AZ-500 Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel • Complete Question Bank
Complete AZ-500 Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel question bank — all 0 questions with answers and detailed explanations.
{
"properties": {
"displayName": "Deploy Azure Monitor Agent for Windows VMs",
"policyType": "BuiltIn",
"mode": "Indexed",
"parameters": {
"effect": {
"type": "String",
"defaultValue": "DeployIfNotExists",
"allowedValues": [
"DeployIfNotExists",
"AuditIfNotExists",
"Disabled"
]
}
},
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
"then": {
"effect": "[parameters('effect')]"
}
}
}
}
```kusto
SecurityAlert
| where TimeGenerated > ago(7d)
| summarize Count = count() by AlertName, AlertSeverity
| top 10 by Count desc
```
{
"properties": {
"enforcementMode": "Default",
"scope": "/subscriptions/abc123/resourceGroups/RG-Prod",
"notScopes": [
"/subscriptions/abc123/resourceGroups/RG-Prod/providers/Microsoft.Compute/virtualMachines/VM-Sensitive"
]
}
}
Refer to the exhibit.
```json
{
"properties": {
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.encryptionSettings",
"exists": "false"
}
]
},
"then": {
"effect": "AuditIfNotExists",
"details": {
"type": "Microsoft.Compute/virtualMachines/extensions",
"existenceCondition": {
"field": "Microsoft.Compute/virtualMachines/extensions/type",
"equals": "AzureDiskEncryption"
}
}
}
}
}
}
```
Refer to the exhibit.
```kusto
SecurityAlert
| where TimeGenerated > ago(7d)
| where AlertSeverity == "High"
| where AlertName contains "Malware"
| summarize Count = count() by AlertName, CompromisedEntity
| order by Count desc
```
Refer to the exhibit.
```powershell
# Workspace settings, splatted into New-AzOperationalInsightsWorkspace below.
$parameters = @{
ResourceGroupName = 'RG-Security'
Name = 'ws-law'
Sku = @{ name = 'PerGB2018' }   # NOTE(review): -Sku on this cmdlet is documented as a string SKU name; a hashtable here looks like it would fail parameter binding — confirm before running
RetentionInDays = 365           # data retention for the workspace, in days
}
# Create the Log Analytics workspace with the settings above.
New-AzOperationalInsightsWorkspace @parameters
```
Refer to the exhibit.
```bicep
// Defender for Cloud pricing for the 'VirtualMachines' plan (Defender for Servers):
// Standard tier, sub-plan P1.
// NOTE(review): Microsoft.Security/pricings is a subscription-scope resource, while
// resourceGroup().location below implies a resource-group deployment — confirm how
// this file is targeted (targetScope / module) before relying on it.
resource defenderPlan 'Microsoft.Security/pricings@2022-03-01' = {
name: 'VirtualMachines'
properties: {
pricingTier: 'Standard'
subPlan: 'P1'
}
}
// Log Analytics workspace with a 90-day retention, deployed to the resource group's region.
resource workspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' = {
name: 'la-workspace'
location: resourceGroup().location
properties: {
sku: {
name: 'PerGB2018'
}
retentionInDays: 90
}
}
// Marks a workspace as onboarded to Microsoft Sentinel.
// NOTE(review): onboardingStates is an extension resource of a workspace; as written
// there is no `scope: workspace`, so it is unclear which workspace this binds to — confirm.
resource sentinel 'Microsoft.SecurityInsights/onboardingStates@2021-10-01' = {
name: 'default'
properties: {
onboardingState: 'Onboarded'
}
}
```
{"properties":{"displayName":"Audit storage accounts with customer-managed keys","policyType":"BuiltIn","mode":"Indexed","description":"Audits storage accounts that do not use customer-managed keys.","metadata":{"version":"1.0.0","category":"Storage"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Storage/storageAccounts"},"then":{"effect":"audit","details":{"existenceCondition":{"field":"Microsoft.Storage/storageAccounts/encryption.keySource","notEquals":"Microsoft.Keyvault"}}}}}
{"properties":{"displayName":"Deploy Microsoft Defender for Cloud security contacts","policyType":"BuiltIn","mode":"All","description":"Deploys security contact settings for subscriptions.","metadata":{"version":"1.0.0","category":"Security Center"},"parameters":{},"policyRule":{"if":{"field":"type","equals":"Microsoft.Subscription"},"then":{"effect":"deployIfNotExists","details":{"type":"Microsoft.Security/securityContacts","name":"default","existenceCondition":{"field":"Microsoft.Security/securityContacts/email","notEquals":""},"deployment":{"properties":{"template":{"$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","resources":[{"type":"Microsoft.Security/securityContacts","name":"default","properties":{"email":"security@contoso.com","phone":"555-1234","alertNotifications":{"state":"On","minimalSeverity":"High"},"notificationsByRole":{"state":"On","roles":["Owner"]}}}]}}}}}}
SigninLogs
// Only sign-ins from the last 7 days.
| where TimeGenerated > ago(7d)
// Keep sign-ins whose risk level at sign-in time was medium or high.
| where RiskLevelDuringSignIn in ('medium', 'high')
// Country/region is read from the dynamic LocationDetails column.
| extend Country = tostring(LocationDetails.countryOrRegion)
// Drop US sign-ins. Rows with no resolved country ("" after tostring) still pass this filter.
// NOTE(review): the expected geography is hard-coded — confirm against the tenant's footprint before tuning.
| where Country != 'US'
// One row per user and country with the count of risky sign-ins.
| summarize SigninCount = count() by UserPrincipalName, Country
| where SigninCount > 3
Your company, Contoso Ltd., has a hybrid environment with 500 on-premises Windows servers and 200 Azure VMs. The Azure VMs are spread across multiple subscriptions. You need to implement a centralized security monitoring solution using Microsoft Sentinel. The requirements are:
- Collect security events from all on-premises servers.
- Collect Azure activity logs and VM logs from all Azure subscriptions.
- Detect and respond to threats using built-in and custom analytics.
- Automatically remediate common threats such as disabling compromised user accounts.
- Ensure compliance with regulatory standards (e.g., NIST 800-53).
- Minimize administrative overhead and cost.
What should you do?
{
"properties": {
"displayName": "CIS Benchmark v1.1.0",
"description": "CIS Benchmark for Azure",
"metadata": {
"version": "1.0.0",
"category": "Regulatory Compliance"
},
"parameters": {},
"policyDefinitions": [
{
"policyDefinitionReferenceId": "CIS-1.1",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abc123"
}
]
}
}
```kusto
SigninLogs
| where TimeGenerated > ago(1d)
| summarize Attempts = count() by IPAddress
| where Attempts > 10
```
{
"properties": {
"pricingTier": "Standard",
"autoProvision": true
}
}
{
"properties": {
"displayName": "Enable Defender for Cloud on subscription",
"policyType": "BuiltIn",
"mode": "All",
"parameters": {
"effect": {
"type": "String",
"allowedValues": ["DeployIfNotExists", "AuditIfNotExists", "Disabled"],
"defaultValue": "DeployIfNotExists"
}
},
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Subscription"
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.Security/pricings",
"existenceCondition": {
"field": "Microsoft.Security/pricings/pricingTier",
"equals": "Standard"
},
"roleDefinitionIds": ["/providers/Microsoft.Authorization/roleDefinitions/fb1c8498-711b-4c4f-b104-123456789012"],
"deployment": {
"properties": {
"templateLink": {
"uri": "https://raw.githubusercontent.com/.../azuredeploy.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"pricingTier": {
"value": "Standard"
}
}
}
}
}
}
}
}
}
Log Analytics query:
```kusto
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4625
| summarize FailedLogins = count() by Account, IpAddress
| where FailedLogins > 10
| project Account, IpAddress, FailedLogins
```
{
"properties": {
"infrastructureEncryption": "Enabled",
"encryption": {
"keySource": "Microsoft.Keyvault",
"keyvaultProperties": {
"keyUri": "https://myvault.vault.azure.net/keys/mykey/abc123",
"currentVersionedKeyIdentifier": "https://myvault.vault.azure.net/keys/mykey/abc123",
"lastKeyRotationTimestamp": "2025-12-01T00:00:00Z"
}
}
}
}
Refer to the exhibit.
```kusto
// KQL query used in a Microsoft Sentinel scheduled analytics rule
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == "50057" // User account is disabled
| where IPAddress !in (dynamic(["10.0.0.1", "10.0.0.2"]))
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Deploy Vulnerability Assessment solution on SQL managed instances",
"policyType": "Custom",
"description": "Deploys the Azure Defender for SQL vulnerability assessment on SQL Managed Instances",
"parameters": {},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Sql/managedInstances"
},
{
"field": "Microsoft.Sql/managedInstances/vulnerabilityAssessments",
"exists": false
}
]
},
"then": {
"effect": "DeployIfNotExists",
"details": {
"type": "Microsoft.Sql/managedInstances/vulnerabilityAssessments",
"roleDefinitionIds": ["/providers/Microsoft.Authorization/roleDefinitions/bd5e0e0e-0b1a-4f8a-8f0f-9e2e0e0e0e0e"],
"deployment": {
"properties": {
"mode": "incremental",
"template": { ... }
}
}
}
}
}
}
}
```
Refer to the exhibit.
```json
{
"properties": {
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/06be3959-4f3e-4f6a-8a6d-5f5f5f5f5f5f",
"parameters": {},
"scope": "/subscriptions/12345678-1234-1234-1234-123456789012",
"notScopes": []
}
}
```
{
"properties": {
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12345678-1234-1234-1234-123456789012",
"parameters": {
"effect": {
"value": "DeployIfNotExists"
},
"workspaceId": {
"value": "/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/myResourceGroup/providers/Microsoft.OperationalInsights/workspaces/myWorkspace"
}
}
}
}
{
"properties": {
"policyType": "Custom",
"mode": "All",
"displayName": "Ensure sensitive data is encrypted with customer-managed keys",
"policyRule": {
"if": {
"anyOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"field": "type",
"equals": "Microsoft.DocumentDB/databaseAccounts"
}
]
},
"then": {
"effect": "auditIfNotExists",
"details": {
"type": "Microsoft.Storage/storageAccounts/encryption",
"existenceCondition": {
"field": "Microsoft.Storage/storageAccounts/encryption.keySource",
"equals": "Microsoft.Keyvault"
}
}
}
},
"parameters": {}
}
}
{
"properties": {
"displayName": "Deploy Log Analytics agent for Linux VMs",
"policyType": "BuiltIn",
"mode": "Indexed",
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
"then": {
"effect": "deployIfNotExists",
"details": {
"type": "Microsoft.Compute/virtualMachines/extensions",
"existenceCondition": {
"field": "Microsoft.Compute/virtualMachines/extensions/type",
"equals": "OmsAgentForLinux"
},
"deployment": {
"properties": {
"template": { ... },
"parameters": {
"workspaceId": {
"value": "[parameters('workspaceId')]"
}
}
}
}
}
}
},
"parameters": {
"workspaceId": {
"type": "String",
"metadata": {
"displayName": "Log Analytics workspace ID"
}
}
}
}
}
Refer to the exhibit. You are reviewing the following KQL query in Microsoft Sentinel:
```kusto
SecurityAlert
| where TimeGenerated > ago(7d)
| summarize Count = count() by AlertName, Severity
| order by Count desc
```
{
"properties": {
"displayName": "Deploy Log Analytics agent for Linux VMs",
"policyType": "BuiltIn",
"description": "Deploys the Log Analytics agent to Linux virtual machines if the agent is not installed.",
"parameters": {
"workspaceId": {
"type": "String",
"metadata": {
"displayName": "Workspace ID"
}
}
},
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
"then": {
"effect": "deployIfNotExists",
"details": {
"type": "Microsoft.Compute/virtualMachines/extensions",
"existenceCondition": {
"field": "Microsoft.Compute/virtualMachines/extensions/type",
"equals": "OmsAgentForLinux"
},
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "[concat(parameters('vmName'), '/OmsAgent')]",
"type": "Microsoft.Compute/virtualMachines/extensions",
"location": "[parameters('location')]",
"properties": {
"publisher": "Microsoft.EnterpriseCloud.Monitoring",
"type": "OmsAgentForLinux",
"typeHandlerVersion": "1.0",
"settings": {
"workspaceId": "[parameters('workspaceId')]"
}
}
}
]
}
}
}
}
}
}
}
}