
AZ-801 Question #177: Real Exam Question with Answer & Explanation

This question tests your knowledge of the end-to-end setup required to stream Windows Security Events from an Azure Arc-enabled on-premises server into Microsoft Sentinel using the Azure Monitor Agent (AMA) data connector.

Secure Windows Server on-premises and hybrid infrastructures

Question

Drag and Drop Question. You have an on-premises server named Server1 that runs Windows Server. You have an Azure subscription. You create a Microsoft Sentinel workspace named Workspace1. You need to ensure that Workspace1 can collect events from Server1 by using the Windows Security Events via AMA data connector. You add Server1 to Azure Arc. Which actions should you perform next in sequence? To answer, drag the appropriate actions to the correct order. Each action may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Explanation


Approach. After enrolling Server1 in Azure Arc (which gives Azure a management plane over the on-premises machine), the remaining steps follow a fixed dependency chain: (1) Install the Azure Monitor Agent (AMA) on Server1 - because Azure Arc-enabled servers support AMA as a VM extension, this replaces the legacy MMA/OMS agent and is required by the 'Windows Security Events via AMA' connector. (2) Create a Data Collection Rule (DCR) in Azure Monitor - a DCR defines WHAT events to collect (e.g., All Security Events, Common, or Minimal) and WHERE to send them (Workspace1). (3) Associate the DCR with Server1 - this final binding tells the AMA on Server1 to follow the DCR's instructions and forward matching events to Workspace1. Without the DCR association, the agent has no instructions; without the AMA, the DCR has nothing to execute on the server.
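The three steps after Arc enrollment, carried out with Azure CLI from a PowerShell session. This is an added illustration, not part of the question or of Microsoft's documentation; the resource group, region, subscription id, DCR name and association name are assumed placeholders, and the xPath filter is one common choice for the Security log.

```powershell
# Added example: AMA install -> DCR create -> DCR association, in that dependency order.
# Assumed placeholders (not from the question): resource group, region, subscription id, DCR name.
$rg      = "rg-hybrid"            # assumed: resource group containing the Arc machine and Workspace1
$loc     = "eastus"               # assumed: Azure region
$subId   = "<subscription-id>"    # placeholder
$dcrName = "dcr-security-events"  # assumed DCR name

# Step 1: install the Azure Monitor Agent on Server1 as an Azure Arc VM extension.
az connectedmachine extension create `
    --resource-group $rg --machine-name "Server1" --location $loc `
    --name "AzureMonitorWindowsAgent" `
    --publisher "Microsoft.Azure.Monitor" --type "AzureMonitorWindowsAgent"

# Step 2: create the DCR. WHAT to collect: Security log events carrying the Audit Success /
# Audit Failure keywords, on the Microsoft-SecurityEvent stream ("Security!*" would take everything).
# WHERE to send them: Workspace1 as the Log Analytics destination.
$workspaceId = az monitor log-analytics workspace show `
    --resource-group $rg --workspace-name "Workspace1" --query id -o tsv

$dcr = @{
    location   = $loc
    properties = @{
        dataSources = @{
            windowsEventLogs = @(@{
                name         = "securityEvents"
                streams      = @("Microsoft-SecurityEvent")
                xPathQueries = @("Security!*[System[(band(Keywords,13510798882111488))]]")
            })
        }
        destinations = @{
            logAnalytics = @(@{ name = "Workspace1"; workspaceResourceId = $workspaceId })
        }
        dataFlows = @(@{ streams = @("Microsoft-SecurityEvent"); destinations = @("Workspace1") })
    }
}
$dcr | ConvertTo-Json -Depth 10 | Set-Content -Path ".\dcr.json" -Encoding utf8

$dcrId = az monitor data-collection rule create `
    --resource-group $rg --name $dcrName --location $loc --rule-file ".\dcr.json" `
    --query id -o tsv

# Step 3: bind the DCR to the Arc-enabled machine. Only now does the AMA on Server1 have
# instructions; without this association nothing is forwarded to Workspace1.
$machineId = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.HybridCompute/machines/Server1"
az monitor data-collection rule association create `
    --name "server1-security-events" --resource $machineId --rule-id $dcrId
```

After the association is created, verify ingestion in Workspace1 with a query against the SecurityEvent table where Computer equals Server1.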

Concept tested. Configuring the Windows Security Events via AMA data connector in Microsoft Sentinel for Azure Arc-enabled on-premises servers - specifically the ordered dependency between Azure Arc enrollment, AMA installation, DCR creation, and DCR-to-resource association.

Reference. Microsoft Learn: "Connect Windows servers to Microsoft Sentinel using the AMA" - docs.microsoft.com/azure/sentinel/data-connectors/windows-security-events

Topics

Azure Sentinel, Azure Monitor Agent, Azure Arc, Security Event Collection
