Free Microsoft SC-100 Exam Questions (page: 8)

HOTSPOT (Drag and Drop is not supported)

You have an Azure subscription. The subscription contains an Azure SQL database named DB1 that stores customer data.

You have a Microsoft 365 subscription that uses Microsoft SharePoint Online, OneDrive, and Teams.

Users frequently create Microsoft Office documents that contain data from DB1.

You need to recommend a Microsoft Purview solution that meets the following requirements:

Identifies Office documents that contain customer addresses and phone numbers sourced from DB1.

Generates an alert if a user downloads an above average number of files that contain data from DB1.

Minimizes the number of false positives.

What should you include in the solution for each requirement? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:

Box 1: Document fingerprinting
Identifies Office documents that contain customer addresses and phone numbers sourced from DB1

Document fingerprinting is a Microsoft Purview feature that takes a standard form that you provide and creates a sensitive information type (SIT) based on that form. It makes it easier to protect sensitive information by identifying the standard forms that are used throughout your organization.

SITs created from document fingerprinting can be used as a detection method in DLP policies scoped to Exchange, SharePoint, OneDrive, Teams, and Devices.

Note: Document fingerprinting matches the structure of a form template, not the values typed into it. If the answer choices in your version of the question include Exact data match (EDM), that is the closer fit for these requirements: an EDM-based SIT is built from a table of values exported from a database such as DB1, and EDM is designed specifically to reduce false positives compared with pattern-based SITs.

Box 2: Microsoft Purview insider risk management
Generates an alert if a user downloads an above average number of files that contain data from DB1

You can use the Intelligent detections settings in Microsoft Purview Insider Risk Management to boost the score for unusual file download activities by entering a minimum number of daily events.

File activity detection
Use this setting to specify the number of daily events required to boost the risk score for download activity that is unusual for a user. For example, if you enter 25 and a user who downloads 10 files per day on average over the previous 30 days is detected downloading 20 files in one day, the score for that activity is not boosted, even though the volume is unusual for that user, because the 20 files downloaded that day are fewer than the 25-event minimum.

Reference:

https://learn.microsoft.com/en-us/purview/sit-document-fingerprinting
https://learn.microsoft.com/en-us/purview/insider-risk-management-settings-intelligent-detections
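The two conditions in the file activity detection example above (the volume is unusual for the user, and it also reaches the configured minimum) are easy to get backwards when tuning the setting. The following is an added example, not code from this page or from Microsoft, that models them over constructed download events. The 30-day mean baseline and the UNUSUAL_FACTOR multiplier are assumptions, since Microsoft does not publish the anomaly model; the "must also reach the minimum" rule is the documented behaviour.

```python
"""Added example (not from the page or from Microsoft): a simplified model of
the insider risk management "minimum number of daily events" boost, run over
constructed download events.

Assumptions: the user's baseline is the mean daily download count over the
previous 30 days; a day counts as unusual when it exceeds that baseline by
UNUSUAL_FACTOR (an invented threshold, since the real anomaly model is not
published); the boost applies only when the day's count also reaches the
configured minimum, as the Microsoft example states.
"""
from collections import Counter
from datetime import date, timedelta

BASELINE_DAYS = 30
UNUSUAL_FACTOR = 1.5  # assumed multiplier over the baseline; illustrative only


def daily_counts(events):
    """events: iterable of (day, user, file) download records -> per-day Counter."""
    return Counter(day for day, _user, _file in events)


def baseline(counts, day, window=BASELINE_DAYS):
    """Mean downloads per day over the `window` days before `day`; quiet days count as 0."""
    total = sum(counts.get(day - timedelta(days=i), 0) for i in range(1, window + 1))
    return total / window


def evaluate_day(counts, day, min_daily_events):
    """Decide whether the download activity on `day` gets its risk score boosted.

    Both conditions must hold: the volume is unusual for this user, and it
    reaches the admin-configured minimum number of daily events.
    """
    today = counts.get(day, 0)
    base = baseline(counts, day)
    unusual = today > base * UNUSUAL_FACTOR
    boosted = unusual and today >= min_daily_events
    return {"count": today, "baseline": round(base, 2), "unusual": unusual, "boosted": boosted}


def sample_events(user="alice", start=date(2024, 1, 1)):
    """Constructed data: 10 downloads a day for 30 days, then 20 on day 31."""
    events = []
    for i in range(30):
        day = start + timedelta(days=i)
        events += [(day, user, f"report-{i}-{j}.xlsx") for j in range(10)]
    spike = start + timedelta(days=30)
    events += [(spike, user, f"export-{j}.xlsx") for j in range(20)]
    return events, spike


if __name__ == "__main__":
    events, spike = sample_events()
    counts = daily_counts(events)
    for minimum in (25, 15):
        print(f"minimum={minimum}:", evaluate_day(counts, spike, minimum))
```

With the minimum set to 25 the spike day is flagged as unusual but not boosted, exactly as the Microsoft example describes; lowering the minimum to 15 boosts it. Set the minimum with the organisation's real daily volumes in mind, or the setting silently suppresses the anomalies it was meant to surface.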



HOTSPOT (Drag and Drop is not supported)

You have an Azure DevOps organization that is used to manage the development and deployment of internal apps to multiple Azure subscriptions.

You need to implement a DevSecOps strategy based on Microsoft Cloud Adoption Framework for Azure principles. The solution must meet the following requirements:

All pull requests must be enforced.

All deployments to production must be approved.

What should you include in the solution for each requirement? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:

Box 1: Protected branches
All pull requests must be enforced.

From the Cloud Adoption Framework Ready guidance on automation, the platform automation design recommendations include:
Adopt a branching strategy for your team and set branch policies for the branches that you want to protect. With branch policies in place, teams must use pull requests to merge changes into those branches.

Box 2: Triggers
All deployments to production must be approved.

Depending on which branching strategy your team uses, changes to any important branch should trigger deployment to different environments. Once changes are approved and merged into main, the CD process deploys those changes to production. This code management system provides your team with a single source of truth for what is running in each environment.

Note: The approval in the quoted guidance is the pull-request approval that gates the merge into main. In Azure Pipelines, a deployment-time approval on production is configured as an approval check on the production environment, and a trigger only starts the run; check which wording your version of the question uses before discarding Environments for Box 2.

Incorrect:
* Environments

* Resource locks
Only use resource locks strictly to prevent unintended modifications or deletions of critical data. Avoid using resource locks to protect configurations, as resource locks complicate IaC deployments.


Reference:

https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/automation



HOTSPOT (Drag and Drop is not supported)

Your company uses Microsoft Defender for Cloud and Microsoft Sentinel.

The company is designing an application that will have the architecture shown in the following exhibit.



You are designing a logging and auditing solution for the proposed architecture. The solution must meet the following requirements:

Integrate Azure Web Application Firewall (WAF) logs with Microsoft Sentinel.

Use Defender for Cloud to review alerts from the virtual machines.

What should you include in the solution? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:

Box 1: Data connectors
Microsoft Sentinel data connectors are how logs and alerts enter the workspace: the Azure Web Application Firewall (WAF) connector streams WAF logs from Azure Front Door, Application Gateway, and Azure CDN, and the Microsoft Defender for Cloud connector streams Defender security alerts into Microsoft Sentinel.

Connect the WAF and launch a WAF workbook (the connector itself is step 7 below)
The WAF workbook works for all Azure Front Door, Application Gateway, and CDN WAFs. Before connecting the data from these resources, diagnostic logging to Log Analytics must be enabled on each resource.

To enable it, go to each individual Azure Front Door, Application Gateway, or CDN resource:

1. Select Diagnostic settings.
2. Select + Add diagnostic setting.
3. In the Diagnostic setting page, send the WAF log category to the Log Analytics workspace that Microsoft Sentinel uses (remaining details skipped).
4. On the Azure home page, type Microsoft Sentinel in the search bar and select the Microsoft Sentinel resource.
5. Select an already active workspace or create a new workspace.
6. In the left panel, under Configuration, select Data connectors.
7. Search for Azure web application firewall and select Azure web application firewall (WAF). Select Open connector page at the bottom right.
8. Follow the instructions under Configuration for each WAF resource that you want to collect log data from, if you have not done so already.
9. Once you have configured the individual WAF resources, select the Next steps tab and select one of the recommended workbooks. The workbook uses all the WAF log data enabled previously, so a working WAF workbook should now exist for your WAF resources.
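Once the diagnostic setting and connector above are in place, the records that land in the workspace are what an analyst actually works with. The following is an added example, not code from this page or from Microsoft, that parses three constructed records and does a first triage (blocked requests per client and per rule, plus detection-mode matches that would become blocks in prevention mode). Field names follow the documented Application Gateway WAF log schema; the export is modelled as newline-delimited JSON with `properties` already an object, which is a simplification of the raw diagnostic format.

```python
"""Added example, not from the page or from Microsoft: what Application Gateway
WAF records look like once the diagnostic setting and data connector are in
place, and a first triage over them. The records are constructed; their field
names follow the documented ApplicationGatewayFirewallLog schema, and the export
is modelled as newline-delimited JSON with `properties` parsed as an object."""
import json
from collections import Counter

# Constructed sample: two blocked attacks from one client, one detection-mode
# match from another, one access-log record and one junk line to be skipped.
SAMPLE_WAF_LOG = """\
{"category":"ApplicationGatewayFirewallLog","operationName":"ApplicationGatewayFirewall","properties":{"instanceId":"appgw_1","clientIp":"203.0.113.10","requestUri":"/login?user=' OR 1=1--","ruleSetType":"OWASP","ruleSetVersion":"3.2","ruleId":"942100","message":"SQL Injection Attack Detected via libinjection","action":"Blocked","hostname":"www.contoso.example","transactionId":"t1"}}
{"category":"ApplicationGatewayFirewallLog","operationName":"ApplicationGatewayFirewall","properties":{"instanceId":"appgw_1","clientIp":"203.0.113.10","requestUri":"/search?q=<script>alert(1)</script>","ruleSetType":"OWASP","ruleSetVersion":"3.2","ruleId":"941100","message":"XSS Attack Detected via libinjection","action":"Blocked","hostname":"www.contoso.example","transactionId":"t2"}}
{"category":"ApplicationGatewayFirewallLog","operationName":"ApplicationGatewayFirewall","properties":{"instanceId":"appgw_1","clientIp":"198.51.100.7","requestUri":"/api/items?id=5","ruleSetType":"OWASP","ruleSetVersion":"3.2","ruleId":"920300","message":"Request Missing an Accept Header","action":"Matched","hostname":"www.contoso.example","transactionId":"t3"}}
{"category":"ApplicationGatewayAccessLog","operationName":"ApplicationGatewayAccess","properties":{"clientIp":"198.51.100.7","requestUri":"/","httpStatus":200}}
not json at all
"""


def parse_waf_records(text):
    """Parse newline-delimited diagnostic records; keep only WAF-category ones, skip malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a real pipeline would count these for a data-quality alert
        if rec.get("category") != "ApplicationGatewayFirewallLog":
            continue
        records.append(rec["properties"])
    return records


def summarize(records):
    """Blocked counts per client IP and per (ruleId, message), plus detection-mode matches."""
    blocked_by_ip = Counter()
    blocked_by_rule = Counter()
    matched_only = []
    for p in records:
        if p.get("action") == "Blocked":
            blocked_by_ip[p["clientIp"]] += 1
            blocked_by_rule[(p["ruleId"], p["message"])] += 1
        elif p.get("action") == "Matched":
            # "Matched" means the rule fired but the policy is in detection mode
            matched_only.append((p["clientIp"], p["ruleId"], p["requestUri"]))
    return {"blocked_by_ip": blocked_by_ip, "blocked_by_rule": blocked_by_rule, "matched_only": matched_only}


def noisy_clients(summary, threshold=2):
    """Client IPs with at least `threshold` blocked requests: candidates for a Sentinel analytics rule."""
    return sorted(ip for ip, n in summary["blocked_by_ip"].items() if n >= threshold)


if __name__ == "__main__":
    summary = summarize(parse_waf_records(SAMPLE_WAF_LOG))
    print("blocked by client:", dict(summary["blocked_by_ip"]))
    print("blocked by rule:", dict(summary["blocked_by_rule"]))
    print("detection-mode matches:", summary["matched_only"])
    print("noisy clients:", noisy_clients(summary))
```

The same grouping is what the WAF workbook shows out of the box; reproducing it on a sample is a quick way to confirm the diagnostic setting is exporting the right category before building analytics rules on top of the table.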

Box 2: The Azure Diagnostics extension
The Azure Diagnostics extension is an agent in Azure Monitor that collects monitoring data from the guest operating system of Azure compute resources, including virtual machines.

Comparison to the Log Analytics agent
The Log Analytics agent in Azure Monitor can also be used to collect monitoring data from the guest operating system of virtual machines. You can choose to use either or both, depending on your requirements.

The key differences to consider are:

* The Azure Diagnostics extension can be used only with Azure virtual machines. The Log Analytics agent can be used with virtual machines in Azure, in other clouds, and on-premises.

* The Azure Diagnostics extension sends data to Azure Storage, Azure Monitor Metrics (Windows only), and Azure Event Hubs. The Log Analytics agent sends data to Azure Monitor Logs.

* The Log Analytics agent is required for retired solutions, VM insights, and other services such as Microsoft Defender for Cloud.

Note: The Log Analytics agent is a better answer, but that option is not available in this version of the question.

Note: The Log Analytics agent (MMA) itself was retired on 31 August 2024. Defender for Servers no longer depends on it: alerts from virtual machines come through the Microsoft Defender for Endpoint integration and agentless scanning, and any remaining guest log collection uses the Azure Monitor agent. Expect newer versions of this question to reflect that.


Reference:

https://docs.microsoft.com/en-us/azure/web-application-firewall/waf-sentinel https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-data-collection https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview https://learn.microsoft.com/en-us/azure/azure-monitor/agents/diagnostics-extension-overview



HOTSPOT (Drag and Drop is not supported)

You have a Microsoft Entra tenant named contoso.com. You have 30 Azure subscriptions that are linked to contoso.com. The tenant contains the management groups shown in the following table.



You need to design a governance solution to manage access to all the Azure Storage accounts across the subscriptions. The solution must meet the following requirements:

Use custom role-based access control (RBAC) to provide granular access to control plane and data plane operations.
Minimize administrative effort.

At which scope should you assign the roles, and what is the minimum number of assignments per role? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:

Box 1: Mgmt1 and Mgmt2
Scope

Assign the custom roles at the management group level. A role assignment at a management group is inherited by every subscription, resource group, and storage account beneath it, so none of the 30 subscriptions needs an assignment of its own. The table shows two management groups, so each role is assigned once at Mgmt1 and once at Mgmt2.

Box 2: 2
Minimum number of assignments

Note:
Broadest scope:
Management groups sit above subscriptions in the Azure resource hierarchy, so a single assignment can cover many subscriptions.

Inheritance:
Role assignments at the management group level apply to all subscriptions within that group.

Centralized governance:
This allows you to apply policies and RBAC configurations centrally, rather than individually to each subscription.

Organization:
Management groups help organize subscriptions based on business units, teams, or functional areas.

RBAC:
The scope of a role assignment dictates where it applies; the management group level offers a wide scope for granting access.

Custom roles:
You can create custom roles whose assignable scopes include the management groups. A single custom role can grant both control plane operations (Actions, such as reading or configuring the storage account) and data plane operations (DataActions, such as reading blobs), allowing fine-grained access control at a broad scope.
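The reason the minimum is two assignments, not one and not thirty, is scope inheritance: an assignment at Mgmt1 reaches everything under Mgmt1 and nothing under Mgmt2. The following is an added example, not code from this page or from Microsoft, that models that evaluation. The management-group tree, subscription IDs, principal and role name are invented; the operation names are real Azure storage operations, and the permission semantics (Actions/NotActions for the control plane, DataActions/NotDataActions for the data plane, `*` wildcards, assignments inherited down the scope tree) follow Azure RBAC.

```python
"""Added example, not from the page or from Microsoft: a simplified model of
Azure RBAC scope inheritance, to show why one assignment per management group
covers every storage account under it. Hierarchy, IDs, principal and role name
are invented; the permission semantics follow Azure RBAC."""
from fnmatch import fnmatchcase

MG1 = "/providers/Microsoft.Management/managementGroups/Mgmt1"
MG2 = "/providers/Microsoft.Management/managementGroups/Mgmt2"

# Assumed hierarchy: the parent of each scope ("/" stands for the tenant root group).
PARENT = {
    MG1: "/",
    MG2: "/",
    "/subscriptions/sub-a": MG1,
    "/subscriptions/sub-b": MG1,
    "/subscriptions/sub-c": MG2,
}

# Custom role granting control plane (Actions) and data plane (DataActions)
# operations on storage; the operation strings are real Azure operations.
STORAGE_OPERATOR = {
    "Name": "Storage Container Operator (custom, assumed name)",
    "Actions": [
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/*",
    ],
    "NotActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/delete"],
    "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"],
    "NotDataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"],
    "AssignableScopes": [MG1, MG2],
}


def ancestors(scope):
    """Return scope and every scope above it: resource -> resource group -> subscription -> MGs -> root."""
    chain = [scope]
    if scope.startswith("/subscriptions/"):
        parts = scope.split("/")
        sub = "/".join(parts[:3])  # /subscriptions/<id>
        if len(parts) >= 5 and parts[3].lower() == "resourcegroups":
            rg = "/".join(parts[:5])  # /subscriptions/<id>/resourceGroups/<rg>
            if rg != scope:
                chain.append(rg)
        if sub != scope:
            chain.append(sub)
        scope = sub
    while scope in PARENT:
        scope = PARENT[scope]
        chain.append(scope)
    return chain


def _matches(patterns, operation):
    return any(fnmatchcase(operation.lower(), p.lower()) for p in patterns)


def role_permits(role, operation, data_plane):
    """Effective permission = allow list minus deny list, on the matching plane."""
    allow = role["DataActions"] if data_plane else role["Actions"]
    deny = role["NotDataActions"] if data_plane else role["NotActions"]
    return _matches(allow, operation) and not _matches(deny, operation)


def is_allowed(assignments, principal, operation, target_scope, data_plane):
    """assignments: list of (principal, role, scope). An assignment applies when its
    scope is the target or an ancestor of it and the role permits the operation."""
    lineage = ancestors(target_scope)
    for who, role, assigned_at in assignments:
        if who != principal or assigned_at not in lineage:
            continue
        # ARM rejects assignments outside the role's AssignableScopes; mirror that check.
        if not any(a in ancestors(assigned_at) for a in role["AssignableScopes"]):
            continue
        if role_permits(role, operation, data_plane):
            return True
    return False


def demo():
    """One assignment at Mgmt1 reaches st1 under sub-a but not st9 under sub-c; a second at Mgmt2 does."""
    st1 = "/subscriptions/sub-a/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/st1"
    st9 = "/subscriptions/sub-c/resourceGroups/rg9/providers/Microsoft.Storage/storageAccounts/st9"
    containers_write = "Microsoft.Storage/storageAccounts/blobServices/containers/write"
    blobs_read = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
    blobs_delete = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"
    who = "storage-operators"
    assignments = [(who, STORAGE_OPERATOR, MG1)]
    results = {
        "control plane write on st1 (under Mgmt1)": is_allowed(assignments, who, containers_write, st1, False),
        "data plane read on st1": is_allowed(assignments, who, blobs_read, st1, True),
        "data plane delete on st1 (NotDataActions)": is_allowed(assignments, who, blobs_delete, st1, True),
        "data plane read on st9 (under Mgmt2, one assignment)": is_allowed(assignments, who, blobs_read, st9, True),
    }
    assignments.append((who, STORAGE_OPERATOR, MG2))
    results["data plane read on st9 (second assignment at Mgmt2)"] = is_allowed(assignments, who, blobs_read, st9, True)
    return results


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY':5} {check}")
```

The fourth check is the one that answers Box 2: with a single assignment at Mgmt1 the request on st9 is denied, because Mgmt1 is not in st9's scope lineage, so a second assignment at Mgmt2 is needed and no further assignments are. Putting the tenant root group in AssignableScopes and assigning there would cut it to one, but that grants the role to subscriptions outside the two groups and is not what the question asks.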


Reference:

https://learn.microsoft.com/en-us/azure/governance/management-groups/overview



HOTSPOT (Drag and Drop is not supported)

You have an Azure subscription that contains an Azure Kubernetes Service (AKS) cluster named AKS1. AKS1 hosts a Windows node pool named Pool1 and a Linux node pool named Pool2.

You are designing a pool update strategy for AKS1.

You need to recommend how often to replace the operating system images deployed to the nodes. The solution must meet the following requirements:

Minimize how long it takes to apply operating system updates once the updates are released.

Minimize administrative effort.

What should you recommend for each pool? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:

Box 1: Monthly
Pool1 - the Windows node pool

AKS publishes new Windows node images monthly, so a Windows pool cannot be refreshed more often than that.

Box 2: Weekly
Pool2 - the Linux node pool

AKS publishes new Linux node images weekly, so replacing the Linux node images weekly applies OS updates as soon as they ship.

Note: To minimize administrative effort, let AKS apply the new images rather than running manual node image upgrades. Setting the cluster's node OS auto-upgrade channel to NodeImage (az aks update --node-os-upgrade-channel NodeImage) makes AKS roll each new node image out to every pool as it becomes available, which lands on the weekly Linux and monthly Windows cadences above; use a planned maintenance window to control when the rollout happens.

Note: Azure Kubernetes Service patch and upgrade guidance
This section of the Azure Kubernetes Service (AKS) day-2 operations guide describes patching and upgrading strategies for AKS worker nodes and Kubernetes versions. As a cluster operator, you need a plan for keeping your clusters up to date and for monitoring Kubernetes API changes and deprecations over time.

Background and types of updates
There are three types of updates for AKS, and each one builds on the previous update.


Reference:

https://learn.microsoft.com/en-us/azure/architecture/operator-guides/aks/aks-upgrade-practices



HOTSPOT (Drag and Drop is not supported)

You have an Azure subscription that contains multiple apps. The apps are deployed by using continuous integration and continuous delivery (CI/CD) pipelines in Azure DevOps.

You need to integrate static application security testing (SAST) and security smoke testing into the pipelines based on Microsoft Cloud Adoption Framework for Azure principles.

At which stage of the CI/CD process should each type of test be integrated? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:

Box 1: Commit the code
Static application security testing (SAST)

In the Cloud Adoption Framework DevSecOps controls, static application security testing belongs to the "Commit the code" stage: the source is scanned as it is committed, before any build artifact exists, so insecure code is caught at the earliest point it enters the repository.

Box 2: Build and test
Security smoke testing

In DevOps, security smoke testing is a quick, preliminary check of an application's security posture after a new build or code change. It is designed to identify major security flaws early in the pipeline, preventing a build with critical vulnerabilities from being deployed and saving the time that deeper, more comprehensive security testing would otherwise spend on it.


Reference:

https://www.infracloud.io/blogs/implement-devsecops-secure-ci-cd-pipeline/



HOTSPOT (Drag and Drop is not supported)

You have an Azure subscription that contains Azure App Service apps. The apps have the following characteristics:

The apps are deployed by using continuous integration and continuous deployment (CI/CD) pipelines in Azure DevOps.

The apps are deployed to a test environment first, and then to a production environment.

The source code for the apps is stored in Azure Repos.

You plan to implement DevSecOps controls based on the Microsoft Cloud Adoption Framework for Azure.

You need to recommend testing controls to meet the following requirements:

All the source code must be tested for security vulnerabilities in Azure Repos before deploying the apps.

Once the apps are deployed to the test environment, they must be tested for security vulnerabilities.

Which testing method should you recommend for each stage? To answer, select the options in the answer area.

Note: Each correct answer is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Static application security testing (SAST)
Pre-deployment
All the source code must be tested for security vulnerabilities in Azure Repos before deploying the apps.

SAST tools analyze source code or bytecode early in the pipeline to identify security flaws before deployment. They provide deep insight into insecure coding patterns and vulnerabilities by examining code syntax and data flows without executing the program.

DS-4: Integrate static application security testing into the DevOps pipeline
Security principle: Ensure static application security testing (SAST) is part of the gating controls in the CI/CD workflow. The gating can be set based on the testing results to prevent vulnerable packages from being committed into the repository, built into packages, or deployed into production.

Azure guidance: Integrate SAST into your pipeline so the source code can be scanned automatically in your CI/CD workflow. Azure DevOps Pipelines and GitHub can integrate the tools listed in the benchmark and third-party SAST tools into the workflow.
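DS-4 describes SAST as a gating control, and the earlier question places it at the "Commit the code" stage; what that means mechanically is that the scan produces findings and the pipeline step fails on a threshold. The following is an added example, not code from this page, from the Azure Security Benchmark or from any Microsoft product, that wires a deliberately tiny static check to such a gate. A real pipeline runs a full SAST product; the three rules (a hard-coded secret, a shell-spawning call with shell=True, and eval on input) and the sample files are constructed for the illustration.

```python
"""Added example, not from the page or from any Microsoft product: a minimal
static check wired to a pipeline gate, to show mechanically what "SAST as a
gating control" (DS-4) means. The rules and the sample files are constructed."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    severity: str  # "high" or "medium"
    text: str


# (rule id, severity, pattern): a deliberately small, illustrative rule set
RULES = [
    ("hardcoded-secret", "high",
     re.compile(r'(?i)(password|pwd|secret|api[_-]?key)\s*[=:]\s*["\'][^"\']{8,}["\']')),
    ("shell-injection", "high",
     re.compile(r"os\.system\(|subprocess\.\w+\([^)]*shell\s*=\s*True")),
    ("dangerous-eval", "medium", re.compile(r"\beval\(")),
]


def scan_source(path, text):
    """Run every rule over every non-comment line of one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        for rule, severity, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule, severity, stripped))
    return findings


def scan_repo(files):
    """files: {path: source text}. Returns findings in path order."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_source(path, files[path]))
    return findings


def gate(findings, max_high=0, max_medium=2):
    """Pipeline gate: (passed, reason). High findings block outright; mediums are capped."""
    high = sum(f.severity == "high" for f in findings)
    medium = sum(f.severity == "medium" for f in findings)
    if high > max_high:
        return False, f"{high} high-severity finding(s) exceed the limit of {max_high}"
    if medium > max_medium:
        return False, f"{medium} medium-severity finding(s) exceed the limit of {max_medium}"
    return True, "no blocking findings"


def run_gate(files):
    """Scan a repository snapshot and apply the gate; returns (findings, passed, reason)."""
    findings = scan_repo(files)
    passed, reason = gate(findings)
    return findings, passed, reason


# Constructed sample repository as committed: three flaws, one per file.
VULNERABLE_FILES = {
    "app/db.py": 'import os\nDB_PASSWORD = "Sup3rSecret!2024"\n',
    "app/tools.py": "import subprocess\ndef run(cmd):\n    return subprocess.run(cmd, shell=True)\n",
    "app/util.py": "def parse(expr):\n    # eval accepts arbitrary code, not just data\n    return eval(expr)\n",
}

# The same files after remediation: secret from the environment, no shell, no eval.
FIXED_FILES = {
    "app/db.py": 'import os\nDB_PASSWORD = os.environ["DB_PASSWORD"]\n',
    "app/tools.py": "import subprocess\ndef run(args):\n    return subprocess.run(args, shell=False, check=True)\n",
    "app/util.py": "import ast\ndef parse(expr):\n    return ast.literal_eval(expr)\n",
}


if __name__ == "__main__":
    for label, files in (("before", VULNERABLE_FILES), ("after", FIXED_FILES)):
        findings, passed, reason = run_gate(files)
        print(f"[{label}] gate {'PASSED' if passed else 'FAILED'}: {reason}")
        for f in findings:
            print(f"  {f.path}:{f.line} {f.severity} {f.rule}: {f.text}")
```

The gate is the part that matters for DS-4: a scan that only publishes a report does not prevent the vulnerable commit from being built or deployed. In Azure Pipelines the equivalent is a step that exits non-zero when the thresholds are exceeded, combined with a branch policy that requires the build to succeed before the pull request can complete.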

Box 2: Dynamic application security testing (DAST)
Post-deployment to the test environment
Once the apps are deployed to the test environment, they must be tested for security vulnerabilities.

Dynamic application security testing (DAST) analyzes a running web application through its front end to find vulnerabilities by simulating attacks. It evaluates the application from the outside in, exercising it the way a malicious user would; the scanner then looks for responses outside the expected result set and reports them as security vulnerabilities.

DS-5: Integrate dynamic application security testing into the DevOps pipeline
Security principle: Ensure dynamic application security testing (DAST) is part of the gating controls in the CI/CD workflow. The gating can be set based on the testing results to prevent vulnerabilities from being built into the packages or deployed into production.

Azure guidance: Integrate DAST into your pipeline so the runtime application can be tested automatically in the CI/CD workflow set up in Azure DevOps or GitHub. Automated penetration testing (with manually assisted validation) should also be part of DAST.

Azure DevOps Pipelines and GitHub support the integration of third-party DAST tools into the CI/CD workflow.


Incorrect:
* Security smoke testing
In DevOps, security smoke testing refers to a quick, preliminary check of a software application's security posture after a new build or code change. It's designed to identify major security flaws early in the DevOps pipeline, preventing the deployment of a build with critical vulnerabilities and saving time and resources on deeper, more comprehensive security testing.

* Security acceptance testing
In DevOps, Security Acceptance Testing is the process of verifying that a system or application meets established security requirements and standards before it's deployed to a production environment. It's a critical phase that ensures the system is robust enough to withstand potential security threats and prevent data breaches or other security incidents. This testing is often done in a production-like environment to simulate real-world conditions and identify vulnerabilities that could be exploited.


Reference:

https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-devops-security



HOTSPOT (Drag and Drop is not supported)

You have an Azure DevOps organization that is used to manage the development and deployment of internal apps to multiple Azure subscriptions.

You are developing a DevSecOps strategy.

You need to apply DevSecOps controls for the secure code stage and the secure operations stage. The solution must be based on Microsoft Cloud Adoption Framework for Azure principles.

What should you apply for each stage? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:

Box 1: App access controls
Secure code

Building application access controls into the code itself is a recommended practice for the secure code stage of DevSecOps: it prevents unauthorized access to features and sensitive data within the application. Developers define roles, assign permissions based on those roles, enforce strong password policies, and regularly test these controls so that they keep protecting the application's integrity and data throughout the software development life cycle.

Note: In DevSecOps, the secure code stage integrates security practices and automated tools into the coding process to stop vulnerabilities from entering the codebase. Key activities include applying secure coding standards, running static code analysis (SAST) to find flaws, using software composition analysis (SCA) for dependencies, and scanning for secrets to catch hard-coded credentials. The aim is to catch security issues early in the development lifecycle, when they are cheapest to fix.

Box 2: A secure pipeline
Secure operations

A secure pipeline is a core recommendation for the secure operations stage of DevSecOps because it integrates automated security checks throughout the software development lifecycle (SDLC). That automation allows early detection and remediation of vulnerabilities, fosters collaboration between development, operations, and security teams, and helps ensure that secure, high-quality software is delivered faster and more reliably.

Reference:

https://learn.microsoft.com/en-us/azure/devops/organizations/security/about-permissions
https://www.wiz.io/academy/devsecops-pipeline-best-practices


