the Key Vault Event Grid as the source.
Does the solution meet the goal?
A. Yes
B. No
A. Yes
Explanation:
This solution meets the goal. To automate key rotation, you have to write a custom function that can first create a new key in the key vault and then update the SQL password. Since the old password would not yet have expired, applications that use SQL Server as the data source would still function as long as they have the password cached. Once the password is rotated, the applications would retrieve the new password from the key vault.
Your organization has a subscription that hosts resources for multiple applications in Azure. The subscription is part of a tenant that has synchronization enabled using AD Connect with on-premises Active Directory Domain Services (AD DS). The resources for each application are contained in individual resource groups.
As additional users are added to the application teams, you add roles for those users at the resource group level. Users can manage multiple applications.
You need to efficiently manage permissions assigned to Azure Active Directory (Azure AD) users to access these resource groups.
Solution: You create Azure AD groups for each application, add users to these groups, and assign roles to the groups at the resource group level.
Does the solution meet the goal?
A. Yes
B. No
A. Yes
Explanation:
This solution meets the goal. Creating Azure AD groups provides centralized user management for groups of users rather than individual users. When the group is granted permissions at the resource group level, all users in the group inherit the permissions granted to the group. To add or remove permissions for a given user, you would just add or remove them from the corresponding Azure AD group. Roles are a collection of permissions, while groups are a collection of users. With groups, you are able to manage a collection of permissions for a collection of users, which eases the management of both the permissions and the users.
Your company recently completed an Office 365 migration and is using Azure AD Connect to synchronize onsite Active Directory with Azure Active Directory (Azure AD). After a security incident, your company’s security team enables and enforces multi-factor authentication (MFA) deployed on an on-premises server for all external sales reps.
The sales director is unable to access his account and an important presentation because the Microsoft Authenticator app does not launch.
You need to ensure that the director has access to his presentation as quickly as possible without compromising the company’s security policy.
What should you do?
A. Launch the Azure Portal app and disable MFA on the sales director's user account
B. Launch AD Users and Computers and disable MFA on the sales director's user account
C. Use the Set-MsolUser -UserPrincipalName $user -StrongAuthenticationRequirements:$false command
D. Create a one-time bypass for the sales director's user account
D. Create a one-time bypass for the sales director's user account
Explanation:
You should create a one-time bypass for the sales director’s user account. One-time bypasses are used as a temporary solution to MFA issues, for example when a user is not receiving a notification or phone call. They are time-limited and allow a one-time bypass so the user can access the desired resource.
You should not disable MFA on the sales director's account in AD Users & Computers. MFA is not controlled through the on-premises AD. It is controlled in Azure AD.
You should not use the Set-MsolUser cmdlet. The Set-MsolUser cmdlet is used to configure MFA and not to disable it.
You should not launch the Azure Portal app and disable MFA on the sales director’s user account. Although this allows access to the resource, it leaves MFA disabled for any subsequent logins.
You have a hybrid configuration of Azure Active Directory (Azure AD). You have an Azure storage account with a file share named generalBlob. You plan to allow users to authenticate to generalBlob by using their Azure AD credentials. You need to configure the environment to support the planned authentication. Solution: You deploy the on-premises data gateway in the on-premises network. Does this solution meet the goal?
A. Yes
B. No
B. No
Explanation:
This solution does not meet the goal. You should not deploy an on-premises data gateway in the on-premises network. An on-premises data gateway provides quick and secure data transfer between on-premises data and several Microsoft cloud services, like Power BI, Power Apps, and Azure Logic Apps.
You have an Azure resource group that contains 100 virtual machines.
You have an initiative named Initiative1 that contains multiple policy definitions. Initiative1 is assigned to the resource group.
You need to identify which resources do NOT match the policy definitions.
What should you do?
A. From Azure Security Center, view the Secure Score
B. From the Policy blade of the Azure Active Directory admin center, select Compliance
C. From the Policy blade of the Azure Active Directory admin center, select Assignments
D. From Azure Security Center, view the Regulatory compliance assessment
D. From Azure Security Center, view the Regulatory compliance assessment
Explanation:
Any custom initiatives you create will appear alongside the built-in initiatives in the regulatory compliance dashboard.
We use this on a daily basis in our system. You go to Security Center -> Cloud Security -> Regulatory Compliance.
Reference:
https://docs.microsoft.com/en-us/azure/security-center/custom-security-policies?pivots=azure-portal
You have an Azure subscription named Sub1. You have an Azure Storage account named sa1 in a resource group named RG1. Users and applications access the blob service and the file service in sa1 by using several shared access signatures (SASs) and stored access policies. You discover that unauthorized users accessed both the file service and the blob service. You need to revoke all access to sa1.
Solution: You regenerate the Azure storage account access keys. Does this meet the goal?
A. No
B. Yes
B. Yes
Explanation:
SAS tokens must be signed with one of the storage account access keys. Since stored access policies are referenced by SAS tokens, regenerating the access keys ultimately invalidates every SAS that depends on those keys.
https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview
Case Study
General Overview
Fabrikam, Inc. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.
Fabrikam has IT, human resources (HR), and finance departments.
Existing Environment
Network Environment
Fabrikam has a Microsoft 365 subscription and an Azure subscription named subscription1.
The network contains an on-premises Active Directory domain named Fabrikam.com. The domain contains two organizational units (OUs) named OU1 and OU2. Azure AD Connect cloud sync syncs only OU1.
The Azure resources hierarchy is shown in the following exhibit.
You have an Azure subscription named Sub1 that contains an Azure Log Analytics workspace named LAW1.
You have 100 on-premises servers that run Windows Server 2012 R2 and Windows Server 2016. The servers connect to LAW1. LAW1 is configured to collect security-related performance counters from the connected servers.
You need to configure alerts based on the data collected by LAW1. The solution must meet the following requirements:
- Alert rules must support dimensions.
- The time it takes to generate an alert must be minimized.
- Alert notifications must be generated only once when the alert is generated and once when the alert is resolved.
Which signal type should you use when you create the alert rules?
A. Log
B. Metric
C. Activity Log
D. Log (Saved Query)
B. Metric
Explanation:
Metric alerts in Azure Monitor provide a way to get notified when one of your metrics crosses a threshold. Metric alerts work on a range of multi-dimensional platform metrics, custom metrics, and Application Insights standard and custom metrics. Note: Signals are emitted by the target resource and can be of several types: Metric, Activity log, Application Insights, and Log.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-metric