Exam DP-300
Question 66

You have a new Azure SQL database. The database contains a column that stores confidential information.

You need to track each time values from the column are returned in a query. The tracking information must be stored for 365 days from the date the query was executed.

Which three actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

    Correct Answer: A, D, E

    D: You can apply sensitivity-classification labels persistently to columns by using new metadata attributes that have been added to the SQL Server database engine. This metadata can then be used for advanced, sensitivity-based auditing and protection scenarios.

    A: An important aspect of the information-protection paradigm is the ability to monitor access to sensitive data. Azure SQL Auditing has been enhanced to include a new field in the audit log called data_sensitivity_information. This field logs the sensitivity classifications (labels) of the data that was returned by a query. Here's an example:

    E: Enable Microsoft Defender for Azure SQL Database at the subscription level from Microsoft Defender for Cloud.

    Note: Microsoft Defender for SQL is a unified package for advanced SQL security capabilities. Microsoft Defender for Cloud is available for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics.

    Reference:

    https://docs.microsoft.com/en-us/azure/azure-sql/database/data-discovery-and-classification-overview

    https://docs.microsoft.com/en-us/azure/azure-sql/database/azure-defender-for-sql
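
The column-labelling step from explanation D, as an added T-SQL example (not part of the original page or of the referenced documentation). The table `dbo.Customers`, its columns, and the label values are hypothetical. With auditing enabled, a query like the last one is the kind whose audit record carries the labels in `data_sensitivity_information`.

```sql
-- Added example: dbo.Customers, CustomerId and NationalId are hypothetical names.

-- 1. Label the confidential column. LABEL and INFORMATION_TYPE are free-text
--    values; 'Confidential' and 'National ID' are sample choices.
ADD SENSITIVITY CLASSIFICATION TO dbo.Customers.NationalId
WITH (
    LABEL = 'Confidential',
    INFORMATION_TYPE = 'National ID',
    RANK = HIGH
);

-- 2. Confirm what is classified by joining the catalog view to column metadata.
--    major_id is the table's object_id, minor_id is the column_id.
SELECT
    SCHEMA_NAME(o.schema_id) AS schema_name,
    o.name                   AS table_name,
    c.name                   AS column_name,
    sc.label,
    sc.information_type,
    sc.rank_desc
FROM sys.sensitivity_classifications AS sc
JOIN sys.objects AS o
    ON o.object_id = sc.major_id
JOIN sys.columns AS c
    ON c.object_id = sc.major_id
   AND c.column_id = sc.minor_id
ORDER BY schema_name, table_name, column_name;

-- 3. A query that returns the labelled column. This is the access that the
--    audit log is expected to record together with the column's label.
SELECT CustomerId, NationalId
FROM dbo.Customers
WHERE CustomerId = 42;   -- constructed sample predicate
```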

Discussion
jerkyflexoff (Options: AD)

Compared against the Measure Up practice test, the correct answer is A and D, so it's a two-answer question and E is just the mistake.

fayNik

Current Measure Up practice test correct answers: A. Turn on auditing and write audit logs to Log Analytics. D. Add sensitivity-classification labels to the columns containing sensitive data.

BrenFa101

I agree, I believe the answer is A and D. Azure Cloud Defender is unrelated to auditing.

sca88

I think that the E answer is correct. https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-information-protection-policy?tabs=sqlip-tenant

jddc (Options: ACD)

ACD is the right answer.

jxh5337

Event hub max for 7 days

Itsalwaymethecap (Options: ACD)

If you get option C as below instead of the one which is shown now - Turn on Advanced Data Security for Azure SQL Server - then the answers are ACD. At this moment it's just AD.

bsk1983 (Options: ADE)

C (event hubs) CANNOT be part of the answer because logs are only retained for 7 days, and for premium 90 days, so it would not meet the 365-day log retention from the question. I think AD (E) are the answers.

Oralinux (Options: ACD)

Event Hub is a streaming service and it's pub/sub; you should go with Azure Storage if you want to keep your logs for a long time.

yyc585 (Options: ACD)

To track each time values from a column are returned in a query, you can use the auditing feature in Azure SQL Database. Auditing allows you to track database events and write the audit logs to an Azure Storage account or an Event Hub. To store the audit logs for 365 days from the date the query was executed, you can configure the retention period for the audit logs to 365 days. Therefore, the correct answers are A, C, D. D is not so relevant in terms of retention, but for filtering purposes it helps.

tesen_tolga (Options: ACD)

ACD is the right answer.

scottytohotty (Options: ACD)

ACD, defender seems unrelated

DataSturdy (Options: ACD)

A C D is the right answer

sca88 (Options: ADE)

https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-information-protection-policy?tabs=sqlip-tenant The answer is correct. A, D and E

testdumps2017 (Options: ADE)

ADE. https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-information-protection-policy?tabs=sqlip-tenant - you can create policies that can be exported for this exact purpose.

fede_are (Options: ACD)

Cloud Defender is not related to auditing.

nano0511 (Options: ACD)

A, C response https://learn.microsoft.com/en-us/azure/azure-sql/database/auditing-setup?view=azuresql D https://learn.microsoft.com/en-us/sql/t-sql/statements/add-sensitivity-classification-transact-sql?view=sql-server-ver16

amazonalex

I think answer is correct, as Defender takes advantage of sensitivity classifications in its policies https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-information-protection-policy?tabs=sqlip-tenant

U_C (Options: ADE)

The answer is correct. One of the reasons is: For the Basic pricing tier, the maximum retention period is 1 day, meaning that audit logs will be retained for up to 24 hours. For the Standard and Dedicated pricing tiers, the retention period can be configured to up to 7 days, meaning that audit logs can be retained for up to a week. Answer C doesn't meet the 365 days retention requirement.

OneplusOne (Options: ACD)

Retention period of audit logs is set as part of Auditing service: https://learn.microsoft.com/en-us/azure/azure-sql/database/auditing-overview?view=azuresql https://learn.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditingpolicy?view=azurermps-6.13.0

Chris_toff (Options: ACD)

I think the answer is correct: Azure Defender for Cloud + adding column classification can log access, and writing logs on a storage account can automatically delete older by... https://docs.microsoft.com/en-us/azure/azure-sql/database/auditing-overview?view=azuresql