SC-100 Design security solutions for applications and data • Complete Question Bank
Complete SC-100 Design security solutions for applications and data question bank — all 0 questions with answers and detailed explanations.
{
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Sql/servers/databases"
},
{
"field": "Microsoft.Sql/servers/databases/transparentDataEncryption.status",
"equals": "Disabled"
}
]
},
"then": {
"effect": "modify",
"details": {
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/..."
],
"operations": [
{
"operation": "addOrReplace",
"field": "Microsoft.Sql/servers/databases/transparentDataEncryption.status",
"value": "Enabled"
}
]
}
}
}
}
KQL query: SecurityEvent | where TimeGenerated > ago(7d) | where EventID == 4625 | summarize FailedLogons = count() by Account, Computer | where FailedLogons > 10
{
"properties": {
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
"then": {
"effect": "deny",
"details": {
"field": "Microsoft.Compute/virtualMachines/networkProfile.networkInterfaces[*].id",
"exists": "false"
}
}
}
},
"name": "Deny-VM-Without-NIC"
}
PS C:\> Get-AzKeyVaultSecret -VaultName 'ContosoKeyVault' -Name 'DbPassword' -AsPlainText
Contoso123!
SecurityAlert | where AlertName == "Suspicious process execution" | where TimeGenerated > ago(1h) | project Computer, AlertName, TimeGenerated
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2021-10-01",
"name": "kv-prod-001",
"properties": {
"tenantId": "[subscription().tenantId]",
"sku": {
"family": "A",
"name": "Standard"
},
"enableSoftDelete": true,
"enablePurgeProtection": true,
"networkAcls": {
"defaultAction": "Deny",
"bypass": "AzureServices",
"virtualNetworkRules": [
{
"id": "/subscriptions/.../subnets/backend-subnet"
}
]
},
"accessPolicies": []
}
}
]
}
{
"properties": {
"displayName": "Sensitive Data Protection",
"description": "Labels for sensitive data",
"sensitivityLabels": [
{
"name": "General",
"description": "No special handling",
"color": "gray",
"order": 1,
"enabled": true
},
{
"name": "Confidential",
"description": "Confidential data",
"color": "orange",
"order": 2,
"enabled": true,
"subLabels": [
{
"name": "Financial",
"description": "Financial data",
"color": "red",
"order": 1,
"enabled": true,
"sublabelTooltip": "Financial data requires special handling"
}
]
}
]
}
}
Event: 4625 (Audit Failure)
Account Name: jdoe
Target Account Name: admin
Workstation Name: CLIENT-01
Logon Type: 3 (Network)
Process Name: C:\Windows\System32\svchost.exe
Source Network Address: 192.168.1.100
Failure Reason: Unknown user name or bad password.
{
"properties": {
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
"equals": "false"
}
]
},
"then": {
"effect": "deny"
}
}
}
}
{
"name": "finance-app",
"properties": {
"networkAcls": {
"defaultAction": "Deny",
"ipRules": [],
"virtualNetworkRules": [
{
"id": "/subscriptions/.../subnets/backend-subnet",
"action": "Allow"
}
]
},
"publicNetworkAccess": "Disabled"
}
}
Refer to the exhibit.
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2021-09-01",
"properties": {
"publicAccess": "None",
"immutabilityPolicy": {
"immutabilityPeriodSinceCreationInDays": 30,
"state": "Locked"
},
"defaultEncryptionScope": "$account-encryption-key",
"denyEncryptionScopeOverride": true
}
}
Refer to the exhibit.
KQL Query: SigninLogs | where TimeGenerated > ago(1h) | where ResultType == "50074" | summarize Count = count() by UserPrincipalName
Refer to the exhibit.
Get-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline -ResourceGroupName "RG1" -ServerName "sqlsrv1" -DatabaseName "db1" -RuleId "VA2108" -BaselineName "default"
{
"properties": {
"policyMode": "default",
"rules": [
{
"name": "BlockHighRisk",
"conditions": {
"userRiskLevels": ["high"],
"signInRiskLevels": ["high"]
},
"grantControls": {
"builtInControls": ["block"]
}
},
{
"name": "RequireMFAForMedium",
"conditions": {
"userRiskLevels": ["medium"],
"signInRiskLevels": ["medium"]
},
"grantControls": {
"builtInControls": ["mfa"]
}
}
]
}
}
SELECT TimeGenerated, UserPrincipalName, AppDisplayName, RiskLevelDuringSignIn, RiskLevelAggregated FROM SigninLogs | where TimeGenerated > ago(1d) | where RiskLevelDuringSignIn == "high"
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2021-09-01",
"name": "[concat(parameters('storageAccountName'), '/default/', parameters('containerName'))]",
"properties": {
"publicAccess": "None"
}
}
]
}
{
"Properties": {
"Description": "Policy to audit and restrict storage accounts without encryption",
"Mode": "Indexed",
"Parameters": {
"effect": {
"type": "String",
"defaultValue": "AuditIfNotExists",
"allowedValues": [
"AuditIfNotExists",
"Deny"
]
}
},
"PolicyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.Storage/storageAccounts/blobServices",
"existenceCondition": {
"field": "Microsoft.Storage/storageAccounts/blobServices/encryption.enabled",
"equals": "true"
}
}
}
}
}
}
{
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"/subscriptions/abc/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mi-functions": {}
}
},
"properties": {
"siteConfig": {
"appSettings": [
{
"name": "AzureWebJobsStorage",
"value": "@Microsoft.KeyVault(SecretUri=https://kv-func.vault.azure.net/secrets/storage-connection)"
}
]
}
}
}
{
"alert": {
"id": "8564c5c0-7c8a-4c3a-8f0c-5a9b6e7f8a0b",
"provider": "Azure Active Directory Identity Protection",
"riskEventTypes": ["unfamiliarFeatures", "atypicalTravel"],
"riskLevel": "medium",
"userPrincipalName": "jdoe@contoso.com",
"additionalData": {
"userRiskLevel": "high",
"signInRiskLevel": "medium"
}
}
}
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2023-01-01",
"name": "[concat(parameters('storageAccountName'), '/default/', parameters('containerName'))]",
"properties": {
"publicAccess": "None",
"immutableStorageWithVersioning": {
"enabled": true,
"immutabilityPolicy": {
"allowProtectedAppendWrites": false,
"immutabilityPeriodSinceCreationInDays": 365
}
}
}
}
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"name": "audit-sql-encryption",
"properties": {
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/94f9d178-d4e6-4a96-bc6d-1234567890ab",
"parameters": {},
"scope": "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/prod-rg",
"enforcementMode": "Default"
}
}
Log Analytics query: SecurityEvent | where TimeGenerated > ago(24h) | where AccountType == "User" | summarize FailedLogins = count() by Account, Computer | where FailedLogins > 5
Consider the following Azure Policy definition:
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
"equals": "false"
}
]
},
"then": {
"effect": "deny"
}
}
Consider the following Azure CLI command output for a storage account:
{
"id": "/subscriptions/.../storageAccounts/securestore",
"kind": "StorageV2",
"properties": {
"supportsHttpsTrafficOnly": true,
"encryption": {
"keySource": "Microsoft.Keyvault",
"keyvaultproperties": {
"keyvaulturi": "https://myvault.vault.azure.net/keys/mykey/abc123"
},
"services": {
"blob": {
"enabled": true
},
"file": {
"enabled": true
}
}
},
"networkAcls": {
"defaultAction": "Deny",
"virtualNetworkRules": [
{
"id": "/subscriptions/.../virtualNetworks/vnet1/subnets/subnet1",
"action": "Allow"
}
],
"ipRules": []
}
}
}
Consider the following Kusto Query Language (KQL) query used in Microsoft Sentinel:
SecurityAlert | where TimeGenerated > ago(7d) | where AlertName contains "SQL injection" | project TimeGenerated, AlertName, CompromisedEntity, AlertSeverity
Refer to the exhibit.
{
"properties": {
"displayName": "Block high-risk sign-ins",
"state": "enabled",
"conditions": {
"userRiskLevels": ["high"],
"signInRiskLevels": [],
"clientAppTypes": ["all"],
"locations": {
"includeLocations": ["All"],
"excludeLocations": []
}
},
"grantControls": {
"builtInControls": ["block"],
"termsOfUse": [],
"operator": "OR"
}
}
}
Refer to the exhibit.
Azure CLI output:
{
"id": "/subscriptions/.../providers/Microsoft.Authorization/roleDefinitions/...",
"properties": {
"roleName": "Custom SQL DB Reader",
"description": "Read data from SQL Database",
"type": "customRole",
"permissions": [
{
"actions": ["Microsoft.Sql/servers/databases/read"],
"notActions": [],
"dataActions": ["Microsoft.Sql/servers/databases/data/read"],
"notDataActions": []
}
],
"assignableScopes": ["/subscriptions/..."]
}
}
Refer to the exhibit.
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2023-01-01",
"name": "[concat(parameters('storageAccountName'), '/default/', parameters('containerName'))]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
],
"properties": {
"publicAccess": "None"
}
}
Refer to the exhibit.
{
"properties": {
"publisherEmail": "admin@contoso.com",
"publisherName": "Contoso",
"sku": {
"name": "Developer"
},
"customProperties": {
"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_C256": false,
"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30": false
},
"apiVersionConstraint": "2021-12-01-preview"
}
}
Refer to the exhibit.
```
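# Ensure every resource tagged Confidentiality = High carries a CanNotDelete lock.
#
# Selection: test the value of the 'Confidentiality' tag itself. Checking
# Tags.Keys and Tags.Values as two independent collections would also match a
# resource tagged Confidentiality=Low that happens to carry an unrelated tag
# whose value is 'High'. Resources with no tags at all ($_.Tags is $null) are skipped.
$resources = Get-AzResource | Where-Object {
    $null -ne $_.Tags -and $_.Tags['Confidentiality'] -eq 'High'
}

foreach ($resource in $resources) {
    # Get-AzResourceLock addressed by -ResourceName also needs -ResourceType
    # (a name alone is not unique within a resource group). A resource may carry
    # zero or several locks, so the result is forced to an array before inspection.
    $locks = @(Get-AzResourceLock -ResourceName $resource.Name `
        -ResourceType $resource.ResourceType `
        -ResourceGroupName $resource.ResourceGroupName `
        -ErrorAction SilentlyContinue)

    # NOTE(review): Az.Resources reports the level as Properties.level on the lock
    # object; confirm against the module version in use. A property that does not
    # exist evaluates to $null, which would make "-ne 'CanNotDelete'" always true
    # and re-create the lock on every run.
    $hasDeleteLock = $locks | Where-Object { $_.Properties.level -eq 'CanNotDelete' }

    if (-not $hasDeleteLock) {
        New-AzResourceLock -LockName 'HighConfLock' -LockLevel CanNotDelete `
            -ResourceName $resource.Name `
            -ResourceType $resource.ResourceType `
            -ResourceGroupName $resource.ResourceGroupName -Force
    }
}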
```
Your organization, Contoso Ltd., is a multinational company with 50,000 employees. They use Microsoft 365 E5, Azure, and Microsoft Sentinel. The security team wants to implement a data security solution that meets the following requirements:
1. All sensitive data stored in SharePoint Online and OneDrive for Business must be automatically classified and protected using sensitivity labels.
2. When a user attempts to share a file labeled 'Highly Confidential' with an external user, the action should be blocked and an alert sent to the security team.
3. The solution must detect and prevent data exfiltration from endpoints by monitoring copy/paste and print actions on sensitive data.
4. All data security events must be centralized in Microsoft Sentinel for correlation and investigation.
5. The solution must comply with regulatory requirements that mandate data retention and eDiscovery capabilities.
You need to design the data security solution. Which combination of Microsoft security components should you use?
{
"properties": {
"displayName": "Policy to restrict storage account access",
"policyType": "Custom",
"mode": "All",
"parameters": {
"effect": {
"type": "String",
"allowedValues": [
"Deny",
"Audit",
"Disabled"
],
"defaultValue": "Deny"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
"notEquals": "Deny"
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
}
}
}