Kindle Practice Test 1 Flashcards

1
Q

Which of the following describe logging of control-plane actions on your Azure subscription?

A. Metrics
B. Diagnostic Log
C. Activity Log
D. Subscription Log
E. Tenant Log
F. Audit Log

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 1). Kindle Edition.

A

C. Activity Log

Explanation:
Monitoring data from Azure comes in three basic forms: Activity log - Azure subscription control-plane log; Metrics - near real-time monitoring information emitted by resources; Diagnostic log - traditional log information emitted by resources. See: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 1). Kindle Edition.

2
Q

What is the minimum required RBAC role required to view Azure Monitor logs?

A. Security Admin
B. Monitoring Contributor
C. Monitoring Administrator
D. Monitoring Reader
E. Security Reader

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (pp. 1-2). Kindle Edition.

A

D. Monitoring Reader

Explanation:
All the roles listed are valid built-in Azure roles, except for Monitoring Administrator, which doesn’t exist. The minimum role required to view Azure Monitor logs is Monitoring Reader. See: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/roles-permissions-security

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 2). Kindle Edition.

3
Q

To configure Azure Monitor log collection and analysis on an Azure VM several configuration steps are required as listed in the answer options. Identify the step that is not required.

A. Create a Log Analytics Workspace
B. Enable a Log Analytics VM Extension
C. Select logs and metrics to collect
D. Provide the VM local administrator username and password

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 2). Kindle Edition.

A

D. Provide the VM local administrator username and password

Explanation:
All of the options are required to enable Azure Monitor log collection and analytics on an Azure VM except for providing a local administrator username and password. See: https://docs.microsoft.com/en-us/azure/azure-monitor/learn/quick-collect-azurevm

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 2). Kindle Edition.

4
Q

What are the destinations available for Azure SQL Server audit logs? Choose 3.

A. SQL Data Warehouse
B. Storage
C. Event Hubs
D. SQL Database
E. Log Analytics

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (pp. 2-3). Kindle Edition.

A

B. Storage
C. Event Hubs
E. Log Analytics

Explanation:
Storage (account), event hubs and log analytics are supported destinations for SQL Database (and/or SQL Server) audit logs. The other options are valid Azure services, but are not selectable as audit log destinations. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing#subheading-2

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 3). Kindle Edition.

5
Q

You configure Azure SQL Database auditing. You select Storage as the audit log destination and don’t change the retention period setting. What is the effect on audit log retention in this scenario?

A. A retention period must be specified, in days up to a maximum of 3285 days
B. Audit logs are kept indefinitely
C. Audit logs are kept for the default of 90 days
D. Audit logs are kept for the default of 120 days

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 3). Kindle Edition.

A

B. Audit logs are kept indefinitely

Explanation:
The default retention period setting for Azure SQL Database audit logs is 0. This equates to keeping audit logs indefinitely. A retention period of up to a maximum of 3285 days can be specified. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing#subheading-2

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 3). Kindle Edition.

6
Q

Describe the steps required to ensure that writing Azure SQL Database audit logs to a storage destination are uninterrupted by a storage access key refresh.

A. Switch the storage destination to an alternative storage account; refresh the primary and secondary storage keys in the storage configuration of the original storage account; optionally switch the storage destination back to the original storage account
B. Stop the Azure SQL Server associated with the Azure SQL Database; refresh the primary and secondary storage keys in the storage configuration; start the Azure SQL Server associated with the Azure SQL Database
C. No action is required - storage keys are automatically updated for SQL Data audit logs when Storage access keys are refreshed
D. Switch the storage access key in the audit configuration to secondary; refresh the primary storage key in the storage configuration; switch the storage access key in the audit configuration to primary; refresh the secondary storage access key in the storage configuration

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 4). Kindle Edition.

A

D. Switch the storage access key in the audit configuration to secondary; refresh the primary storage key in the storage configuration; switch the storage access key in the audit configuration to primary; refresh the secondary storage access key in the storage configuration

Explanation:
Switching the storage configuration to secondary, refreshing the primary key, then switching the storage configuration back to primary before finally refreshing the secondary key is the recommended method to ensure uninterrupted audit logging in Azure SQL Database. You cannot stop a SQL Server (unless you delete the server along with all databases on it). The storage configuration is not automatically updated. Switching the storage destination to an alternative storage account would work, but you will end up with two sources of audit log data, which is not an ideal situation and not the best answer. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing#storage-key-regeneration

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 4). Kindle Edition.

7
Q

You are planning on rolling out Privilege Identity Management (PIM) to the IT and Dev department. Which of the following licenses should be assigned to your directory to enable this functionality? Select all that apply.

A. Azure AD P1
B. Azure AD P2
C. EMS E3
D. EMS E5
E. Microsoft 365 M5

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (pp. 4-5). Kindle Edition.

A

B. Azure AD P2
D. EMS E5
E. Microsoft 365 M5

Explanation:
When you want to make use of PIM, you need one of the following trial or paid licenses assigned to your tenant: Azure AD P2, EMS E5 and Microsoft 365 M5. Azure AD P1 and EMS E3 do not support PIM functionality. https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/subscription-requirements

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 5). Kindle Edition.

8
Q

True or false: a guest user in Azure AD can make use of the paid Azure AD features without having a member account in Azure AD.

A. TRUE
B. FALSE

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 5). Kindle Edition.

A

A. TRUE

Explanation:
True is correct, as you can invite external “guest” users to use your paid Azure AD services; for each paid Azure AD license you can invite up to five guest users. https://docs.microsoft.com/en-us/azure/active-directory/b2b/licensing-guidance

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 5). Kindle Edition.

9
Q

Which of the following statements are true when transferring the subscription ownership to another user? Select all that apply.

A. When transferring a subscription to a new Azure AD tenant, all RBAC assignments are permanently deleted from the source tenant and not migrated to the target tenant
B. Self-serve subscription transfer is only available for selected offers
C. When transferring a subscription to another administrator will cause downtime
D. The offer type can be changed during the transferring a subscription

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (pp. 5-6). Kindle Edition.

A

A. When transferring a subscription to a new Azure AD tenant, all RBAC assignments are permanently deleted from the source tenant and not migrated to the target tenant
B. Self-serve subscription transfer is only available for selected offers

Explanation:
Option 1 is correct: when transferring a subscription to a new Azure AD tenant, all existing RBAC roles linked to the subscription will be permanently deleted and not migrated to the new tenant. Option 2 is correct as the self-serve option is only available for selected offers. Option 3 is incorrect as there will be no downtime when transferring ownership to another user/administrator. Option 4 is incorrect as you cannot change the offer type while transferring the subscription; the offer must remain the same. https://docs.microsoft.com/en-us/azure/billing/billing-subscription-transfer

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 6). Kindle Edition.

10
Q

Which of the following roles are required to manage assignments for other administrators in Privilege Identity Management (PIM) for Azure AD roles?

A. Global administrators
B. Security administrators
C. Security readers
D. Privilege Role Administrator

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (pp. 6-7). Kindle Edition.

A

D. Privilege Role Administrator

Explanation:
Privilege role administrator is correct as this is the only role that can manage other administrators in PIM for Azure AD roles. Global administrator, Security administrator and security readers can only view assignments to Azure AD roles in PIM. https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 7). Kindle Edition.

11
Q

Which of the following roles are required to manage assignments for other administrators in PIM for Azure Resource roles?

A. Subscription administrator
B. Resource owner
C. Resource User Access Administrator
D. Security administrator
E. Security reader

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 7). Kindle Edition.

A

A. Subscription administrator
B. Resource owner
C. Resource User Access Administrator

Explanation:
Only the following roles can manage assignments for other administrators in PIM for Azure resource roles: Subscription admin, resource owner and resource user access admin. Security admin and security reader do not by default have access to view assignments to Azure resource roles in PIM. https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (pp. 7-8). Kindle Edition.

12
Q

One of the developers needs API access to the “Dev” resource group. Which of the following roles do you need to assign to the developer?

A. Owner role
B. Contributor role
C. API management contributor role
D. Reader role

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 8). Kindle Edition.

A

C. API management contributor role

Explanation:
API management contributor role is correct; this also needs to be assigned at the resource group level. The developer should now be able to sign in via PowerShell. https://docs.microsoft.com/en-us/azure/api-management/api-management-faq

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 8). Kindle Edition.

13
Q

True or false: The API management gateway IP address is constant and can be used in firewall rules as a static IP.

A. TRUE
B. FALSE

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 8). Kindle Edition.

A

A. TRUE

Explanation:
True is correct: in all tiers of API Management the public IP address of the API Management tenant is static for the lifetime of the tenant; however, there are some exceptions, such as when the service is deleted and re-created. https://docs.microsoft.com/en-us/azure/api-management/api-management-faq

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 8). Kindle Edition.

14
Q

True or false: You can move an API Management service from one subscription to another.

A. TRUE
B. FALSE

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 9). Kindle Edition.

A

A. TRUE

Explanation:
True is correct, you can move the API management service from one subscription to another. https://docs.microsoft.com/en-us/azure/api-management/api-management-faq

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 9). Kindle Edition.

15
Q

You need to manage inbound and outbound traffic rules at scale to specific VMs with minimum effort. You plan on creating separate inbound and outbound NSG rules with CIDR notation. Is this the easiest method to manage multiple VMs?

A. TRUE
B. FALSE

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 17). Kindle Edition.

A

B. FALSE

Explanation:
False; you need to make use of Application Security Groups (ASGs). ASGs allow you to group VMs to make management easier: for example, you can group several VMs with an ASG and only make changes once to the ASG instead of manually adding/removing/editing NSG rules with CIDR notation. https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#application-security-groups

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 17). Kindle Edition.

16
Q

You have a storage account named “BlobStore” and you have noticed that anyone can access this storage account over the internet. You need to secure this storage account so that only users from the Head Office with IP 197.145.42.202/32 can access this storage account, however you still require anonymous access over the internet to the storage metrics for this account. Which 2 options should you configure?

A. Configure Allow access from selected networks and specify 197.145.42.202/32
B. Configure Allow access from all networks
C. Configure IP ranges under the firewall section and specify 197.145.42.202/32
D. Allow trusted Microsoft services to access this storage account
E. Allow read access to storage metrics from any network

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 18). Kindle Edition.

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (pp. 17-18). Kindle Edition.

A

C. Configure IP ranges under the firewall section and specify 197.145.42.202/32
E. Allow read access to storage metrics from any network

Explanation:
Option 3 is correct as you need to specify the public IP address range you want to allow under the firewall section for the storage account. Option 5 is also correct as you need to allow only read access to storage metrics from any network. Option 1 is incorrect as you cannot specify the public IP address under the “selected networks” section as this is used to allow access from Virtual Networks in Azure to the storage account. Option 2 is incorrect as you should not configure “allow access from all networks” as you need to limit the access to specific public IPs as described in the scenario. Option 4 is incorrect as this will only allow Microsoft services access to the storage account and not the users from the Head Office. https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 18). Kindle Edition.

17
Q

You plan on deploying an anti-malware solution to your LOB application VM via a security extension. Is it possible to add the anti-malware security extension on top of the built-in Windows Defender anti-malware solution running locally on the VM?

A. TRUE
B. FALSE

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 18). Kindle Edition.

A

A. TRUE

Explanation:
True is correct, as it is possible to add the Azure VM Antimalware extension. It is to be noted that the Windows Server 2016 OS has Windows Defender built in by default, which protects against malware. However, if you run the Azure VM Antimalware extension on top of Windows Defender, the extension will apply any optional configuration policies to be used by Windows Defender and will not deploy any additional antimalware services. https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (pp. 18-19). Kindle Edition.

18
Q

Which of the following core features are available when you deploy Microsoft anti-malware for Azure applications? Select all that apply.

A. Real-time protection
B. Malware remediation
C. Exclusions
D. Anti-malware engine and platform updates

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 19). Kindle Edition.

A

A. Real-time protection
B. Malware remediation
C. Exclusions
D. Anti-malware engine and platform updates

Explanation:
All of the above are correct. When deploying Microsoft antimalware for Azure applications, some of the features are: real-time protection, malware remediation, exclusion of files, processes and drives, and automatic updates to the antimalware engine and platform. https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 19). Kindle Edition.

19
Q

When making use of resource locks, which of the following locking modes are valid? Select all that apply.

A. Read only
B. Do not delete
C. Write only

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 19). Kindle Edition.

A

A. Read only
B. Do not delete

Explanation:
When creating a resource lock, you have the following options: Read only, which means all resources can be viewed, however no changes are allowed. Do not delete is correct, as you can modify resources, however you are not allowed to remove/delete resources within that resource lock. Write-only is incorrect; there is no such option. https://docs.microsoft.com/en-us/azure/governance/blueprints/concepts/resource-locking

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 20). Kindle Edition.

20
Q

Which of the following is supported to create custom RBAC roles? Select all that apply.

A. Azure PowerShell
B. Azure CLI
C. Rest API
D. CMD

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 20). Kindle Edition.

A

A. Azure PowerShell
B. Azure CLI
C. Rest API

Explanation:
Azure PowerShell, CLI and Rest API are correct and can be used to create custom RBAC roles in Azure. CMD is incorrect, as this is not supported. https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 20). Kindle Edition.

21
Q

You need to provide RBAC access to a third party to manage a “LOB-VM”. The third party should be able to restart the VM, however not be able to shut down the VM. When using Azure CLI, how should this be defined? Select all that apply.

A. Action: Microsoft.compute/virtualmachines/restart/action
B. Action: Microsoft.compute/virtualmachines/start/action
C. NotActions:Microsoft.compute/virtualmachines/start/action
D. NotAction:Microsoft.compute/virtualmachines/shutdown/action

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 21). Kindle Edition.

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 20). Kindle Edition.

A

A. Action: Microsoft.compute/virtualmachines/restart/action
D. NotAction:Microsoft.compute/virtualmachines/shutdown/action

Explanation:
Option 1 is correct as you need to define the allowed action as restart. Option 4 is correct as you need to define the action which is not allowed, in this case it is shutdown. Option 2 is incorrect as you do not want the third party to start the VM as this is not a requirement. Option 3 is incorrect as you should make use of the shutdown parameter instead of start as you want to prohibit the shutdown of the VM, not the starting of the VM. https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-cli https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 21). Kindle Edition.

22
Q

Which of the following can be associated to a Network Security Group (NSG) ? Select all that apply.

A. Subnet
B. Resource Group
C. Network Interface Card (NIC)
D. Virtual Network (VNet)

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 21). Kindle Edition.

A

A. Subnet
C. Network Interface Card (NIC)

Explanation:
Subnet and Network Interface Cards (NICs) are correct; you cannot associate a VNet or resource group to a Network Security Group (NSG). https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 21). Kindle Edition.

23
Q

True or false: when there are 2 NSGs associated to the same subnet, and one NSG denies traffic on port 80 inbound while another allows traffic on port 80 inbound to the same VM, the traffic will automatically be blocked due to the one NSG rule that denies the traffic.

A. TRUE
B. FALSE

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 22). Kindle Edition.

A

A. TRUE

Explanation:
True is correct: whenever a VM/subnet is associated to 2 or more NSGs and there are conflicting rules on each NSG (i.e. one NSG has allow and one NSG has deny), the NSG which has the deny rule will take preference and traffic will not pass through. https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 22). Kindle Edition.

24
Q

True or False: you can create custom service tags when making use of Network Security Groups?

A. TRUE
B. FALSE

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 22). Kindle Edition.

A

B. FALSE

Explanation:
False is correct; you cannot create your own service tag or specify which IPs are included within a tag. https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#service-tags

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 22). Kindle Edition.

25
Q

What are two types of data store used by Azure Monitor?

A. Logs
B. Metrics
C. Event Hubs
D. Blobs
E. Queues

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (pp. 22-23). Kindle Edition.

A

A. Logs
B. Metrics

Explanation:
Azure Monitor stores data in Logs and Metrics data stores. The other answers are examples of Azure storage products. See: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-platform

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 23). Kindle Edition.

26
Q

Which of the following are not characteristics of Azure Monitor Metrics?

A. Text or numeric data
B. Collected at regular intervals
C. Lightweight
D. Sourced from Application Insights
E. Sourced from Azure resources

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 23). Kindle Edition.

A

A. Text or numeric data

Explanation:
All the options are true for Azure Monitor Metrics except for Text or numeric data. Metrics are only numeric data. Azure Monitor Logs can also contain Text data. See: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-platform#compare-azure-monitor-metrics-and-logs

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 23). Kindle Edition.

27
Q

Which of the following are valid Azure Monitor data sources?

A. Application Insights
B. Log Analytics Agent
C. Azure Resource Diagnostic Log
D. Azure Subscription
E. Azure Tenant Audit Log
F. On-Premises Operating System

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (pp. 23-24). Kindle Edition.

A

A. Application Insights
B. Log Analytics Agent
C. Azure Resource Diagnostic Log
D. Azure Subscription
E. Azure Tenant Audit Log
F. On-Premises Operating System

Explanation:
All of the options are valid sources for Azure Monitor. Custom sources (via Data Collector API), Guest Operating Systems and Application Insights are supported for on-premises or other clouds deployments. See: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 24). Kindle Edition.

28
Q

What are the three headline capabilities of advanced data security in Azure SQL Database?

A. SQL Server Firewall
B. Data discovery and classification
C. Vulnerability assessment
D. Azure security center
E. Advanced threat protection
F. Dynamic data masking

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (pp. 24-25). Kindle Edition.

A

B. Data discovery and classification
C. Vulnerability assessment
E. Advanced threat protection

Explanation:
The advanced data security capability of Azure SQL Database provides data discovery and classification; vulnerability assessment and advanced threat protection. ADS is integrated with ASC where alerts and incidents are surfaced and managed. SQL Database firewall and dynamic data masking are valid SQL Database features, but they are not part of advanced data security. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-advanced-data-security#overview

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 25). Kindle Edition.

29
Q

Which of the following authentication mechanisms is used by Azure HDInsight?

A. Kerberos
B. OAuth
C. SAML
D. Azure Active Directory
E. OpenID

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 25). Kindle Edition.

A

A. Kerberos

Explanation:
Azure HDInsight uses Kerberos authentication provided through integration with Azure Active Directory Domain Services. The other authentication standards are not supported. https://docs.microsoft.com/en-us/azure/hdinsight/domain-joined/apache-domain-joined-architecture

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 25). Kindle Edition.

30
Q

Multiple layers of security are recommended for Azure HDInsight. Which of the following is not considered a protection layer?

A. Perimeter security
B. Authorisation security
C. Authentication security
D. Data security
E. Cluster security

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 26). Kindle Edition.

A

E. Cluster security

Explanation:
Perimeter, authentication, authorisation and data layer security are recommended. Cluster security is not considered part of deploying Azure HDInsight security. https://docs.microsoft.com/en-us/azure/hdinsight/domain-joined/apache-domain-joined-introduction

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 26). Kindle Edition.

31
Q

Which component is used to manage role-based access control in Azure HDInsight?

A. Azure Active Directory
B. Azure Active Directory Domain Services
C. Apache Ranger
D. Apache Hive Server
E. Apache Spark

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 26). Kindle Edition.

A

C. Apache Ranger

Explanation:
Apache Ranger is used to create RBAC policies in Azure HDInsight. HDInsight is integrated with Azure AD DS for Kerberos authentication services, but RBAC is handled in the HDInsight cluster itself using Apache Ranger. https://docs.microsoft.com/en-us/azure/hdinsight/domain-joined/apache-domain-joined-introduction#authorization

32
Q

How does HDInsight provide protection for data at rest?

A. Apache Hive Server Encryption
B. Azure Storage Service Encryption
C. Apache HBase Encryption
D. Apache Ranger Encryption
E. AES 256-bit Encryption

A

B. Azure Storage Service Encryption

Explanation:
HDInsight uses Azure Blob storage and Azure Data Lake Storage as its underlying storage, and that storage is automatically encrypted by Azure Storage Service Encryption (SSE). SSE uses AES 256-bit as the algorithm, but that is not the best answer to the question. The Apache components are not responsible for encryption at rest. https://docs.microsoft.com/en-us/azure/hdinsight/domain-joined/apache-domain-joined-introduction#encryption

33
Q

It is considered best practice to add an additional layer of access control security to Azure Cosmos DB. Which Azure feature provides this capability?

A. Network Security Group
B. Azure Firewall
C. Cosmos DB Firewall
D. Network Security Appliance
E. Azure Active Directory Conditional Access
F. Azure Information Protection

A

C. Cosmos DB Firewall

Explanation:
Azure Cosmos DB has a built-in IP firewall. Once IP access control is enabled on the account, only requests from the configured IP addresses or CIDR ranges are accepted; without it, the account is reachable from any public IP that presents a valid key. This is the best answer to the question. Network security groups, Azure Firewall and a third-party firewall appliance (commonly referred to as a network security appliance) can also be configured as an additional layer of security, but they are not the best answer. Azure AD Conditional Access and Azure Information Protection are not directly involved in Cosmos DB access control. https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-firewall#configure-ip-policy

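The following is an added example, not code from the practice-test book or from Microsoft. It models the rule semantics of the Cosmos DB IP firewall described above: with no rules configured the account accepts requests from any public address, and with rules configured only the listed IPv4 addresses or CIDR ranges pass. The rule strings and client addresses are constructed test data; the helper that renders the rules as a comma-separated string assumes the reader passes it to the `--ip-range-filter` parameter of `az cosmosdb update` (the command is not invoked here).

```python
"""Offline model of Azure Cosmos DB IP firewall rule evaluation (added example)."""
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_ip_rules(rules: Iterable[str]) -> List[Network]:
    """Parse entries in the two forms the Cosmos DB firewall accepts:
    a single address (203.0.113.4) or a CIDR range (203.0.113.0/24)."""
    networks: List[Network] = []
    for rule in rules:
        rule = rule.strip()
        if not rule:
            continue
        # strict=False tolerates host bits set inside a range entry
        networks.append(ipaddress.ip_network(rule, strict=False))
    return networks


def is_allowed(client_ip: str, rules: Iterable[str]) -> bool:
    """Return True if a request from client_ip reaches the account.

    An empty rule list means no IP firewall, so every public address is
    allowed (the request still needs a valid key). That default is why the
    firewall is described as an *additional* layer of access control."""
    networks = parse_ip_rules(rules)
    if not networks:
        return True
    addr = ipaddress.ip_address(client_ip)
    # membership across IP versions is simply False, so mixed lists are safe
    return any(addr in net for net in networks)


def ip_range_filter(rules: Iterable[str]) -> str:
    """Render the rules as the comma-separated string expected by
    `az cosmosdb update --ip-range-filter` (assumption: used by the caller).
    Single hosts are emitted without a /32 suffix."""
    parts = []
    for net in parse_ip_rules(rules):
        if net.prefixlen == net.max_prefixlen:
            parts.append(str(net.network_address))
        else:
            parts.append(str(net))
    return ",".join(parts)


if __name__ == "__main__":
    office = ["203.0.113.0/24", "198.51.100.7"]   # constructed sample rules
    for ip in ("203.0.113.42", "198.51.100.7", "192.0.2.9"):
        print(ip, "no rules:", is_allowed(ip, []),
              "with rules:", is_allowed(ip, office))
    print("--ip-range-filter", ip_range_filter(office))
```

Running the block shows the caveat a reviewer looks for: 192.0.2.9 is allowed when the rule list is empty and rejected only once the office ranges are configured.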
34
Q

Azure Cosmos DB uses two types of keys to authenticate users and provide access to its data and resources. Select them from the answer options.

A. Access Key
B. Shared Access Key
C. Role Based Access Control
D. Resource Token
E. Shared Access Signature
F. Master Key

A

D. Resource Token
F. Master Key

Explanation:
Cosmos DB uses a Master Key for administrative resources: database accounts, databases, users, and permissions. It also uses a Resource Token for application resources: containers, documents, attachments, stored procedures, triggers, etc. https://docs.microsoft.com/en-us/azure/cosmos-db/database-security#how-does-azure-cosmos-db-secure-my-database

35
Q

How does Cosmos DB provide protection for data at rest?

A. Hash-based Message Authentication Code (HMAC)
B. Azure Storage Service Encryption
C. Azure Key Vault
D. SSL/TLS 1.2
E. AES 256-bit Encryption

A

B. Azure Storage Service Encryption

Explanation:
Azure Storage encryption is used to encrypt data at rest for Cosmos DB. HMAC is used in Cosmos DB authorisation (signing requests with the master key), not for data encryption. Applications can keep the Cosmos DB keys in Azure Key Vault instead of in application configuration, but Key Vault does not encrypt the database itself. SSL/TLS 1.2 protects data in transit, not data at rest. https://docs.microsoft.com/en-us/azure/cosmos-db/database-encryption-at-rest

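The two preceding cards (master key versus resource token, and HMAC as an authorisation mechanism rather than encryption) are illustrated by the following added example, which is not code from the practice-test book or from the Azure SDK. It implements the documented Cosmos DB REST request-signing scheme: an HMAC-SHA256 over the lower-cased verb, resource type and x-ms-date plus the resource link, keyed with the base64-decoded master key, and shows how a resource token is sent instead. The master key, database and container names are constructed values.

```python
"""Cosmos DB master-key request signing and resource-token header (added example)."""
import base64
import hashlib
import hmac
from email.utils import formatdate
from urllib.parse import quote, unquote

# Constructed master key: real account keys are 64 random bytes, base64-encoded.
FAKE_MASTER_KEY = base64.b64encode(b"\x01" * 64).decode("ascii")


def string_to_sign(verb: str, resource_type: str, resource_link: str, date: str) -> str:
    """Canonical payload: verb, resource type and date are lower-cased; the
    resource link (e.g. dbs/db1/colls/c1/docs/item1) keeps its case.
    Each field is newline-terminated, including the empty trailing field."""
    return (verb.lower() + "\n" + resource_type.lower() + "\n"
            + resource_link + "\n" + date.lower() + "\n" + "" + "\n")


def master_key_auth_header(master_key_b64: str, verb: str, resource_type: str,
                           resource_link: str, date: str) -> str:
    """Authorization header value for a request signed with the master key."""
    key = base64.b64decode(master_key_b64)
    payload = string_to_sign(verb, resource_type, resource_link, date).encode("utf-8")
    sig = base64.b64encode(hmac.new(key, payload, hashlib.sha256).digest()).decode("ascii")
    # The whole value is URL-encoded: type=master&ver=1.0&sig=<base64 HMAC>
    return quote("type=master&ver=1.0&sig=" + sig, safe="")


def resource_token_auth_header(resource_token: str) -> str:
    """A resource token is issued by a trusted service (which holds the master
    key) to an untrusted client; the client sends it as-is, no signing."""
    return quote("type=resource&ver=1.0&sig=" + resource_token, safe="")


def signature_from_header(header: str) -> bytes:
    """Extract and decode the sig= part; a valid HMAC-SHA256 is 32 bytes."""
    return base64.b64decode(unquote(header).split("sig=", 1)[1])


def verify_master_key_signature(master_key_b64: str, header: str, verb: str,
                                resource_type: str, resource_link: str, date: str) -> bool:
    """Server-side view: recompute the HMAC and compare in constant time.
    This proves who signed the request; it encrypts nothing, which is why
    HMAC is an authorisation answer and not a data-at-rest answer."""
    expected = master_key_auth_header(master_key_b64, verb, resource_type, resource_link, date)
    return hmac.compare_digest(expected, header)


if __name__ == "__main__":
    date = formatdate(usegmt=True)   # x-ms-date in RFC 1123 form
    hdr = master_key_auth_header(FAKE_MASTER_KEY, "GET", "docs",
                                 "dbs/db1/colls/c1/docs/item1", date)
    print("x-ms-date:", date)
    print("Authorization:", hdr)
    print("resource token header:", resource_token_auth_header("constructed-token"))
```

Because the verb and resource link are part of the signed string, a header captured for a GET on one document cannot be replayed as a DELETE or against another document; only a fresh signature with the master key, or a scoped resource token, authorises that.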
36
Q

How does Azure Data Lake provide protection for data at rest?

A. BitLocker
B. Azure Storage Service Encryption
C. Azure Key Vault
D. SSL/TLS 1.2
E. AES 256-bit Encryption

A

B. Azure Storage Service Encryption

Explanation:
Azure Data Lake is built on Azure Storage, just like Blobs, Tables and Queues. It uses the same underlying encryption for data at rest: Storage Service Encryption. SSE uses AES 256-bit as the underlying encryption algorithm, but this is not the best answer for the question. SSL/TLS is encryption for data in transit, not data at rest. Azure Key Vault can hold the key for SSE in a Bring Your Own Key scenario, but does not perform the encryption itself. BitLocker is Microsoft's endpoint disk encryption technology and is not relevant to SSE. https://docs.microsoft.com/en-za/azure/storage/common/storage-service-encryption?toc=%2fazure%2fstorage%2fblobs%2ftoc.json#view-encryption-settings-in-the-azure-portal
