Exam SC-100 All QuestionsBrowse all questions from this exam
Go to Exam
Question 81

A customer is deploying Docker images to 10 Azure Kubernetes Service (AKS) resources across four Azure subscriptions.

You are evaluating the security posture of the customer.

You discover that the AKS resources are excluded from the secure score recommendations.

You need to produce accurate recommendations and update the secure score.

Which two actions should you recommend in Microsoft Defender for Cloud? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

    Correct Answer: A, B

    BD

    D: How are regulatory compliance standards represented in Defender for Cloud?

    Industry standards, regulatory standards, and benchmarks are represented in Defender for Cloud's regulatory compliance dashboard. Each standard is an initiative defined in Azure Policy.

    To see compliance data mapped as assessments in your dashboard, add a compliance standard to your management group or subscription from within the

    Security policy page.

    When you've assigned a standard or benchmark to your selected scope, the standard appears in your regulatory compliance dashboard with all associated compliance data mapped as assessments.

    B: Configure Defender for Containers components

    If you disabled any of the default protections when you enabled Microsoft Defender for Containers, you can change the configurations and reenable them via auto provisioning.

    1. To configure the Defender for Containers components:

    2. Sign in to the Azure portal.

    3. Navigate to Microsoft Defender for Cloud > Environment settings.

    4. Select the relevant subscription.

    5. From the left side tool bar, select Auto provisioning.

    6. Ensure that Microsoft Defenders for Containers components (preview) is toggled to On.

    Incorrect:

    Not A: When you enable Microsoft Defender for Containers, Azure Kubernetes Service clusters, and Azure Arc enabled Kubernetes clusters (Preview) protection are both enabled by default.

    To upgrade to Microsoft Defender for Containers, open the Defender plans page in the portal and enable the new plan:

    Not C: No need for automation.

    Note: Automate responses to Microsoft Defender for Cloud triggers.

    Every security program includes multiple workflows for incident response. These processes might include notifying relevant stakeholders, launching a change management process, and applying specific remediation steps. Security experts recommend that you automate as many steps of those procedures as you can.

    Automation reduces overhead. It can also improve your security by ensuring the process steps are done quickly, consistently, and according to your predefined requirements.

    Reference:

    https://docs.microsoft.com/en-us/azure/defender-for-cloud/update-regulatory-compliance-packages https://docs.microsoft.com/en-us/azure/defender-for-cloud/workflow-automation

Discussion
Alex_BurlachenkoOptions: AB

I would select A and B

foxtrottOptions: AB

I like A and B for this one - enable the defender for containers plan - then ensure it deploys to your container resources with auto provision.

GuruleeOptions: AB

Since AKS was observed as excluded, it needs to be re-enabled and auto provisioned.

Fal991lOptions: AE

The two actions that should be recommended in Microsoft Defender for Cloud to produce accurate recommendations and update the secure score are: A. Enable Defender plans: Enabling Defender plans for Azure Kubernetes Service will enable the Defender for Kubernetes solution to collect and analyze security events and provide recommendations for improving the security posture of the AKS resources. Defender for Kubernetes integrates with Azure Security Center and Azure Monitor to provide a unified view of security posture and insights. E. Review the inventory: Reviewing the inventory in Microsoft Defender for Cloud will enable you to identify all the AKS resources and Docker images deployed across the four Azure subscriptions. This will help you assess the security posture of the resources, identify potential vulnerabilities and misconfigurations, and prioritize remediation actions.

Fal991l

Option B (Configure auto provisioning), option C (Add a workflow automation), and option D (Assign regulatory compliance policies) are not directly related to addressing the issue of excluded AKS resources from secure score recommendations. These options may be helpful in other scenarios, such as automating remediation actions or ensuring compliance with specific regulations. However, for the given scenario, enabling Defender plans and reviewing the inventory are the most relevant actions.

Fal991l

That's from ChatGPT. Does it sound interesting?

awssecuritynewbieOptions: AB

A and B for sure! I have tested it in the lab trust me

zellckOptions: AB

AB is the answer. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-enable

zellck

A streamlined, frictionless, process lets you use the Azure portal pages to enable the Defender for Cloud plan and setup auto provisioning of all the necessary components for defending your Kubernetes clusters at scale.

sbnpjOptions: AB

I would go with A&B

ArioOptions: AE

By enabling Defender plans and reviewing the inventory, you can ensure that the AKS resources are properly evaluated, and their security posture is reflected in the secure score.

MS_ExamsRuleOptions: AB

Although by default Enabling the Defender plan also configures auto-provisioning, to align with CAF you would then configure auto-provisioning to use a centralised rather than the default log analytics workspace. So its A&B

Jonny_CageOptions: AD

To produce accurate recommendations and update the secure score for AKS resources in Microsoft Defender for Cloud, you should: A. Enable Defender plans: This will ensure that the AKS resources are being monitored by Microsoft Defender for Cloud, which will include them in the secure score recommendations. D. Assign regulatory compliance policies: This will apply the necessary compliance controls against the AKS resources, which can help in identifying security configurations that are not in compliance with the required standards, thus affecting the secure score.

alifrancosOptions: AD

For me it's A & D, it's simple, first you should active the Defender Plan, and microsoft say that auto provisioned id activated by default, so, we cannot shoose it because it's given by microsoft, and for the secure score, we should have policy defenition assigned, else we will not increase secure score

TictactoeOptions: AE

AE CORRECT

josh_joshOptions: AE

The correct answer is A and E. No one can counter this statement. prove me wrong

ChaBum

so, you're guessing!

orreryOptions: AD

I would select A and D. Enable Defender plans: By enabling Defender plans in Microsoft Defender for Cloud, you can provide security assessments and recommendations for all resources, including AKS resources. Assign regulatory compliance policies: By assigning regulatory compliance policies, AKS resources will be evaluated according to security standards and reflected in the Secure Score. B is for setting up automatic provisioning of resources and is not directly involved in updating the Secure Score. E also is not directly involved in updating the Secure Score.

JHJ44Options: AE

Enable Defender Plans: Enable Defender plans for your AKS resources. Defender plans provide security recommendations and insights specific to the services you use. By enabling Defender plans, you ensure that AKS is included in the secure score calculations. Points: 1 Review the Inventory: Ensure that all AKS resources are correctly identified and included in your inventory. Review the list of resources to verify their inclusion. Any missing resources should be added to the inventory. Points: 1

vitodobraOptions: AE

Para producir recomendaciones precisas y actualizar la puntuación segura en Microsoft Defender para la nube en relación con los recursos de AKS, se recomienda: A. Habilitar los planes de Defender para la suscripción de Azure que contiene los recursos de AKS. Esto permitirá que Microsoft Defender para la nube recolecte datos de seguridad de los recursos y proporcionará recomendaciones específicas de seguridad. E. Revisar el inventario de recursos de AKS en cada suscripción de Azure y asegurarse de que se están siguiendo las mejores prácticas de seguridad. Esto ayudará a identificar cualquier problema de seguridad que pueda existir y tomar medidas para abordarlos.

GuruleeOptions: BD

Tricky…I can understand B,D. “ When you enable Microsoft Defender for Containers, Azure Kubernetes Service clusters, and Azure Arc enabled Kubernetes clusters (Preview) protection are both enabled by default.”

Gurulee

After reviewing closer, since AKS was found excluded, my answer would be A, B