Questions 31-60 Flashcards

1
Q

Your company has an Azure subscription that uses Azure Storage.
The company plans to share specific blobs with vendors.
You need to recommend a solution to provide the vendors with secure access to specific blobs without exposing the blobs publicly. The access must be time-limited.
What should you include in the recommendation?

A. Configure private link connections.
B. Configure encryption by using customer-managed keys (CMKs).
C. Share the connection string of the access key.
D. Create shared access signatures (SAS).
A

D. Create shared access signatures (SAS).

2
Q

You are designing security for an Azure landing zone.
Your company identifies the following compliance and privacy requirements:
✑ Encrypt cardholder data by using encryption keys managed by the company.
✑ Encrypt insurance claim files by using encryption keys hosted on-premises.
Which two configurations meet the compliance and privacy requirements? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Store the cardholder data in an Azure SQL database that is encrypted by using Microsoft-managed keys.
B. Store the insurance claim data in Azure Blob storage encrypted by using customer-provided keys.
C. Store the cardholder data in an Azure SQL database that is encrypted by using keys stored in Azure Key Vault Managed HSM.
D. Store the insurance claim data in Azure Files encrypted by using Azure Key Vault Managed HSM.
A

C. Store the cardholder data in an Azure SQL database that is encrypted by using keys stored in Azure Key Vault Managed HSM.
D. Store the insurance claim data in Azure Files encrypted by using Azure Key Vault Managed HSM.

3
Q

You are a security architect for a company with Microsoft Azure and Microsoft 365 subscriptions, and the company recently suffered a ransomware attack.
After reviewing the incident with the team, you found that although information was available to help remediate the attack, it was not centrally contextualized for the security incident, which slowed down remediation.
Which tool can provide a central console to detect, investigate, remediate, hunt, and use threat intelligence to contextualize a security incident?

A. Microsoft Sentinel
B. Microsoft Defender for Cloud
C. Microsoft 365 Defender
D. Defender for Endpoint
A

A. Microsoft Sentinel

4
Q

You are a security analyst in an organization. The chief compliance officer has tasked you with ensuring that all new Azure core services are HIPAA compliant.
Which Azure operational compliance solution can you use to automate compliant deployment of Azure core services?

A. Azure Policy
B. Azure Blueprints
C. Desired State Configuration
D. Azure Automation Update Management
A

B. Azure Blueprints

5
Q

HOTSPOT -
You are designing security for a runbook in an Azure Automation account. The runbook will copy data to Azure Data Lake Storage Gen2.
You need to recommend a solution to secure the components of the copy process.
What should you include in the recommendation for each component? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer Area
Data security:
* Access keys stored in Azure Key Vault
* Automation Contributor built-in role
* Azure Private Link with network service tags
* Azure Web Application Firewall rules with network service tags

Network access control:
* Access keys stored in Azure Key Vault
* Automation Contributor built-in role
* Azure Private Link with network service tags
* Azure Web Application Firewall rules with network service tags

A

Data security: Access keys stored in Azure Key Vault
Network access control: Azure Private Link with network service tags

6
Q

You receive a security alert in Microsoft Defender for Cloud as shown in the exhibit. (Click the Exhibit tab.)

Security alert
MicroBurst exploitation toolkit used to extract keys to your storage accounts (Preview)

After remediating the threat, which policy definition should you assign to prevent the threat from reoccurring?

A. Storage account public access should be disallowed
B. Azure Key Vault Managed HSM should have purge protection enabled
C. Storage accounts should prevent shared key access
D. Storage account keys should not be expired
A

A. Storage account public access should be disallowed

7
Q

Your company plans to provision blob storage by using an Azure Storage account. The blob storage will be accessible from 20 application servers on the internet.
You need to recommend a solution to ensure that only the application servers can access the storage account.
What should you recommend using to secure the blob storage?

A. managed rule sets in Azure Web Application Firewall (WAF) policies
B. inbound rules in network security groups (NSGs)
C. firewall rules for the storage account
D. inbound rules in Azure Firewall
E. service tags in network security groups (NSGs)
A

C. firewall rules for the storage account

8
Q

Your company is preparing for cloud adoption.
You are designing security for Azure landing zones.
Which two preventative controls can you implement to increase the secure score?
Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

A. Azure Web Application Firewall (WAF)
B. Azure Active Directory (Azure AD) Privileged Identity Management (PIM)
C. Microsoft Sentinel
D. Azure Firewall
E. Microsoft Defender for Cloud alerts
A

A. Azure Web Application Firewall (WAF)
D. Azure Firewall

9
Q

HOTSPOT -
Your company uses Microsoft Defender for Cloud and Microsoft Sentinel.
The company is designing an application that will have the architecture shown in the following exhibit.

Clients -> Azure Application Gateway with Web Application Firewall -> Azure Firewall Premium -> Azure Virtual Machines

You are designing a logging and auditing solution for the proposed architecture. The solution must meet the following requirements:
✑ Integrate Azure Web Application Firewall (WAF) logs with Microsoft Sentinel.
✑ Use Defender for Cloud to review alerts from the virtual machines.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer Area
For WAF:
* The Azure Diagnostics extension
* Azure Network Watcher
* Data connectors
* Workflow automation

For the virtual machines:
* The Azure Diagnostics extension
* Azure Storage Analytics
* Data connectors
* The Log Analytics agent
* Workflow automation

A

For WAF: Data connectors
For the virtual machines: The Log Analytics agent

10
Q

Your company plans to deploy several Azure App Service web apps. The web apps will be deployed to the West Europe Azure region. The web apps will be accessed only by customers in Europe and the United States.
You need to recommend a solution to prevent malicious bots from scanning the web apps for vulnerabilities. The solution must minimize the attack surface.
What should you include in the recommendation?

A. Azure Firewall Premium
B. Azure Traffic Manager and application security groups
C. Azure Application Gateway Web Application Firewall (WAF)
D. network security groups (NSGs)
A

C. Azure Application Gateway Web Application Firewall (WAF)

11
Q

Your company is designing an application architecture for Azure App Service Environment (ASE) web apps as shown in the exhibit. (Click the Exhibit tab.)

On-premises app server with public IP <- on-premises firewall
User -> public internet -> Azure subscription [Resource group] [X] -> subnet01 (-> appAPI01 -> appAPI02)

Communication between the on-premises network and Azure uses an ExpressRoute connection.
You need to recommend a solution to ensure that the web apps can communicate with the on-premises application server. The solution must minimize the number of public IP addresses that are allowed to access the on-premises network.
What should you include in the recommendation?

A. Azure Traffic Manager with priority traffic-routing methods
B. Azure Firewall with policy rule sets
C. Azure Front Door with Azure Web Application Firewall (WAF)
D. Azure Application Gateway v2 with user-defined routes (UDRs)
A

B. Azure Firewall with policy rule sets

12
Q

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are designing the encryption standards for data at rest for an Azure resource.
You need to provide recommendations to ensure that the data at rest is encrypted by using AES-256 keys. The solution must support rotating the encryption keys monthly.
Solution: For blob containers in Azure Storage, you recommend encryption that uses Microsoft-managed keys within an encryption scope.
Does this meet the goal?

A. Yes
B. No
A

B. No

13
Q

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are designing the encryption standards for data at rest for an Azure resource.
You need to provide recommendations to ensure that the data at rest is encrypted by using AES-256 keys. The solution must support rotating the encryption keys monthly.
Solution: For Azure SQL databases, you recommend Transparent Data Encryption (TDE) that uses Microsoft-managed keys.
Does this meet the goal?

A. Yes
B. No
A

B. No

14
Q

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are designing the encryption standards for data at rest for an Azure resource.
You need to provide recommendations to ensure that the data at rest is encrypted by using AES-256 keys. The solution must support rotating the encryption keys monthly.
Solution: For blob containers in Azure Storage, you recommend encryption that uses customer-managed keys (CMKs).
Does this meet the goal?

A. Yes
B. No
A

A. Yes

15
Q

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are designing the encryption standards for data at rest for an Azure resource.
You need to provide recommendations to ensure that the data at rest is encrypted by using AES-256 keys. The solution must support rotating the encryption keys monthly.
Solution: For Azure SQL databases, you recommend Transparent Data Encryption (TDE) that uses customer-managed keys (CMKs).
Does this meet the goal?

A. Yes
B. No
A

A. Yes

16
Q

Your company has finalized its adoption of Azure and is implementing Microsoft Defender for Cloud.
You receive the following recommendations in Defender for Cloud:
✑ Access to storage accounts with firewall and virtual network configurations should be restricted.
✑ Storage accounts should restrict network access using virtual network rules.
✑ Storage account should use a private link connection.
✑ Storage account public access should be disallowed.
You need to recommend a service to mitigate identified risks that relate to the recommendations.
What should you recommend?

A. Azure Policy
B. Azure Network Watcher
C. Azure Storage Analytics
D. Microsoft Sentinel
A

A. Azure Policy

17
Q

Your company has an Azure subscription that has enhanced security enabled for Microsoft Defender for Cloud.
The company signs a contract with the United States government.
You need to review the current subscription for NIST 800-53 compliance.
What should you do first?

A. From Azure Policy, assign a built-in initiative that has a scope of the subscription.
B. From Microsoft Sentinel, configure the Microsoft Defender for Cloud data connector.
C. From Defender for Cloud, review the Azure security baseline for audit report.
D. From Microsoft Defender for Cloud Apps, create an access policy for cloud applications.
A

A. From Azure Policy, assign a built-in initiative that has a scope of the subscription.

18
Q

You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You need to enforce ISO 27001:2013 standards for the subscription. The solution must ensure that noncompliant resources are remediated automatically.
What should you use?

A. Azure Policy
B. Azure Blueprints
C. the regulatory compliance dashboard in Defender for Cloud
D. Azure role-based access control (Azure RBAC)
A

A. Azure Policy

19
Q

You are evaluating an Azure environment for compliance.
You need to design an Azure Policy implementation that can be used to evaluate compliance without changing any resources.
Which effect should you use in Azure Policy?

A. Deny
B. Modify
C. Append
D. Disabled
A

D. Disabled

20
Q

Your company has a hybrid cloud infrastructure.
Data and applications are moved regularly between cloud environments.
The company’s on-premises network is managed as shown in the following exhibit.

On-premises: Windows Server, Linux Server
Azure: Azure Monitor, Azure Policy, Azure Update Management

You are designing security operations to support the hybrid cloud infrastructure. The solution must meet the following requirements:
✑ Govern virtual machines and servers across multiple environments.
✑ Enforce standards for all the resources across all the environments by using Azure Policy.
Which two components should you recommend for the on-premises network? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. on-premises data gateway
B. Azure VPN Gateway
C. guest configuration in Azure Policy
D. Azure Arc
E. Azure Bastion
A

C. guest configuration in Azure Policy
D. Azure Arc

21
Q

Your company has an office in Seattle.
The company has two Azure virtual machine scale sets hosted on different virtual networks.
The company plans to contract developers in India.
You need to recommend a solution to provide the developers with the ability to connect to the virtual machines over SSL from the Azure portal. The solution must meet the following requirements:
✑ Prevent exposing the public IP addresses of the virtual machines.
✑ Provide the ability to connect without using a VPN.
✑ Minimize costs.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Create a hub and spoke network by using virtual network peering.
B. Deploy Azure Bastion to each virtual network.
C. Deploy Azure Bastion to one virtual network.
D. Create NAT rules and network rules in Azure Firewall.
E. Enable just-in-time VM access on the virtual machines.
A

A. Create a hub and spoke network by using virtual network peering.
C. Deploy Azure Bastion to one virtual network.

22
Q

You have an Azure subscription that contains virtual machines.
Port 3389 and port 22 are disabled for outside access.
You need to design a solution to provide administrators with secure remote access to the virtual machines. The solution must meet the following requirements:
✑ Prevent the need to enable ports 3389 and 22 from the internet.
✑ Only provide permission to connect to the virtual machines when required.
✑ Ensure that administrators use the Azure portal to connect to the virtual machines.
Which two actions should you include in the solution? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Configure Azure VPN Gateway.
B. Enable Just Enough Administration (JEA).
C. Configure Azure Bastion.
D. Enable just-in-time (JIT) VM access.
E. Enable Azure Active Directory (Azure AD) Privileged Identity Management (PIM) roles as virtual machine contributors.
A

C. Configure Azure Bastion.
D. Enable just-in-time (JIT) VM access.

23
Q

Your company plans to move all on-premises virtual machines to Azure.
A network engineer proposes the Azure virtual network design shown in the following table.

Virtual network name | Description                            | Peering connection
Hub VNet             | Linux and Windows virtual machines     | VNet1, VNet2
VNet1                | Windows virtual machines               | Hub VNet
VNet2                | Linux virtual machines                 | Hub VNet
VNet3                | Windows virtual machine scale sets     | VNet4
VNet4                | Linux virtual machine scale sets       | VNet3

You need to recommend an Azure Bastion deployment to provide secure remote access to all the virtual machines.
Based on the virtual network design, how many Azure Bastion subnets are required?

A. 1
B. 2
C. 3
D. 4
E. 5
A

B. 2

24
Q

You are a security administrator for Microsoft 365. You implement Microsoft Defender for Identity.
You have created several test accounts with specific configurations for the purpose of vulnerability testing.
When attackers try to exploit these accounts, you want to be alerted so that you can see which areas of the configuration need improvement.
Which feature in Microsoft Defender for Identity can you use to meet your objective?

A. Sensitivity labels
B. System user tags
C. Confidential label
D. Honeytoken entity tags
A

D. Honeytoken entity tags

25
Q

You have an Azure subscription that has Microsoft Defender for Cloud enabled.
Suspicious authentication activity alerts have been appearing in the Workload protections dashboard.
You need to recommend a solution to evaluate and remediate the alerts by using workflow automation. The solution must minimize development effort.
What should you include in the recommendation?

A. Azure Monitor webhooks
B. Azure Event Hubs
C. Azure Functions apps
D. Azure Logic Apps
A

D. Azure Logic Apps

26
Q

You are in charge of the security operations center team. You recently implemented Microsoft Sentinel. The members of the security operations center team have requested a dashboard with custom views focused on the security alerts that are critical to the security of the Azure and Microsoft 365 environments.
Which feature in Microsoft Sentinel can accomplish this objective?

A. Notebooks
B. Playbooks
C. Workbooks
D. Microsoft Defender for Cloud
A

C. Workbooks

27
Q

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You are evaluating the Azure Security Benchmark V3 report.
In the Secure management ports controls, you discover that you have 0 out of a potential 8 points.
You need to recommend configurations to increase the score of the Secure management ports controls.
Solution: You recommend enabling the VMAccess extension on all virtual machines.
Does this meet the goal?

A. Yes
B. No
A

B. No

28
Q

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You are evaluating the Azure Security Benchmark V3 report.
In the Secure management ports controls, you discover that you have 0 out of a potential 8 points.
You need to recommend configurations to increase the score of the Secure management ports controls.
Solution: You recommend enabling adaptive network hardening.
Does this meet the goal?

A. Yes
B. No
A

A. Yes

29
Q

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You are evaluating the Azure Security Benchmark V3 report.
In the Secure management ports controls, you discover that you have 0 out of a potential 8 points.
You need to recommend configurations to increase the score of the Secure management ports controls.
Solution: You recommend enabling just-in-time (JIT) VM access on all virtual machines.
Does this meet the goal?

A. Yes
B. No
A

A. Yes

30
Q

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You are evaluating the Azure Security Benchmark V3 report.
In the Secure management ports controls, you discover that you have 0 out of a potential 8 points.
You need to recommend configurations to increase the score of the Secure management ports controls.
Solution: You recommend onboarding all virtual machines to Microsoft Defender for Endpoint.
Does this meet the goal?

A. Yes
B. No
A

B. No