Exam SC-200 topic 2 question 34 discussion

Actual exam question from Microsoft's SC-200
Question #: 34
Topic #: 2

You have an Azure subscription that uses Microsoft Defender for Cloud and contains a storage account named storage1.

You receive an alert that there was an unusually high volume of delete operations on the blobs in storage1.

You need to identify which blobs were deleted.

What should you review?

  • A. the activity logs of storage1
  • B. the Azure Storage Analytics logs
  • C. the alert details
  • D. the related entities of the alert
Suggested Answer: B

Comments

RodrigoLima
Highly Voted 1 year, 10 months ago
Selected Answer: B
Seems like the answer is actually correct. "Azure Storage Analytics performs logging and provides metrics data for a storage account. You can use this data to trace requests, analyze usage trends, and diagnose issues with your storage account."
upvoted 12 times
...
imhere4you
Highly Voted 1 year, 6 months ago
On exam - 19 June 2023
upvoted 7 times
...
HAjouz
Most Recent 4 days ago
Selected Answer: A
Activity logs offer a more precise and reliable way to identify the deleted blobs because they capture detailed information about each operation performed on the storage account. By analyzing these logs, you can pinpoint the exact blobs that were deleted, the time of deletion, and potentially the user or process responsible.
upvoted 1 times
...
talosDevbot
2 months, 2 weeks ago
Selected Answer: D
D) "Related entities" of the alert. The question is saying you need to identify the blob involved in the alert you just received. Each alert in Defender for Cloud has a "Related entities" section. 'Entities' can be users, IP addresses, Resource ID, Hostname, File, Process. In this case, the Related entities section will have the resource ID of the blob related to the alert.
upvoted 2 times
...
user636
3 months, 3 weeks ago
Selected Answer: D
The answer is D.
upvoted 1 times
...
user636
3 months, 3 weeks ago
The answer is D. Related entities will have the details of the blobs that were deleted. The alert details do not give the name of the blobs, but will only list the "Operations" that were performed. In this scenario, the operation name is "Storage.Blob_DeletionAnomaly". (Ref: https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-azure-storage#unusual-deletion-in-a-storage-account) The question expects you to use the tool "Microsoft Defender for Cloud", so try to stick with the options/features provided by the tool & not the complete Azure platform.
upvoted 1 times
...
Sekpluz
6 months ago
Selected Answer: D
https://learn.microsoft.com/en-us/azure/defender-for-cloud/managing-and-responding-alerts#respond-to-security-alerts
upvoted 2 times
...
Sneekygeek
8 months, 1 week ago
Selected Answer: D
Under the alert details there is a related entities field which will tell you which resources are related to the alert. I would definitely start here before I dove blindly into the logs. https://learn.microsoft.com/en-us/azure/defender-for-cloud/managing-and-responding-alerts#respond-to-security-alerts
upvoted 1 times
...
ostralo
9 months ago
The answer is D. When you open the alert (delete operations on the blobs in storage 1) by clicking "View full details", it shows you the Alert details tab. If you scroll down, you will find the "Related entities" section. It shows Azure Resource (Resource ID, Subscription ID), Blob container (Name, Storage resource), etc. It doesn't make sense that the alert doesn't provide the blob container name.
upvoted 2 times
...
Gurulee
11 months, 2 weeks ago
To identify deleted blobs in Azure Blob Storage, you can enable Storage Analytics logs. These logs contain details of each and every operation, including the ones that delete blobs.
upvoted 1 times
...
chepeerick
1 year, 1 month ago
Correct
upvoted 1 times
...
NICKTON81
1 year, 3 months ago
Selected Answer: D
D - Related Entities https://learn.microsoft.com/en-us/azure/defender-for-cloud/managing-and-responding-alerts#respond-to-security-alerts
upvoted 3 times
...
mali1969
1 year, 3 months ago
Selected Answer: D
The activity logs of storage1 and the Azure Storage Analytics logs are not sufficient to identify the deleted blobs, as they only provide general information about the operations performed on the storage account. The alert details provide more specific and contextual information about the activity and the related entities.
upvoted 3 times
mali1969
1 year, 3 months ago
The related entities are the objects that are involved in or affected by the activity, such as blobs, containers, files, shares, directories, etc. You can use the related entities to identify which blobs were deleted in your storage account.
upvoted 2 times
...
...
donathon
1 year, 3 months ago
Selected Answer: B
https://learn.microsoft.com/en-us/rest/api/storageservices/storage-analytics-logged-operations-and-status-messages#logged-operations
upvoted 1 times
...
[Removed]
1 year, 3 months ago
Selected Answer: B
Azure Storage Analytics logs provide detailed insights into the activities performed on your storage account, including information about blob operations like delete operations. These logs capture information about operations, including their types, targets, timestamps, and authentication details. By analyzing the Storage Analytics logs, you can determine which blobs were deleted and gather other relevant details about the delete operations. The other options are not as directly related to identifying which specific blobs were deleted: A. the activity logs of storage1: While the activity logs provide information about management activities and data plane operations on Azure resources, they might not contain the detailed information needed to identify individual deleted blobs.
upvoted 1 times
...
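Added example, not part of the original thread or of any commenter's post: a Python parser that pulls the `DeleteBlob` entries out of Storage Analytics log lines and reports the blob, time, authentication type and requester IP for each. It assumes the version 1.0 log entry field order; the names `deleted_blobs` and `_sample`, and every sample entry, are constructed for illustration.

```python
import csv
import html

# Leading fields of a version 1.0 Storage Analytics log entry, in order.
FIELDS = ["version", "start_time", "operation", "status", "http_status",
          "e2e_ms", "server_ms", "auth_type", "requester_account",
          "owner_account", "service", "url", "object_key", "request_id",
          "op_count", "requester_ip"]
REPORT = ("start_time", "object_key", "auth_type", "requester_ip", "status")

def deleted_blobs(lines, successful_only=True):
    """Return one dict per DeleteBlob entry found in the given log lines."""
    hits = []
    # Entries are ';'-delimited; free-text fields are quoted and HTML-encoded.
    for row in csv.reader(lines, delimiter=";", quotechar='"'):
        if len(row) < len(FIELDS) or row[0] != "1.0":
            continue  # blank, truncated, or a different log version
        rec = {k: html.unescape(v) for k, v in zip(FIELDS, row)}
        if rec["operation"] != "DeleteBlob":
            continue
        # Failed deletes (for example a 404) did not remove anything.
        if successful_only and not rec["status"].endswith("Success"):
            continue
        hits.append({k: rec[k] for k in REPORT})
    return hits

def _sample(op, status, code, auth, key):
    """Build one constructed log entry (hypothetical helper, not real data)."""
    url = "https://storage1.blob.core.windows.net" + key[len("/storage1"):]
    return (f'1.0;2023-06-19T08:15:02.0000000Z;{op};{status};{code};12;11;'
            f'{auth};storage1;storage1;blob;"{url}";"{key}";'
            '00000000-0000-0000-0000-000000000001;0;203.0.113.10:50211;'
            '2021-08-06;400;0;180;0;0;;;;;;"constructed-agent/1.0";;"c-1"')

SAMPLE = [
    _sample("DeleteBlob", "Success", 202, "authenticated", "/storage1/invoices/a.pdf"),
    _sample("GetBlob", "Success", 200, "authenticated", "/storage1/invoices/b.pdf"),
    _sample("DeleteBlob", "SASSuccess", 202, "SAS", "/storage1/invoices/q1&#59;final.pdf"),
    _sample("DeleteBlob", "ClientOtherError", 404, "SAS", "/storage1/invoices/gone.pdf"),
]

if __name__ == "__main__":
    for hit in deleted_blobs(SAMPLE):
        print(hit["start_time"], hit["object_key"], hit["auth_type"], hit["requester_ip"])
```
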
therealletsgo
1 year, 7 months ago
Tough one, but B seems to be for "Storage Analytics logs detailed information about successful and failed requests to a storage service." I suppose I will go with A and be the black sheep based on these: https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage?tabs=azure-portal https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage-reference
upvoted 1 times
therealletsgo
1 year, 7 months ago
nvm on this....
upvoted 2 times
...
...
haskelatchi
1 year, 8 months ago
Selected Answer: C
You are all incorrect. Answer is C. When Microsoft Defender for Cloud generates an alert, it includes detailed information about the event that triggered the alert, including information about the specific resources that were affected. In this case, since the alert was triggered by an unusually high volume of delete operations on the blobs in storage1, the alert details would provide information about which specific blobs were deleted. Azure Storage Analytics logs provide detailed information about successful and failed requests to a storage service, including delete operations. However, in this specific scenario where you have received an alert from Microsoft Defender for Cloud about an unusually high volume of delete operations on the blobs in storage1, the alert details would be the best place to look for information about which blobs were deleted.
upvoted 3 times
Holii
1 year, 8 months ago
Security alert -> View Full Details -> Alert details does NOT contain a list of affected blob resources. In order to see affected blob containers affected by a deletion event, the answer would be D. Expand the Related Entities -> Blob container -> Provides a list of all blob entities affected by the alert. Since this is specifically talking about an alert, and the entities affected by the deletion of the alert, I think it would honestly be best to do it from inside the 'Related Entities -> blob containers' page rather than generating a view of deleted blob incidents. You don't know whether a blob container was deleted that was not part of that alert if you're searching the analytics logs or storage account logs. For the fact that it is specifically targeting blobs touching this alert, I'm choosing D.
upvoted 5 times
...
...
Community vote distribution: A (35%, most voted), C (25%), B (20%), Other