Security Governance Flashcards
what are the three major components of the big picture of security architecture beyond cybersecurity? [2.1]
governance, risk, and compliance. governance involves monitoring, auditing, and reporting on security. risk involves identifying, classifying, and mitigating risks (internal, external or unintentional). compliance deals with managing adherence to industry, government, or regulatory requirements
what is azure policy and how does it help in governance? [2.1]
azure policy is a tool for enforcing business rules and assessing compliance with those standards. it allows for the use of both existing microsoft policies and custom policy definitions to ensure compliance with regulatory, cost, or any other required standards. it can also bundle multiple policies into initiatives for large-scale assignment
where can azure policies be applied, and what is recommended for applying them at scale? [2.1]
azure policies can be applied at mgmt groups, subscriptions, resource groups and individual resources. for applying policies at scale, it is recommended to use management groups
what is the relationship between azure policy and azure landing zones? [2.1]
azure policy, when used in conjunction with mgmt groups, is a key building block for azure landing zones, which allow the deployment of secure and scalable azure infrastructure
how does azure policy integrate with ms defender for cloud? [2.1]
azure policy powers large parts of microsoft defender for cloud, enabling security and compliance across cloud resources by enforcing and auditing compliance with security standards
what are the four key times azure policy will be evaluated? [2.1]
- when the policy is first assigned to a scope
- when a resource within the scope is created or updated
- when the policy or initiative itself is updated
- every 24 hours as part of an automatic evaluation cycle
what is the significance of the “effect” property in an azure policy definition? [2.1]
the effect defines what happens when a resource does not meet policy conditions. effects can include deny (blocking changes), append or modify (changing or adding required elements), audit (logging non-compliance), and DeployIfNotExists or Modify (remediation actions)
what is the difference between append and deny effects in azure policy? [2.1]
append allows azure policy to add missing elements, such as required tags, to bring a resource into compliance during deployment. deny blocks the creation or update of a resource if it does not comply, disrupting the workflow
what is remediation in azure policy and how is it achieved? [2.1]
remediation is the process of bringing non-compliant resources into compliance. this can be done manually or automatically through remediation tasks, which use a managed identity to authorize and apply changes defined by deployifnotexists or modify effects
how is authorization for remediation tasks provided in azure policy? [2.1]
authorization for remediation tasks is provided through a managed identity that is associated with the policy assignment. this managed identity can have multiple roles as needed to apply the required changes
what is the basic structure of an azure policy definition? [2.1]
- a display name and description
- a mode (all or indexed)
- parameters for reusability across different scenarios
- rules that define conditions for the policy
- effects that define actions when conditions are met
what roles are required for creating and assigning policies in azure? [2.1]
the least privileged role for creating and assigning policies is the resource policy contributor. other roles that can assign policies include security admin and owner
what happens when a policy blocks an action allowed by azure rbac? [2.1]
azure policy takes precedence over azure rbac. if a policy denies an action that azure rbac allows, the action will be blocked by the policy
what is the difference between exclusions and exemptions in azure policy? [2.1]
exclusions remove resources from policy evaluation, making them invisible to compliance results. exemptions allow non-compliant resources to be excluded from enforcement while still appearing in compliance results with recorded reasons for their exemption
what is the purpose of azure blueprints in deploying secure infrastructures? [2.4]
azure blueprints enable cloud architects to define a repeatable set of azure resources that adhere to required standards and security patterns. they package together components like resource groups, policy assignments, role assignments, and ARM templates. these blueprints simplify the deployment process across multiple environments (e.g. separate subscriptions for different clients) by allowing architects to create a blueprint once and deploy it repeatedly. in scenarios where an organization has predefined security requirements or compliance standards, blueprints ensure every deployment follows these guidelines consistently
explain the lifecycle of a blueprint and the role of versioning in azure blueprints? [2.4]
the lifecycle begins with the creation of a blueprint definition. once defined, the blueprint can be saved to a location in the azure management hierarchy (such as management group or subscription). after the blueprint is created and saved, it is published with a version (e.g. version 1) allowing it to be assigned to a target environment. versioning is critical when changes are needed: architects can update the blueprint, publish a new version, and assign the updated blueprint, deploying modified or additional resources as required. this ensures that infrastructure changes are controlled, tracked and consistent across environments. in practice, this would allow iterative improvements to infrastructure without disrupting existing deployments
what are the components (artifacts) that make up an azure blueprint and why are they important? [2.4]
the main artifacts in a blueprint are resource groups, policy assignments, role assignments, and arm templates. these components define the infrastructure, security policies, and access controls that need to be applied.
- resource groups: organize resources for a clear structure and management
- policy assignments: ensure compliance with security policies (e.g. disabling public blob access)
- role assignments: define who has access to what within the deployment
- arm templates: allow for detailed and customizable resource deployments (e.g. deploying a storage account)
why is the definition location of a blueprint important, and what impact does it have on deployments? [2.4]
the definition location determines where the blueprint is stored and, more importantly, where it can be deployed. for example, if a blueprint is saved to a management group above multiple subscriptions, it can be deployed across those subscriptions. this is particularly useful for organizations managing multiple environments under different subscriptions, such as global businesses with region-specific deployments. by saving a blueprint at a higher level in the management hierarchy, architects ensure they can deploy that blueprint consistently across multiple subscriptions without duplicating effort
what is the role of a managed identity in deploying a blueprint, and why is it essential? [2.4]
a managed identity is required for deploying the resources defined in a blueprint. the managed identity needs to have the necessary privileges to create or modify those resources. when a blueprint is assigned, it uses this identity to execute the deployment process securely. without an appropriate managed identity, the blueprint would not have the necessary permissions to carry out tasks like creating a storage account or enforcing policy assignments, which could cause deployment failures. in scenarios like multi-client environments, ensuring the correct privileges are assigned is key to maintaining secure and compliant deployments
what is a lock in azure blueprints, and how does it differ from resource locks? [2.4]
when assigning a blueprint, you can apply a lock that creates an azure role-based access control deny assignment. this lock restricts changes to the deployed resources, even if a user has administrative permissions. this is different from a standard resource lock, which prevents users from modifying or deleting individual resources. in contrast, a blueprint lock denies all changes, preventing the modification of the entire deployment structure. this feature is particularly valuable when managing environments where strict governance is required, such as in finance or healthcare, where unauthorized changes to infrastructure could lead to compliance violations
how does versioning and assignment of blueprints allow for flexibility in managing azure resources? [2.4]
versioning in blueprints allows for the controlled evolution of infrastructure. if updates or changes are needed, a new version of the blueprint can be created and assigned, ensuring that updates to resources are rolled out in a managed, traceable manner.
what is microsoft defender for cloud used for? [2.5]
service used to secure cloud-based applications and data. it provides protection throughout a workload’s lifecycle, from pre-deployment to post-deployment.
what are the stages of a workload lifecycle in azure? [2.5]
the lifecycle includes pre-deployment (as code or software), deployment (to azure, on-prem, or other clouds), and post-deployment, where users generate and store data
what does infrastructure as code (IaC) refer to in cloud deployment? [2.5]
iac is code that represents infrastructure (e.g. virtual machines, networks) or the code that powers application functions, allowing infrastructure to be managed and provisioned through software
how does microsoft defender for cloud protect workloads before deployment? [2.5]
defender for devops analyzes code pre-deployment, allowing security teams to detect and fix issues before they can affect the environment. this includes infrastructure as code (iac) and other application resources.
what happens if a workload doesn’t start as code? how is it protected post-deployment? [2.5]
for non-code workloads, microsoft defender for cloud provides security recommendations, ensuring that both organizational and government standards are met
what is cloud security posture management (CSPM) in azure? [2.5]
cspm in azure helps manage security compliance and ongoing reporting for workloads, even preventing non-compliant workloads from being deployed. it works across multiple clouds
what are the two levels of protection offered by microsoft defender for cloud? [2.5]
the foundational level, enabled for free, provides continuous assessment and security recommendations. the advanced level, available through the defender cspm plan, offers more features like governance, regulatory compliance, and attack path analysis
what feature does the foundational level of microsoft defender for cloud provide? [2.5]
it includes continuous discovery, assessment against security benchmarks, compliance with the microsoft cloud security benchmark, security recommendations and an overall secure score
what are the key features of the defender CSPM plan? [2.5]
- governance to assign responsibility and deadlines for security tasks
- regulatory compliance dashboards and reports
- cloud security explorer for querying security issues across clouds
- attack path analysis to prioritize security issues with the highest risk
what is the microsoft cloud security benchmark? [2.5]
it’s a set of best practices and recommendations to improve the security of workloads on azure, aws, and google cloud. it integrates controls from the cloud adoption framework, zero trust principles, and regulatory frameworks like pci, cis and nist
how can organizations create custom security initiatives in microsoft defender for cloud? [2.5]
organizations can create custom security initiatives for their unique contractual or legal obligations, and these initiatives are surfaced along with the microsoft cloud security benchmark recommendations in the dashboard
what is the secure score in microsoft defender for cloud? [2.5]
the secure score is a percentage that reflects how compliant your resources are with the recommendations of the microsoft cloud security benchmark. it helps prioritize security improvements
how does microsoft defender for cloud measure compliance? [2.5]
compliance is measured through security policies (which define security controls) and security initiatives (which group policies together). policies are assigned to management groups or subscriptions and measured against the cloud security benchmark
how are security policies and initiatives in microsoft defender for cloud powered? [2.5]
security policies and initiatives in defender for cloud are powered by azure policy definitions. initiatives group multiple policies and can be customized based on organizational or regulatory requirements
what’s required to use the regulatory compliance features in microsoft defender for cloud? [2.5]
to use regulatory compliance features, you need to enable a defender plan. this allows you to track compliance against benchmarks like pci, cis and nist through dashboards and reports
at what levels can security initiatives be applied in microsoft defender for cloud? [2.5]
security initiatives can be applied at the subscription or management group level but not at the resource group or individual resource level
why would you need to create custom security initiatives in microsoft defender for cloud? [2.7]
- to meet unique requirements: industry or regulatory standards not covered by built-in policies like GDPR
- internal organizational policies: ensuring adherence to internal security practices
- contractual obligations: proving compliance to customers to secure contracts and verify adherence to promises about security measures
where can you track compliance with custom security initiatives in microsoft defender for cloud? [2.7]
- regulatory compliance dashboard: view your custom initiatives alongside other regulatory and built-in standards
- recommendations panel: custom initiatives will show up with specific compliance recommendations based on their assigned policies
what are the three key parts of managing custom security initiatives in microsoft defender for cloud? [2.7]
- defining the initiative: requires roles like resource policy contributor, security admin or owner
- assigning the initiative: must assign at the subscription or management group level for defender for cloud to recognize it
- managing compliance: use roles like security reader (view compliance) or contributor (apply fixes)
which azure roles are involved in the creation, assignment, and remediation of custom security initiatives? [2.7]
- resource policy contributor: least-privileged role for creating and designing initiatives
- security admin: can exempt security recommendations and review compliance
- contributor: has permissions to remediate security issues and apply fixes
at which level can you assign custom security initiatives? [2.7]
custom security initiatives must be assigned at the subscription or management group level to be effective. assigning at resource group or individual resource level is not supported
what is the process for creating a custom security initiative in microsoft defender for cloud? [2.7]
go to microsoft defender for cloud > navigate to environment settings > select a management group or subscription > define the initiative, using built-in policies or custom policies > assign the initiative to the appropriate scope (management group or subscription)
why is assigning a higher scope better when defining custom initiatives? [2.7]
assigning an initiative at a higher scope (like the root management group) ensures that the initiative can be applied across all management groups or subscriptions under that scope, maximizing coverage
how can you organize policies within a custom initiative? [2.7]
you can organize policies into controls, which act as groupings within an initiative. parameters allow customization of individual policies or the entire initiative
where can you review compliance status for custom security initiatives once they are applied? [2.7]
the regulatory compliance dashboard or the recommendations panel within microsoft defender for cloud
what is the significance of the resource policy contributor role in custom security initiatives? [2.7]
the least privileged role that can be used to create and design custom security initiatives. it doesn’t have permissions to remediate or apply fixes
what is the key benefit of using custom security initiatives in microsoft defender for cloud? [2.7]
they allow organizations to measure and report on compliance for specific requirements, such as custom regulatory standards (e.g. gdpr) or internal security policies not covered by built-in initiatives
what are the main challenges in securing multi-cloud environments? [2.8]
- workload distribution: workloads are spread across different platforms like AWS, azure, google cloud, and on-prem, making governance and security management more complex
- public endpoints: some workloads have public-facing endpoints, which could be intentionally or unintentionally exposed, increasing security risk
- unknown risks: unintentional exposure through misconfigurations poses significant security risks that are often hard to track without proper tools
what is the purpose of microsoft defender external attack surface management (EASM)? [2.8]
- discovery & mapping: automatically discovers and maps public endpoints of an organization’s infrastructure, identifying external risks
- risk reduction: reduces the risk of exposure by monitoring public-facing assets and mitigating unknown or misconfigured endpoints
- integration: integrates with ms defender for cloud to provide holistic protection across multi-cloud environments
how does microsoft defender for cloud’s cloud security posture management help secure multi-cloud environments? [2.8]
- multi-cloud support: cloud security posture management helps manage security and compliance for workloads on azure, aws, google cloud, github and azure devops
- compliance: it ensures that workloads meet industry compliance standards by running assessments similar to those used for azure
- security posture evaluation: evaluates security posture from the inside out (azure, aws, gcp) by continuously monitoring for vulnerabilities and misconfigurations
what is required to set up microsoft defender for cloud’s cloud security posture management for aws? [2.8]
- azure subscription: you need an azure subscription with defender for cloud enabled
- resource group: a resource group in azure will be used to store the aws connector object
- aws account: you’ll need an aws account or management account with administrative permissions to onboard aws accounts
- deployment: the aws connector can be deployed using cloudformation or terraform to manage the integration
what are the two levels of protection offered by microsoft defender for cloud’s cloud security posture management and how do they differ? [2.8]
foundational cloud security posture management plan:
- provides basic visibility into the security posture of your azure environment
- includes security assessments and security recommendations
- monitors your environment for compliance with security benchmarks (e.g. azure security benchmark)
- focuses on misconfigurations and security hygiene
- alerts you about potential vulnerabilities, but does not include active protection or automation
defender cloud security posture management (advanced):
- builds on foundational cloud security posture management by adding advanced protection capabilities
- includes threat detection with ai-powered analysis and machine learning
- provides automated remediation of security issues (e.g. fixing configuration issues)
- offers asset inventory with more granular insight and cloud workload protection
- monitors azure-native workloads and third-party services running within azure
- proactive defense with advanced security alerts and integration with microsoft sentinel for extended threat detection
what is required to set up microsoft defender for cloud’s cloud security posture management for google cloud? [2.8]
- azure subscription: just like aws, you need an azure subscription with defender for cloud enabled
- resource group: a resource group in azure will be used for the connector object
- gcp project: you’ll need access to a google cloud project or organization with owner privileges
- deployment: the deployment to gcp can be done using gcp cloud shell or terraform
how does microsoft defender external attack surface management help discover an organization’s external attack surface? [2.8]
- seed data: external attack surface management uses an initial seed of data such as domains, hostnames, or ip addresses to discover external assets
- automated discovery: it continuously discovers and maps external assets, even those not directly owned but associated with the organization
- analysis: provides detailed information about discovered assets, including open ports, vulnerabilities, services, and ssl certificates
what steps are involved in reviewing compliance results after setting up cloud security posture management in microsoft defender for cloud? [2.8]
- navigate to environment settings: go to environment settings in defender for cloud
- select standards: select the connected cloud environment (e.g aws or gcp) and review the enabled standards (e.g. aws foundational security best practices, microsoft cloud security benchmark)
- review secure score: check the secure score of the environment and take action on the security recommendations provided
what is the purpose of microsoft defender for cloud workload protection? [2.9]
cloud workload protection provides internal, workload-specific security controls to enhance the protection of your workloads beyond external monitoring. this deeper view allows for recommendations tailored to the specific needs of the workload, improving the overall security posture
which workloads can be protected by microsoft defender for servers? [2.9]
- windows and linux machines in azure, aws, google cloud and on-prem environments
- it integrates with microsoft defender for endpoint to provide features like endpoint detection and response (edr) and other threat protection capabilities
what are the key capabilities of microsoft defender for storage? [2.9]
activity monitoring and virus protection for azure blob storage and azure data lake storage (standard and premium tiers), and sensitive data protection for files
NB: does not support version 1 storage accounts or data in queues or tables
which database services can be protected by microsoft defender for databases? [2.9]
defender for databases protects: azure sql database (including sql managed instance, single database, and elastic pools), ms sql server running on VMs (azure, aws, google cloud, on-prem), open source databases like postgres, mysql, and mariadb (azure paas services), and azure cosmos db (nosql only)
what workloads are covered by microsoft defender for containers? [2.9]
azure kubernetes service (AKS) and azure container registry (ACR), in other clouds it supports amazon eks, aws elastic container registry, google kubernetes engine (gke) and arc-enabled kubernetes workloads on-prem or anywhere else
what are some of the native azure workloads supported by defender for cloud? [2.9]
azure app service, azure key vault, azure dns, azure resource manager, APIs
what are the two plans offered by microsoft defender for servers, and what are the main differences between them? [2.9]
- plan 1: entry-level plan with integration with microsoft defender for endpoint, includes defender for endpoint licenses and automatic provisioning
- plan 2: advanced plan offering additional capabilities such as adaptive application controls (allow listing of safe applications), qualys vulnerability scanner for alternative vulnerability assessment, and file integrity monitoring to detect changes in files/registries that could indicate an attack
what additional requirements are needed to support features in microsoft defender for servers? [2.9]
- log analytics workspace (can be automatically or manually deployed)
- agents deployed to VMs (requirements vary by OS and VM environment)
- supported windows versions include windows server 2008 r2 and up, along with recent linux distributions
what are the two configurations for microsoft defender for sql and how do they differ? [2.9]
- express configuration: supports azure sql database and azure synapse dedicated sql pools. can be enabled at the subscription or server level
- classic configuration: supports azure sql database, azure sql managed instance, and azure synapse analytics. requires a storage account to store vulnerability scans and can be enabled at the subscription, server or database level
how is microsoft defender for open-source relational databases enabled, and which databases are supported? [2.9]
defender for open-source relational databases is enabled at the resource level only. it supports all current azure platform-as-a-service offerings like postgres, mysql, and mariadb. scan results are sent directly to defender for cloud, without needing additional storage
what is the scope of protection for microsoft defender for cosmos db? [2.9]
microsoft defender for cosmos db protects azure cosmos db for nosql databases. other APIs such as mongodb and apache cassandra are not supported
what is the purpose of cloud security posture management? [2.10]
provides security recommendations based on your chosen initiatives. these recommendations are generated when a policy is compared to your resources and finds non-compliant configurations. they help improve your security posture by identifying areas that need remediation or adjustment
what options are available when a security recommendation is generated in microsoft defender for cloud? [2.10]
- disable the policy (if the recommendation will never apply to your business)
- create an exemption (if the recommendation is not relevant, and you want to record why it’s not applicable)
- manually remediate (steps are provided to manually fix the issue)
- quick fix (some recommendations have an automated quick fix option)
- deny or enforce via azure policy (deny prevents future non-compliant resources, while enforce ensures compliance by using a “deploy if not exists” policy)
when should you create an exemption for a recommendation? [2.10]
an exemption is created when a recommendation isn’t applicable to your organization, and you want to record that decision. it can be applied to a resource, subscription or management group, indicating that you either accept the risk or that the risk is mitigated by another security control that defender for cloud may not be aware of
what are the different responses to security alerts in microsoft defender for cloud? [2.10]
- inspect the resource in context (view activity logs related to the alert)
- manual remediation (follow the steps provided to mitigate the threat)
- prevent future attacks (use security recommendations to reduce the attack surface)
- automated response (trigger a logic app to respond to the alert)
- suppress similar alerts (suppress future alerts with similar characteristics if they are false positives or trigger too frequently)
what roles are required to manage security recommendations and alerts in microsoft defender for cloud? [2.10]
- security admin (can update security policies, dismiss alerts, manage suppression rules, and automate responses)
- owner or resource policy contributor (required to create exemptions for resources and recommendations)
- sql security manager (can manage alerts related to sql resources)
- logic app operator (can trigger existing logic apps for automation)
- logic app contributor (can create new logic apps in response to recommendations and alerts)
what is the difference between the ‘deny’ and ‘enforce’ actions in azure policy when managing non-compliant resources? [2.10]
- deny: prevents non-compliant resources from being deployed by blocking the deployment altogether
- enforce: uses the ‘deploy if not exists’ action to automatically bring the resource into compliance during deployment
how can logic apps be used in response to security recommendations or alerts? [2.10]
logic apps can automate responses to recommendations or alerts. for example, you can configure a logic app to automatically apply security controls, such as adding a default nsg to a virtual machine’s subnet to block management ports. workflow automation can be set up to trigger this logic app whenever the same recommendation appears
how can workflow automation be used to automatically remediate security recommendations? [2.10]
allows you to automatically remediate issues by triggering a logic app whenever a recommendation appears. for example, if a recommendation to close management ports is generated, workflow automation can ensure that a logic app is triggered to block the ports automatically, removing the need for manual intervention each time
why is monitoring critical in azure’s modern security architecture? [3.1]
monitoring is essential because traditional security focused solely on preventing breaches, while modern security assumes breaches may occur. this shift emphasizes monitoring to detect, analyze, and respond to threats proactively, helping mitigate potential damage rather than just blocking attacks
how does the concept of “assume breach” affect security monitoring? [3.1]
in an “assume breach” mindset, systems treat all users, workloads and networks as potential threats, whether inside or outside the firewall. this approach requires constant monitoring to identify and manage risks across all areas instead of solely focusing on prevention
what role does data collection play in effective threat response? [3.1]
data collection provides security teams with relevant, up-to-date threat information, enabling them to detect and analyze threats accurately. this centralized monitoring data can then generate actionable alerts and insights for fast, informed responses
what are the primary microsoft tools used for monitoring and security in azure? [3.1]
key tools include microsoft defender for cloud, azure monitor, and microsoft sentinel. each plays a unique role in monitoring, protecting, and analyzing security data within azure
what is a log analytics workspace in azure, and why is it essential for monitoring? [3.1]
a LAW is the central repository where azure stores all monitoring data. services like microsoft sentinel, defender for cloud, and azure monitor rely on this workspace to store, query, and analyze data from various resources for security insights
explain the two types of permissions available for a log analytics workspace [3.1]
workspace context permissions allow users access to all data in the workspace, while resource context permissions restrict based on the resources a user has permissions for, helping provide least-privilege access while maintaining centralized data
what types of monitoring data are commonly collected and stored in azure monitor? [3.1]
azure monitor stores metrics (numerical system data like cpu usage), logs (system events with timestamps), changes (records of changes made), and traces (request paths through services)
describe the purpose of azure monitor workbooks and dashboards? [3.1]
visual tools that help security teams analyze monitoring data, making it easier to interpret and respond to security incidents through data visualization
how does azure monitor collect data from applications and compute workloads? [3.1]
application insights can collect application data using the sdk or codeless solutions. for compute resources like virtual machines and containers, azure monitor agents and data collection rules specify what data to collect
what are the default retention periods for data stored in a log analytics workspace? [3.1]
by default, data in LAW is retained for 31 days at no additional cost. with microsoft sentinel, this increases to 90 days. retention can be extended up to 730 days, with archived data options allowing up to seven years
how can azure ensure compliance with tamper-proof data retention? [3.1]
data in a LAW cannot be modified once ingested, but it can be purged and the workspace itself can be deleted. to meet immutability requirements, export the logs (via data export or a diagnostic setting) to an azure storage account with an immutability policy (time-based retention or legal hold), which makes the blobs undeletable and unmodifiable for the retention period
when might an organization use azure event hubs in conjunction with azure monitor? [3.1]
organizations send monitoring data to azure event hubs (as a diagnostic-setting or data-export destination) so third-party systems such as an external SIEM can consume it in near real time as it flows through the azure monitor pipeline
what advantages does centralizing monitoring data offer to security teams? [3.1]
centralizing data in a single LAW allows teams to analyze it more efficiently, ensuring rapid threat detection, relevant alerting and an overview of security events across the entire azure environment
what is the importance of metrics, logs and change analysis in monitoring? [3.1]
metrics provide real-time state information (e.g. CPU usage), logs track historical events, and change analysis identifies system modifications that might indicate compromise, providing a complete picture for threat analysis
summarize the main benefits of using resource context permissions in log analytics workspaces [3.1]
resource context permissions enable workload teams to access only the data relevant to their resources while maintaining centralized monitoring, supporting security through least privileged access
what is the purpose of a log analytics workspace in azure monitoring? [3.2]
a LAW acts as the central repository for monitoring data in azure. it collects and stores various logs and metrics across resources for analysis and insight
how many log analytics workspaces are recommended and why? [3.2]
it is recommended to have a single log analytics workspace, if feasible, to simplify data management and centralize monitoring. this minimizes administrative overhead and consolidates data for a unified view
what permissions are needed to create a log analytics workspace? [3.2]
to create a LAW, you need either the log analytics contributor role or higher, like the contributor role at the resource group level. the log analytics contributor can configure monitoring settings, install virtual machine extensions for data collection and configure diagnostic settings across resources
what access does the log analytics reader role provide? [3.2]
the log analytics reader role provides read-only access to the LAW, enabling users to view data without making modifications. additionally, some microsoft sentinel roles may include permissions to access the workspace
describe the hierarchy of monitoring data collection in azure [3.2]
top level: azure active directory tenant, where tenant logs can be collected
next level: azure subscriptions, where the activity log (control plane operations across the subscription) is exported through a subscription-level diagnostic setting
bottom levels: resource groups and individual resources, where control plane logs and data plane logs (also called resource logs) are collected
what are the diagnostic settings for an azure ad tenant used for? [3.2]
diagnostic settings for an azure ad tenant allow you to send various logs (e.g., sign-in and audit logs) to a log analytics workspace, storage account, or event hubs for centralized data storage and analysis
how does log collection differ between control plane logs and data plane (resource) logs? [3.2]
control plane logs: record operations that manage azure resources, such as creating or deleting resources and are collected by configuring subscription-level activity logs
data plane (resource) logs: record operations within a specific resource, like reading a blob in a storage account. these require a diagnostic setting on each resource, and for some services on each sub-service, as with the blob, table and queue services inside a storage account
how can logs be configured for different services within a single azure resource, like a storage account? [3.2]
logs for different services (such as blobs, tables and queues in a storage account) can be individually configured by setting diagnostic settings for each service. this allows granular control over which data is collected for each service type within a resource
what is the azure monitor agent, and why is it essential? [3.2]
the azure monitor agent (AMA) collects monitoring data from VMs in azure or other environments. it gathers system and application logs according to data collection rules and is the agent microsoft recommends, replacing the legacy log analytics agent (MMA), which has been retired
how are data collection rules (DCRs) used with the azure monitor agent? [3.2]
data collection rules define which logs and metrics are collected by the azure monitor agent. dcrs can filter and transform data before sending it to a LAW, allowing precise control over the data collected from VMs and other resources
how is application insights used in azure monitoring? [3.2]
application insights collects detailed application logs regardless of the hosting environment (whether on a vm or in a PaaS). it offers deep insights into application performance and behavior by gathering telemetry data from applications
what is a current change in diagnostic settings related to data collection rules in azure? [3.2]
microsoft is moving diagnostic settings onto the data collection rule model. as of now, DCRs are only required for the azure monitor agent (and the logs ingestion api), while diagnostic settings still work independently for platform resources
what are the steps to deploy a log analytics workspace in azure? [3.2]
- search for “log analytics workspace” in the azure portal
- select a subscription, resource group and region
- set a name (e.g. logmgmt) and review settings
- click create and wait for the deployment to complete
how are azure ad logs configured to send to a log analytics workspace? [3.2]
navigate to the azure active directory, select “diagnostic settings” under monitoring, and add a diagnostic setting. choose logs to send (like audit logs) and specify the LAW as the destination
what should be remembered about the log analytics contributor role in azure monitoring? [3.2]
the log analytics contributor role enables users to deploy and configure a LAW and set up monitoring across azure resources. this includes configuring diagnostic settings and virtual machine extensions necessary for log collection
what is required for collecting logs from an on-prem server or a server in another cloud provider? [3.2]
to collect logs from servers outside azure, first connect the server to azure arc so it has an azure resource identity, then install the azure monitor agent on it (as an arc extension). a data collection rule then specifies which logs to collect and which log analytics workspace receives them
what is microsoft sentinel and what are its primary functions? [3.4]
microsoft sentinel is microsoft's cloud-native SIEM and SOAR platform. its primary functions include collecting log data, identifying unusual behaviour in near real time, and helping security teams respond to security events quickly and efficiently. the siem side provides visibility and compliance support, while the soar side prioritizes alerts and automates responses
why is siem important and how does it support cybersecurity efforts? [3.4]
siem collects log data from multiple sources, monitors for unusual behaviour, and enables security teams to respond to events in real time. this visibility helps teams meet compliance requirements and quickly address security incidents, forming a foundational element of security operations
how does soar enhance the capabilities of siem? [3.4]
soar adds organization and prioritization to alerts generated by siem. it can automate responses to security threats, streamlining and speeding up the resolution of critical events, thus reducing response time and minimizing potential impacts on the organization
where does sentinel store the security events it collects? [3.4]
sentinel uses a log analytics workspace as the repository for all security events. event data from various sources is stored in this workspace for analysis. this workspace can be called a sentinel workspace when it is onboarded to sentinel
what data sources can sentinel integrate with to collect security data? [3.4]
sentinel can integrate with sources like microsoft defender for cloud, azure active directory, vm, network services and applications. data connectors are used to link these sources to the log analytics workspace where sentinel can access and analyze them
what are the analytics rules in sentinel, and what is their role in managing security? [3.4]
analytics rules in sentinel detect and manage security threats by grouping alerts into incidents, which helps in logically organizing and prioritizing security events. users can also customise these rules to align with specific security needs
how does sentinel’s soar functionality help automate incident responses? [3.4]
sentinel’s soar capabilities use playbooks, powered by azure logic apps, to create automated workflows for incident response. this automation allows faster handling of incidents and helps maintain efficient security operations
what features does sentinel offer for threat investigation and security hunting? [3.4]
sentinel includes tools for investigating security threats and hunting for potential risks proactively. users can access and configure these tools through the content hub, where various security solutions and community resources are available
how does sentinel support devsecops practices in terms of content management? [3.4]
sentinel integrates with both github and azure devops, allowing organizations to manage and deploy content such as workbooks, analytics rules, and playbooks from a git-based repository. this facilitates automation and consistency in security practices through version control and collaborative content management
what role is needed to manage and install content from sentinel’s content hub? [3.4]
the template spec contributor role or a more privileged role, is required to manage and install content from the content hub in microsoft sentinel
what is the least privileged role that can view microsoft sentinel data and resources? [3.4]
the microsoft sentinel reader role is the least privilege role that grants viewing access to sentinel data and resources
which role is the least privileged that allows managing incidents in sentinel? [3.4]
the microsoft sentinel responder role is the least privileged role capable of managing incidents within sentinel
what permissions does the microsoft sentinel contributor role provide? [3.4]
allows the creation and editing of sentinel resources, including analytics rules and workbooks, making it a more privileged role for users responsible for configuring sentinel
what role is required to create and edit sentinel’s playbooks, and what permissions does it grant? [3.4]
the logic app contributor role is the least privileged role required to create and edit playbooks (playbooks are azure logic apps). for viewing and running playbooks, the microsoft sentinel playbook operator role is needed
what is essential to remember about enabling microsoft sentinel on log analytics workspace? [3.4]
microsoft sentinel must be enabled on a LAW, which serves as the repository for all collected data. data connectors are set up to bring data from various sources into this workspace for sentinel to analyze
how do analytics rules and playbooks function within sentinel’s siem and soar capabilities? [3.4]
analytics rules are used within sentinel’s siem capabilities to detect threats and organize them into incidents. playbooks, powered by azure logic apps, facilitate the soar functionality by automating workflows in response to security incidents, ensuring efficient incident handling
what role is required to manage playbooks, and what role is needed for viewing and executing them? [3.4]
to manage playbooks, users need the logic app contributor role or a more privileged role. for viewing and executing playbooks, the microsoft sentinel playbook operator role is required
why might more experienced security engineers need multiple roles in sentinel? [3.4]
experienced security engineers might need the microsoft sentinel contributor, logic app contributor, and template spec contributor roles together to cover resource creation, playbook automation and content hub management
what is the purpose of data connectors in microsoft sentinel? [3.5]
data connectors in microsoft sentinel allow ingestion of log and event data from various sources, such as applications, network appliances, and other systems, into sentinel for analysis and monitoring.
name some sources from which microsoft sentinel can collect data[3.5]
microsoft sentinel can collect data from services like microsoft defender for cloud, microsoft 365, azure active directory, and third-party services like AWS, as well as network appliances and linux-based machines
what are the main types of data connections used in microsoft sentinel? [3.5]
the main types include direct service-to-service connections (such as microsoft and AWS), syslog format, common event format (cef) and custom connections through rest APIs
how does a service-to-service connection work in sentinel? [3.5]
in a service-to-service connection, data is sent directly from the service (e.g. ms365 or aws) to the sentinel workspace over a microsoft-managed integration, giving near-real-time ingestion without an agent or forwarder
what is the syslog format and which devices commonly use it? [3.5]
syslog is an industry-standard format for logging information, commonly used on linux and network devices. it allows devices to send log data in a consistent structure that can be ingested by systems like microsoft sentinel
what is the common event format (cef) and when is it used? [3.5]
cef (common event format) is an industry-standard log format carried as the message body of a syslog event. it adds a fixed header (version, vendor, product, device version, signature id, name, severity) followed by key=value extensions, so it is more detailed and more consistently structured than free-form syslog. it is typically emitted by security appliances (firewalls, proxies) and linux-based collectors, and sentinel stores it in the CommonSecurityLog table
how does sentinel collect syslog and cef logs from linux-based machines? [3.5]
for linux-based machines, the azure monitor agent is deployed on the machine (or on a forwarder) with a data collection rule. syslog events are written to the Syslog table and cef events to the CommonSecurityLog table of the workspace sentinel is enabled on
why might an organization enable both syslog and cef on the same device? [3.5]
enabling both captures plain syslog events as well as structured cef events. however, a cef event arrives inside a syslog message, so it matches both collections and the same event lands in both the Syslog and CommonSecurityLog tables, doubling ingestion cost. microsoft's guidance is to exclude the facility the device uses for cef from the syslog data collection rule
what is a forwarder, and why is it used in data collection? [3.5]
a forwarder is a linux machine running rsyslog or syslog-ng plus the azure monitor agent: appliances send their syslog or cef stream to it (typically udp or tcp port 514) and the agent ships the events to the workspace. it is used for network appliances such as firewalls, routers or switches where an agent cannot be installed
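the syslog header and the cef header/extension layout described in the last few cards, as an added python example that is not from the flashcards or from microsoft: a small parser for both formats plus a route() helper that imitates a syslog DCR and a cef DCR on the same machine, so the duplicate rows that appear when both are enabled are visible. the regexes, the Contoso/NetGuard sample lines and the route() helper are constructed for illustration; Syslog and CommonSecurityLog are the real sentinel table names.

```python
"""Added example (not from the flashcards or from microsoft): a minimal syslog +
CEF parser and a routing function imitating a syslog DCR and a CEF DCR on one
machine. Sample lines are constructed; the table names are the real ones."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# RFC 3164-style header: <PRI>TIMESTAMP HOST MESSAGE (our regex, not the agent's)
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s(?P<msg>.*)$"
)
# an extension key starts at the beginning of the extension string or after whitespace
_EXT_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")

@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    host: str
    message: str

@dataclass
class CefEvent:
    version: int
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: str
    extensions: dict = field(default_factory=dict)

def parse_syslog(line: str) -> SyslogEvent:
    """PRI = facility * 8 + severity, so split it with shift and mask."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    pri = int(m["pri"])
    return SyslogEvent(pri >> 3, pri & 7, m["ts"], m["host"], m["msg"])

def _split_cef_header(body: str) -> list[str]:
    """Seven pipe-delimited header fields; a literal '|' or '\\' inside a header
    field is backslash-escaped. Returns the 7 fields plus the extension string."""
    fields: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(body) and len(fields) < 7:
        c = body[i]
        if c == "\\" and i + 1 < len(body):      # escaped character
            buf.append(body[i + 1]); i += 2
        elif c == "|":                            # field separator
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(c); i += 1
    if len(fields) < 7:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    fields.append(body[i:])                       # everything after the 7th pipe
    return fields

def _parse_extensions(ext: str) -> dict[str, str]:
    """key=value pairs separated by spaces; values may contain spaces, and a
    literal '=' or '\\' inside a value is backslash-escaped."""
    out: dict[str, str] = {}
    keys = list(_EXT_KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\")
    return out

def parse_cef(message: str) -> CefEvent:
    if not message.startswith("CEF:"):
        raise ValueError("not a CEF message")
    version, vendor, product, dver, sig, name, sev, ext = _split_cef_header(message[4:])
    return CefEvent(int(version), vendor, product, dver, sig, name, sev, _parse_extensions(ext))

def route(line: str, collect_syslog: bool, collect_cef: bool) -> list[tuple[str, object]]:
    """Tables that receive this line: a syslog DCR stores every line in Syslog, a CEF
    DCR stores CEF-formatted lines in CommonSecurityLog. A CEF line matches both."""
    ev = parse_syslog(line)
    rows: list[tuple[str, object]] = []
    if collect_syslog:
        rows.append(("Syslog", ev))
    if collect_cef and ev.message.startswith("CEF:"):
        rows.append(("CommonSecurityLog", parse_cef(ev.message)))
    return rows

# constructed sample lines (not real device output)
SAMPLE_CEF_LINE = (
    "<134>Oct 11 22:14:15 fw01 CEF:0|Contoso|NetGuard|2.1|1001|Outbound connection denied|5|"
    "src=10.0.0.5 dst=203.0.113.9 spt=51515 dpt=443 proto=TCP act=deny msg=policy\\=deny-all hit"
)
SAMPLE_SSH_LINE = (
    "<38>Oct 11 22:14:16 web01 sshd[1201]: Failed password for invalid user admin "
    "from 198.51.100.7 port 4022 ssh2"
)

if __name__ == "__main__":
    for line in (SAMPLE_CEF_LINE, SAMPLE_SSH_LINE):
        for table, event in route(line, collect_syslog=True, collect_cef=True):
            print(table, event)
```

running it shows the firewall line producing two rows (Syslog and CommonSecurityLog) while the sshd line produces one, which is exactly the duplication a syslog DCR that also collects the cef facility causes; a real deployment would drop local0 (facility 16 here) from the syslog DCR.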
how are windows logs collected in microsoft sentinel? [3.5]
windows logs are collected by deploying the azure monitor agent to the windows machine, where data collection rules specify which logs to ingest into sentinel
what is the significance of data collection rules in microsoft sentinel? [3.5]
data collection rules define the specific log data to be collected from windows or linux machines, including the format and log levels. they’re central to setting up custom and targeted log collection
how does microsoft sentinel support custom log collection? [3.5]
custom logs can be collected by deploying the azure monitor agent on a windows or linux machine, then specifying custom paths for data sources like web servers or applications that store logs in non-standard locations
describe how rest apis can be used to ingest data into sentinel [3.5]
rest apis: the logs ingestion api lets a source push logs through a data collection endpoint (DCE) to a data collection rule, which maps them onto a table; alternatively an azure function can pull data from a third-party api and push it in the same way. because your own code sits in the path, it can filter, mask or transform the data before ingestion
what is data transformation and why might it be required in sentinel? [3.5]
data transformation involves modifying data for compatibility or specific use cases before ingestion. this can be done at the source, within an application, or using kusto query language (KQL) before storing the data in sentinel
how does kusto query language (KQL) support data transformation in sentinel? [3.5]
a KQL transformation is defined inside the data collection rule (its transformKql property) and runs on every incoming record, so filtering, masking or reshaping is applied before rows are written to the log analytics workspace, which also keeps unwanted rows from counting towards ingestion cost
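the push path to the logs ingestion api, with filtering and masking done in the application before the data leaves (the "at the source" option in the cards above), as an added python example that is not from the flashcards or from microsoft. the data collection endpoint url, DCR immutable id, stream name (Custom-AppLogs_CL) and bearer token are placeholders the caller supplies, and the records are constructed. the token would come from microsoft entra id for the scope https://monitor.azure.com//.default (for example via azure.identity); that call is left out so the block runs offline.

```python
"""Added example (not from the flashcards or from microsoft): push application
records to the logs ingestion api (DCE + DCR), filtering and masking them in the
application first. DCE url, DCR immutable id, stream name and bearer token are
placeholders supplied by the caller; the sample records are constructed."""
from __future__ import annotations
import gzip
import json
import re
import urllib.request

MAX_BODY_BYTES = 1_000_000   # the api limits one call to 1 MB of uncompressed json
API_VERSION = "2023-01-01"
_EMAIL_RE = re.compile(r"([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

def scrub(record: dict) -> dict | None:
    """Application-side transformation: drop debug noise, redact bearer tokens,
    mask e-mail addresses in free text. Returning None filters the record out."""
    if record.get("level") == "DEBUG":
        return None
    out = dict(record)
    if "authorization" in out:
        out["authorization"] = "REDACTED"
    out["message"] = _EMAIL_RE.sub(lambda m: f"{m.group(1)[0]}***@{m.group(2)}",
                                   out.get("message", ""))
    return out

def prepare(records: list[dict]) -> list[dict]:
    return [r for r in (scrub(x) for x in records) if r is not None]

def batch(records: list[dict], limit: int = MAX_BODY_BYTES) -> list[list[dict]]:
    """Split records into json arrays whose serialized size stays under `limit` bytes."""
    batches: list[list[dict]] = []
    cur: list[dict] = []
    size = 2                                   # the surrounding '[' and ']'
    for r in records:
        enc = len(json.dumps(r, separators=(",", ":")).encode()) + 1   # +1 for the comma
        if enc + 2 > limit:
            raise ValueError("single record exceeds the request size limit")
        if cur and size + enc > limit:
            batches.append(cur)
            cur, size = [], 2
        cur.append(r)
        size += enc
    if cur:
        batches.append(cur)
    return batches

def build_request(dce_url: str, dcr_immutable_id: str, stream: str, token: str,
                  records: list[dict]) -> urllib.request.Request:
    """POST {dce}/dataCollectionRules/{immutableId}/streams/{stream}?api-version=...
    with a gzip-compressed json array; the bearer token is for https://monitor.azure.com//.default."""
    url = (f"{dce_url.rstrip('/')}/dataCollectionRules/{dcr_immutable_id}"
           f"/streams/{stream}?api-version={API_VERSION}")
    body = gzip.compress(json.dumps(records, separators=(",", ":")).encode())
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
        "Content-Encoding": "gzip",
    })

def decode_body(req: urllib.request.Request) -> list[dict]:
    """Inverse of build_request's body encoding, useful for inspecting what would be sent."""
    return json.loads(gzip.decompress(req.data).decode())

def send(req: urllib.request.Request) -> int:
    """Network call; the api answers 204 No Content on success."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status

def ingest(records: list[dict], dce_url: str, dcr_immutable_id: str,
           stream: str, token: str) -> list[int]:
    """scrub -> batch -> one POST per batch; returns the http status of each call."""
    return [send(build_request(dce_url, dcr_immutable_id, stream, token, chunk))
            for chunk in batch(prepare(records))]

# constructed sample records; TimeGenerated is the column every custom table needs
SAMPLE_RECORDS = [
    {"TimeGenerated": "2024-05-01T10:00:00Z", "level": "INFO",
     "message": "login ok for alice@contoso.com", "authorization": "Bearer secret-token-value"},
    {"TimeGenerated": "2024-05-01T10:00:01Z", "level": "DEBUG", "message": "cache hit"},
    {"TimeGenerated": "2024-05-01T10:00:02Z", "level": "WARN",
     "message": "3 failed logins for bob@contoso.com from 198.51.100.7"},
]

if __name__ == "__main__":
    # placeholder endpoint/ids; the request is built but not sent
    req = build_request("https://my-dce.eastus-1.ingest.monitor.azure.com",
                        "dcr-00000000000000000000000000000000", "Custom-AppLogs_CL",
                        "<token>", prepare(SAMPLE_RECORDS))
    print(req.full_url, len(req.data), "bytes gzip", decode_body(req))
```

the DCR's own transformKql still runs on whatever arrives, so the two layers compose: mask secrets here, where the application knows which fields are sensitive, and use the DCR transformation for routing and schema changes that should apply to every sender.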
what is the content hub and how does it aid in data collection for sentinel? [3.5]
the content hub provides solutions for quickly deploying data connectors, analytics rules, playbooks, and other resources in sentinel. it simplifies the setup of data ingestion from various sources
what components might be included in a solution from the content hub? [3.5]
solutions from the content hub often include a combination of data connectors, analytics rules, playbooks, workbooks, and other resources packaged in azure template specs for easy deployment
describe the process of onboarding microsoft sentinel to a log analytics workspace [3.5]
to onboard sentinel, search for sentinel in the azure portal, create a new sentinel instance, and select a log analytics workspace for sentinel to analyze and store data
what is the purpose of installing solutions, like the azure active directory solution, from the content hub in sentinel? [3.5]
solutions like the azure active directory solution bundle analytics, data connectors, playbooks, and workbooks tailored to specific data sources, simplifying their integration into sentinel
how are data collection rules configured for domain controller security events in sentinel? [3.5]
data collection rules for domain controller events are configured by selecting the appropriate resources (e.g. domain controllers), choosing the log level and creating a rule that defines the specific logs to collect
what is syslog and which os commonly uses it? [3.5]
syslog is a standard format for logging used primarily on linux and network devices, allowing these systems to send log data to sentinel
what is cef and which os typically uses this format? [3.5]
common event format (cef) provides structured, detailed log data (a fixed header plus key=value extensions) carried over syslog, and is most often emitted by security appliances and linux-based systems. sentinel stores it in the CommonSecurityLog table for analysis
what is kql and what is its role in sentinel? [3.5]
kusto query language, is used in sentinel to filter, transform or analyze data. it helps customize the data before storing it in the log analytics workspace