
Microsoft exam questions

Microsoft Azure Security Engineer Associate (AZ-500) practice test

Use this page to practise for the Microsoft Azure Security Engineer Associate (AZ-500) exam. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.

Practice questions: 300
Topics covered: Mapped
Exam code: AZ-500
Vendor: Microsoft


Practice set

Microsoft Azure Security Engineer Associate AZ-500 questions

Question 1 (hard, multi select)

A SQL workload needs to protect sensitive column values from database administrators who should not see plaintext. Which two features may be relevant depending on the query requirement?

Question 2 (medium, multi select)

A Sentinel detection should enrich alerts with business-critical asset context. Which two mechanisms are appropriate?

Question 3 (medium, multiple choice)

A DevOps team wants Defender for Cloud to identify secrets exposed in GitHub repositories. What should be configured?

Question 4 (hard, multi select)

A public web application should be protected from OWASP-style attacks and network-layer DDoS attacks. Which two Azure services are most relevant?

Question 5 (hard, multiple choice)

A Sentinel scheduled rule runs every 5 minutes and looks back 1 hour. Analysts see repeated alerts for the same event. Which change best prevents duplicate detections without missing late-arriving logs?

Question 6 (hard, multiple choice)

A Sentinel watchlist contains high-value administrator accounts. Which KQL pattern best uses it in a detection rule?

Question 7 (hard, multiple choice)

A SOC analyst needs a Sentinel query that detects multiple failed sign-ins followed by a successful sign-in for the same user. Which table is the best primary source?

Question 8 (hard, multiple choice)

A SOC wants a Sentinel rule to include account, host, and IP entities so analysts can pivot during investigation. What should be configured in the analytics rule?

Question 9 (medium, multiple choice)

A storage account contains legal evidence that must not be modified or deleted for seven years. Which feature should be configured?

Question 10 (hard, multi select)

A storage account contains regulated records. Which two features help protect against accidental or malicious deletion?

Question 11 (medium, multiple choice)

A storage account should be reachable only from a specific subnet over the Microsoft backbone, while keeping the public endpoint firewall restricted. Which feature should be used?

Question 12 (medium, multi select)

A team enables Microsoft Defender for Storage. Which two threats can the plan help detect?

Question 13 (medium, multiple choice)

A team wants Sentinel incidents to automatically assign to the Tier 2 queue when severity is High and the product name is Microsoft Defender for Endpoint. What should they configure?

Question 14 (hard, multiple choice)

A team wants Sentinel to ingest firewall logs from an appliance that emits Common Event Format over Syslog. Which connector pattern is most appropriate?

Question 15 (medium, multiple choice)

A team wants to automatically deploy Defender for Cloud settings across new subscriptions under a management group. Which Azure capability should they use?

Question 16 (hard, multi select)

A team wants to deploy Sentinel content consistently across workspaces. Which two approaches are appropriate?

Question 17 (medium, multiple choice)

An organization wants to export Defender for Cloud recommendations and alerts into a central Log Analytics workspace for retention and hunting. Which feature should they use?

Question 18 (medium, multiple choice)

A security team uses Microsoft Defender for Cloud. They want to ensure that all Azure virtual machines have the guest configuration extension installed to apply a security baseline automatically. They need to remediate non-compliant VMs without manual intervention. Which Defender for Cloud feature should be configured?

Question 19 (medium, multiple choice)

A cloud security team wants Defender for Cloud to assess AWS accounts and GCP projects from the same portal used for Azure posture management. What should they configure?

Question 20 (easy, multiple choice)

A company deploys a public-facing web application behind Azure Application Gateway. They want to enable the Web Application Firewall (WAF) to protect against SQL injection and cross-site scripting attacks. During the initial testing phase, they want to identify malicious requests without blocking them, to tune the WAF rules before enabling full protection. Which WAF mode should they configure?

Question 21 (medium, multiple choice)

A company deploys a web application on Azure VMs behind an Azure Load Balancer (Standard SKU). They want to protect the application from common web attacks like SQL injection and cross-site scripting. Which Azure service should they enable?

Question 22 (medium, multiple choice)

A company deploys Azure Firewall in a hub VNet to inspect all outbound traffic from a spoke VNet. They enable VNet peering between the hub and spoke. They create a route table with a default route (0.0.0.0/0) pointing to the firewall's private IP as the next hop, and associate it with the spoke subnets. However, outbound traffic from the spoke subnets is still going directly to the internet, bypassing the firewall. What is the most likely cause?

Question 23 (easy, multiple choice)

A company deploys Azure Firewall to inspect and control outbound traffic from a virtual network. The security team wants to allow outbound HTTPS traffic only to specific FQDNs such as *.microsoft.com and *.windowsupdate.com, while blocking all other outbound internet access. Which type of rule should they configure in Azure Firewall to achieve this filtering?

Question 24 (easy, multiple choice)

A company deploys Azure virtual machines in a virtual network. A security policy requires that only Remote Desktop Protocol (RDP) traffic from the corporate VPN's public IP address (203.0.113.0/26) is allowed. All other inbound RDP traffic must be denied. Which configuration should be applied to the network security group (NSG) associated with the VM subnet?

Exam question guide

How to use these AZ-500 questions

Use these questions as active recall, not passive reading. Try the question first, review the answer choices, then open the explanation and connect the result back to the exam topic.

Quick answer

Routing questions usually test route selection (administrative distance, metric), how static routes are configured and when they are preferred over dynamic routing.

Administrative distance comparing routing sources.

Static route configuration: next-hop vs exit interface.

Default route propagation and the gateway of last resort.

Recursive routing table lookups.
