Correct Answer:

Box 1: Azure Purview

Microsoft Purview is a unified data governance service that helps you manage and govern your on-premises, multi-cloud, and software-as-a-service (SaaS) data. Microsoft Purview allows you to:

Create a holistic, up-to-date map of your data landscape with automated data discovery, sensitive data classification, and end-to-end data lineage.

Enable data curators to manage and secure your data estate.

Empower data consumers to find valuable, trustworthy data.

Box 2: Microsoft Defender for Cloud

Microsoft Purview provides rich insights into the sensitivity of your data. This makes it valuable to security teams using Microsoft Defender for Cloud to manage the organization's security posture and protect against threats to their workloads.

Data resources remain a popular target for malicious actors, making it crucial for security teams to identify, prioritize, and secure sensitive data resources across their cloud environments. The integration with Microsoft Purview expands

visibility into the data layer, enabling security teams to prioritize resources that contain sensitive data.

References: https://docs.microsoft.com/en-us/azure/purview/overview

https://docs.microsoft.com/en-us/azure/purview/how-to-integrate-with-azure-security-products

Correct Answer:

Box 1: Protected branches

Git workflow

The pull request workflow is designed to introduce healthy friction, which is why it should only be applied to secure specific Git branches. Especially the branches that will trigger automated workflows that can deploy, configure, or in any other

way affect your cloud resources. These branches are called protected branches.

Restrict access to protected branches

The pull request workflow is used together with restricted access controls. The pull request workflow can't be enforced however, unless the server is configured to reject direct changes to protected branches.

A developer can't push directly to the production branch, but instead must create a pull request that targets the protected branch. Each SCM vendor has a different flavor for achieving restricted access to protected branches. For example, with

GitHub this feature is only available for organizations using GitHub team or GitHub Enterprise cloud.

Box 2: Azure Key Vault

Secure your deployment credentials

Pipelines and code repositories should not include hard-coded credentials and secrets. Credentials and secrets should be stored elsewhere and use CI vendor features for security. Because pipelines run as headless agents, they should

never use an individual's password.

Azure Key Vault

If your CI platform supports it, consider storing credentials in a dedicated secret store, for example Azure Key Vault. Credentials are fetched at runtime by the build agent and your attack surface is reduced.

Reference:

https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/secure/best-practices/secure-devops

Correct Answer:

Box 1: Azure AD administrative units

Implement delegated management of users and groups in the Azure AD tenant of Litware, including support for:

* The delegation of user management based on business units

Without Azure AD administrative units, assigning a user to the User Administrator role in Azure AD gives them rights to manage all Azure AD users. With administrative units, the user is delegated the same role, User Administrator, but that role only applies to the specified administrative unit. The administrative unit contains the users and groups that are under the scope of management. Box 2: Enable password hash synchronization in the Azure AD Connect deployment Existing environment: Azure AD Connect is used to implement pass-through authentication. Password hash synchronization

Risk detections like leaked credentials require the presence of password hashes for detection to occur.

Reference: https://4sysops.com/archives/an-introduction-to-azure-ad-administrative-units/

https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#password-hash-synchronization

Correct Answer:

Box 1: Microsoft Defender for servers

Scenario: Notify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.

Defender for Servers is one of the enhanced security features available in Microsoft Defender for Cloud. You can use it to add threat detection and advanced defenses to your Windows and Linux machines that exist in hybrid and multicloud

environments.

Available Defender for Server plans

Defender for Servers offers you a choice between two paid plans.

Both include automatic onboarding for resources in Azure, AWS, GCP.

Plan 1 includes the following benefits:

Automatic onboarding for resources in Azure, AWS, GCP

Microsoft threat and vulnerability management

Flexibility to use Microsoft Defender for Cloud or Microsoft 365 Defender portal

A Microsoft Defender for Endpoint subscription that includes access to alerts, software inventory, Vulnerability Assessment and an automatic integration with Microsoft Defender for Cloud.

Plan 2 includes everything in Plan 1 plus some additional benefits.

Box 2: Microsoft Sentinel

Scenario: AWS Requirements

Fabrikam identifies the following security requirements for the data hosted in ContosoAWS1:

Ensure that the security administrators can query AWS service logs directly from the Azure environment.

Use the Amazon Web Services (AWS) connectors to pull AWS service logs into Microsoft Sentinel.

Note: These connectors work by granting Microsoft Sentinel access to your AWS resource logs. Setting up the connector establishes a trust relationship between Amazon Web Services and Microsoft Sentinel. This is accomplished on AWS

by creating a role that gives permission to Microsoft Sentinel to access your AWS logs.

Reference: https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-introduction

https://docs.microsoft.com/en-us/azure/defender-for-cloud/recommendations-reference-aws

https://docs.microsoft.com/en-us/azure/sentinel/connect-aws

Correct Answer: BC

B and C are the recommended actions to secure the kiosks. Implementing threat and vulnerability management in Microsoft Defender for Endpoint and onboarding the kiosks to Microsoft Intune and Microsoft Defender for Endpoint will help ensure that only authorized applications can run on the kiosks and that the kiosks are regularly hardened against new threats.

Correct Answer: B

DLP policies in Microsoft 365 allow you to identify, monitor, and protect sensitive information, such as PHI, within your organization. You can create DLP policies that identify PHI within stored documents and communications and then set rules to prevent the PHI from being shared outside the company. For example, you can create a DLP policy that blocks emails containing PHI from being sent to external recipients, or that prevents documents containing PHI from being shared outside the organization.

Sensitivity label policies allow you to classify and protect sensitive information, but they do not specifically prevent the information from being shared outside the organization. Insider risk management policies are designed to detect and mitigate risks posed by insider threats, but they are not directly related to preventing the sharing of sensitive information. Retention policies allow you to specify how long certain types of information should be retained, but they do not prevent the sharing of sensitive information.

Correct Answer: CD

Correct Answer: C

Explanation:

Use adaptive application controls to reduce your machines' attack surfaces

Adaptive application controls are an intelligent and automated solution for defining allowlists of known-safe applications for your machines.

When you've enabled and configured adaptive application controls, you'll get security alerts if any application runs other than the ones you've defined as safe.

Incorrect:

Not A: A Cloud Discovery anomaly detection policy enables you to set up and configure continuous monitoring of unusual increases in cloud application usage. Increases in downloaded data, uploaded data, transactions, and users are

considered for each cloud application. Each increase is compared to the normal usage pattern of the application as learned from past usage. The most extreme increases trigger security alerts.

Reference:

https://learn.microsoft.com/en-us/azure/defender-for-cloud/adaptive-application-controls

Correct Answer: A

Explanation:

The vulnerability scanner included with Microsoft Defender for Cloud is powered by Qualys. Qualys' scanner is one of the leading tools for real-time identification of vulnerabilities. It's only available with Microsoft Defender for Servers.

Note: Enable vulnerability scanning with the integrated Qualys scanner

A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Defender for Cloud regularly checks your connected machines to ensure they're running vulnerability assessment tools.

When a machine is found that doesn't have a vulnerability assessment solution deployed, Defender for Cloud generates the security recommendation: Machines should have a vulnerability assessment solution. Use this recommendation to

deploy the vulnerability assessment solution to your Azure virtual machines and your Azure Arc-enabled hybrid machines.

Defender for Cloud includes vulnerability scanning for your machines. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Defender for Cloud.

Reference:

https://learn.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-vm

Correct Answer: B

Requirements. Application Development Requirements

Fabrikam identifies the following requirements for application development:

*

All the application code must be stored in GitHub Enterprise.

*

All application code changes must be scanned for security vulnerabilities, including application code or configuration files that contain secrets in clear text. Scanning must be done at the time the code is pushed to a repository.

A GitHub Advanced Security license provides the following additional features:

Code scanning - Search for potential security vulnerabilities and coding errors in your code.

Secret scanning - Detect secrets, for example keys and tokens, that have been checked into the repository. If push protection is enabled, also detects secrets when they are pushed to your repository.

Dependency review - Show the full impact of changes to dependencies and see details of any vulnerable versions before you merge a pull request.

Security overview - Review the security configuration and alerts for an organization and identify the repositories at greatest risk.

Incorrect:

Not C:

Scenario: Azure DevTest labs will be used by developers for testing.

Azure DevTest Labs is a service for easily creating, using, and managing infrastructure-as-a-service (IaaS) virtual machines (VMs) and platform-as-a-service (PaaS) environments in labs. Labs offer preconfigured bases and artifacts for

creating VMs, and Azure Resource Manager (ARM) templates for creating environments like Azure Web Apps or SharePoint farms.

Lab owners can create preconfigured VMs that have tools and software lab users need. Lab users can claim preconfigured VMs, or create and configure their own VMs and environments. Lab policies and other methods track and control lab

usage and costs.

Reference: https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security