nerdexam
Microsoft


AZ-500 Question #276: Real Exam Question with Answer & Explanation


Submitted by chiamaka_o · Mar 6, 2026

Topic: Configure Azure Sentinel to collect data, detect threats, and automate responses, specifically integrating Security Center alerts with incident creation and playbook-driven remediation (SC-200 / AZ-500: Security Operations).

Question

Drag and Drop Question

You have an Azure subscription that contains the following resources:

- A network virtual appliance (NVA) that runs non-Microsoft firewall software and routes all outbound traffic from the virtual machines to the internet
- An Azure function that contains a script to manage the firewall rules of the NVA
- Azure Security Center standard tier enabled for all virtual machines
- An Azure Sentinel workspace
- 30 virtual machines

You need to ensure that when a high-priority alert is generated in Security Center for a virtual machine, an incident is created in Azure Sentinel and then a script is initiated to configure a firewall rule for the NVA.

How should you configure Azure Sentinel to meet the requirements? To answer, drag the appropriate components to the correct requirements. Each component may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Answer (components in the order the requirements are met): a data connector for Security Center to bring the alerts into the workspace; an analytics rule to create incidents from high-priority alerts; a playbook to run the Azure function that configures the NVA firewall rule.

Explanation

The correct sequence is: (1) A data connector for Security Center ingests Security Center alerts into Azure Sentinel, making them available for analysis. (2) An analytics rule evaluates those ingested alerts and creates incidents in Azure Sentinel when high-priority alerts are detected; for alerts that already arrive from a Microsoft security product, the appropriate rule type is the Microsoft incident creation rule, filtered to the Security Center provider and to High severity, rather than a scheduled query rule. (3) A playbook (Logic App) with the Sentinel incident trigger is attached to that rule through an automation rule and automates the response, in this case calling the Azure Function that configures the NVA firewall rule. This three-component chain covers ingestion → incident creation → automated response.

Two practitioner notes. First, the products have since been renamed: Azure Security Center is now Microsoft Defender for Cloud and Azure Sentinel is now Microsoft Sentinel, so the connector appears as "Microsoft Defender for Cloud" in current portals; the design is unchanged. Second, the playbook's call to the function is the privileged step of the chain: it should authenticate to the function (for example with the Logic App's managed identity rather than a function key embedded in the workflow), and the credential the function uses against the NVA should be scoped to rule management only, so that a compromised workflow cannot be turned into a way to reconfigure the appliance more broadly.
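The chain above, modelled end to end as an added example (this is not code from the exam page, from Microsoft, or from any Sentinel SDK). The alert rows are constructed to mimic the shape of the SecurityAlert table that the connector fills (ProductName, AlertSeverity, Entities as a JSON string); the incident-creation rule keeps only Security Center alerts at High severity and ignores duplicate deliveries; the playbook step builds the body it would POST to the NVA function. The request body layout, the `send` callback, the IP addresses and the function route are all assumptions for illustration, not a real API.

```python
"""Added example: connector output -> incident-creation rule -> playbook call.

All records, the request body layout and the function route are constructed
assumptions for illustration; none of it is a real Sentinel or Azure API.
"""
import ipaddress
import json
from dataclasses import dataclass

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def _entities(*items):
    # SecurityAlert.Entities is a JSON string holding an array of entity objects.
    return json.dumps(list(items))


# Constructed sample rows shaped like SecurityAlert table records written by the
# Security Center (Defender for Cloud) connector. Addresses are made up.
SAMPLE_ALERTS = [
    {"SystemAlertId": "alert-0001", "ProductName": "Azure Security Center",
     "AlertSeverity": "High", "AlertName": "Suspicious outbound connection",
     "Entities": _entities({"Type": "host", "HostName": "vm-web-07"},
                           {"Type": "ip", "Address": "10.0.1.7"},
                           {"Type": "ip", "Address": "52.168.1.25"})},
    {"SystemAlertId": "alert-0002", "ProductName": "Azure Security Center",
     "AlertSeverity": "Medium", "AlertName": "Unusual process execution",
     "Entities": _entities({"Type": "host", "HostName": "vm-web-12"},
                           {"Type": "ip", "Address": "10.0.1.12"})},
    {"SystemAlertId": "alert-0003", "ProductName": "Azure Sentinel",
     "AlertSeverity": "High", "AlertName": "Scheduled rule hit",
     "Entities": _entities({"Type": "host", "HostName": "vm-db-01"})},
]
# The connector re-delivering alert-0001 must not produce a second incident.
SAMPLE_ALERTS.append(dict(SAMPLE_ALERTS[0]))


@dataclass
class Incident:
    incident_id: str
    alert_id: str
    severity: str
    title: str
    entities: list


def incident_creation_rule(alerts, product="Azure Security Center", min_severity="High"):
    """Mirror of a Microsoft incident-creation rule: only alerts from `product` at or
    above `min_severity` become incidents, and each SystemAlertId does so once."""
    seen, incidents = set(), []
    for row in alerts:
        if row["ProductName"] != product:
            continue
        if SEVERITY_RANK.get(row["AlertSeverity"], -1) < SEVERITY_RANK[min_severity]:
            continue
        if row["SystemAlertId"] in seen:
            continue
        seen.add(row["SystemAlertId"])
        incidents.append(Incident(
            incident_id=f"inc-{len(incidents) + 1}",
            alert_id=row["SystemAlertId"],
            severity=row["AlertSeverity"],
            title=row["AlertName"],
            entities=json.loads(row["Entities"]),
        ))
    return incidents


def playbook_request(incident):
    """Body the playbook (incident trigger) hands to the NVA function. The layout is an
    assumption; the split of IP entities into the VM's private address versus remote
    public addresses is what the script needs to write an outbound-deny rule."""
    host = next((e["HostName"] for e in incident.entities if e["Type"] == "host"), None)
    private, remote = [], []
    for e in incident.entities:
        if e["Type"] != "ip":
            continue
        try:
            addr = ipaddress.ip_address(e["Address"])
        except ValueError:
            continue  # malformed entity: skip it rather than drop the whole incident
        (private if addr.is_private else remote).append(str(addr))
    return {"incidentId": incident.incident_id, "severity": incident.severity,
            "vmName": host, "sourceIps": private, "remoteIps": remote,
            "action": "deny-outbound"}


def run_chain(alerts, send):
    """Connector -> rule -> playbook. `send(body)` stands in for the Logic App HTTP
    action that calls the function; it is injected so the chain runs offline."""
    sent = []
    for inc in incident_creation_rule(alerts):
        body = playbook_request(inc)
        send(body)
        sent.append(body)
    return sent


if __name__ == "__main__":
    # Hypothetical function route, printed instead of called.
    run_chain(SAMPLE_ALERTS, send=lambda b: print("POST /api/nva-rule", json.dumps(b)))
```

Running it produces exactly one request, for vm-web-07: the Medium alert and the alert from another product are filtered out by the rule, and the duplicate delivery is absorbed by the SystemAlertId check, which is the behaviour a practitioner should verify before wiring a playbook that changes firewall state.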

Topics

#Azure Sentinel · #Security Automation (SOAR) · #Azure Security Center Integration · #Logic Apps / Playbooks
