
SC-100 Cybersecurity Architect Expert Certification Study Cram

By John Savill's Technical Training

Summary

## Key takeaways

- **SC-100 Exam Breadth Over Depth**: It's a 2-hour exam with about 45-46 questions, very broad, covering the full scope of Azure and Microsoft 365 security solutions but with no depth; questions ask which solution meets a requirement. The presenter finished in 30 minutes. [02:18], [03:31]
- **Zero Trust Three Principles**: Verify explicitly by constantly revalidating identity, device, etc.; use least privilege with just-in-time elevation like PIM; assume breach by gathering signals from everywhere for context and enforcement. [04:27], [05:54]
- **Azure AD Licensing Tiers**: Free offers basic MFA via the Authenticator app and security defaults that block legacy auth; P1 adds flexible MFA and conditional access; P2 includes Identity Protection, access reviews, entitlement management and PIM. [07:55], [08:49]
- **Endpoint Compliance Drives Access**: Microsoft Endpoint Manager checks device compliance (patching, jailbreak status) and feeds it into conditional access to block non-compliant access; integrates with Defender for Endpoint risk signals. [22:15], [25:10]
- **Defender for Cloud Multi-Cloud**: Provides cloud security posture management and a secure score via the Azure Security Benchmark, supports AWS and GCP with automatic agent provisioning, and enables additional regulatory compliance standards. [47:51], [51:28]
- **Conditional Access Signal Fusion**: Combines signals such as user risk from Identity Protection, device compliance from Endpoint Manager, and location to enforce MFA, block access, or require terms of use across apps and actions. [11:14], [17:13]
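The signal fusion described in the takeaways above (user risk from Identity Protection, device compliance from Endpoint Manager, location, legacy authentication) is easier to reason about as a small policy evaluator. The block below is an added example written for this page; it is not code from the video or from Microsoft. The policy names, the `SignIn` fields and the sample sign-ins are assumptions, and the evaluation rule models the documented conditional access behaviour that every matching policy's controls must be satisfied and that a block control wins over any grant.

```python
"""Toy conditional-access evaluator: fuses risk, device and location signals.

Added example for this page, not Microsoft's code. Policy names, SignIn
fields and the sample sign-ins below are assumptions for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, Dict, FrozenSet, List, Set, Tuple


class Risk(IntEnum):
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class SignIn:
    """Signals available for one access attempt (field names are assumptions)."""
    user: str
    is_guest: bool            # B2B guest vs. member of the tenant
    app: str                  # cloud app being requested
    user_risk: Risk           # Identity Protection: account-level risk (e.g. leaked credentials)
    sign_in_risk: Risk        # Identity Protection: risk of this particular attempt
    device_compliant: bool    # Endpoint Manager compliance state (Defender for Endpoint risk can flip it)
    trusted_location: bool    # request comes from a named/trusted location
    legacy_auth: bool         # legacy protocol that cannot do MFA (basic-auth IMAP/POP/SMTP)


# Grant/block controls a policy can demand.
BLOCK, MFA, COMPLIANT_DEVICE, PASSWORD_CHANGE, TERMS_OF_USE = (
    "block", "mfa", "compliant_device", "password_change", "terms_of_use")


@dataclass(frozen=True)
class Policy:
    name: str
    applies: Callable[[SignIn], bool]   # assignments + conditions
    controls: FrozenSet[str]            # access controls demanded when it applies


@dataclass(frozen=True)
class Decision:
    outcome: str                  # "allow", "challenge" or "block"
    controls: FrozenSet[str]      # what must be satisfied, or why access was blocked
    matched: Tuple[str, ...]      # names of the policies that applied


POLICIES: List[Policy] = [   # hypothetical policy set modelled on the themes of the video
    Policy("Block legacy authentication", lambda s: s.legacy_auth, frozenset({BLOCK})),
    Policy("MFA outside trusted locations", lambda s: not s.trusted_location, frozenset({MFA})),
    Policy("Compliant device for Office 365", lambda s: s.app == "Office 365", frozenset({COMPLIANT_DEVICE})),
    Policy("Sign-in risk medium or above: MFA", lambda s: s.sign_in_risk >= Risk.MEDIUM, frozenset({MFA})),
    Policy("User risk high: secure password change", lambda s: s.user_risk >= Risk.HIGH, frozenset({PASSWORD_CHANGE})),
    Policy("Guests accept terms of use", lambda s: s.is_guest, frozenset({TERMS_OF_USE})),
]


def evaluate(signin: SignIn, policies: List[Policy] = POLICIES) -> Decision:
    """Fuse the signals: every matching policy's controls must be met; block wins."""
    matched = [p for p in policies if p.applies(signin)]
    required: Set[str] = set().union(*(p.controls for p in matched))
    names = tuple(p.name for p in matched)
    if BLOCK in required:
        return Decision("block", frozenset({BLOCK}), names)
    # Device compliance is a signal, not a prompt: a non-compliant device is
    # denied until Endpoint Manager reports it healthy again.
    if COMPLIANT_DEVICE in required and not signin.device_compliant:
        return Decision("block", frozenset({COMPLIANT_DEVICE}), names)
    challenges = required - {COMPLIANT_DEVICE}
    if PASSWORD_CHANGE in challenges:
        challenges.add(MFA)   # a secure password change is gated behind MFA
    if challenges:
        return Decision("challenge", frozenset(challenges), names)
    return Decision("allow", frozenset(), names)


# Constructed sample sign-ins (not real telemetry).
SAMPLE: Dict[str, SignIn] = {
    "healthy": SignIn("alice", False, "Office 365", Risk.NONE, Risk.NONE, True, True, False),
    "coffee_shop": SignIn("alice", False, "Office 365", Risk.NONE, Risk.NONE, True, False, False),
    "leaked_password": SignIn("alice", False, "Office 365", Risk.HIGH, Risk.NONE, True, True, False),
    "imap_basic_auth": SignIn("alice", False, "Exchange Online", Risk.NONE, Risk.NONE, True, False, True),
    "noncompliant_device": SignIn("alice", False, "Office 365", Risk.NONE, Risk.NONE, False, True, False),
    "partner_guest": SignIn("bob@partner.example", True, "Teams", Risk.NONE, Risk.MEDIUM, False, False, False),
}

if __name__ == "__main__":
    for label, s in SAMPLE.items():
        d = evaluate(s)
        print(f"{label:20} {d.outcome:9} {sorted(d.controls)}  <- {list(d.matched)}")
```

Two design points carry over to the real service: the device-compliance control is evaluated from the device's reported state rather than by prompting the user, which is why a Defender for Endpoint risk score flipping a device to non-compliant immediately denies access until the device is healed; and the password-change control for a high user risk implies MFA, because the account is presumed compromised.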

Topics Covered

  • SC-100 Tests Broad Solution Mapping
  • Zero Trust Demands Verify Explicitly
  • Defender for Cloud Enables Multi-Cloud Posture
  • Conditional Access Drives Zero Trust Controls
  • Azure Sentinel Correlates Signals into Action

Full Transcript

Hey everyone, welcome to this SC-100 study cram, hopefully helping you get the new Cybersecurity Architect Expert certification. As always, if this is useful, a like and subscribe is appreciated.

So the focus here is the Cybersecurity Architect Expert certification, and we get this via the new SC-100 exam, which at the time of recording is in beta. Now, in addition to taking this exam, you also need to have taken either SC-200, SC-300, AZ-500 or MS-500. It's any one of these, and then you add in the SC-100 to get this new certification, so you have a lot of flexibility there: you just need one of them and then you're good to go.

If we actually go and look at the page for the certification, we can see it talks about the SC-100 exam, and then it talks about the actual certification itself and shows you the path: one of these prerequisites, then take the exam, and then you get that certification. On the exam page it goes through how you can schedule the exam. Pay really close attention to the exam skills outline; you always want to go and look at this. It goes through all of the individual skills that you want to be able to check a box next to and say, yes, I understand those, I'm good with all of those various things.

Now, one of the key things you will notice as you go through this (and I did just take the exam, so I could get an understanding of what level we need to understand this at): it's a 2-hour exam, I had about 45 or 46 questions, but it's very broad. It kind of hints at that, in that I can take any of these as a prerequisite, and then the SC-100 exam really covers the full scope of all of the different security solutions across all of Azure and Microsoft 365. It's all of those, so I need to have a very broad understanding of what the different solutions do and the capabilities they bring, but I don't need to know any of them to any depth. There is no "how would I do that in the solution"; it's none of those. It's very basic questions: hey, I need to meet this requirement, which solution would I use, or which solutions could make up part of this solution.

I finished in 30 minutes. Now, there were case studies; I didn't read them, I was actually in a rush, but it was pretty obvious most of the time what you wanted to do. Maybe you would quickly go and, if it said "based on business requirements", go and look at the business requirements tab, and then whatever it might be. There was no hands-on lab; most of them were pretty short questions. Again, it took me half an hour. I'm not saying I passed, but it took me half an hour and I was done, and I felt pretty comfortable. I had plenty of time to read the questions and pick the right answer, so it is very short and sweet; it's just a broad exam. Again, it is in beta right now, so you won't get the results until it actually releases, and then it can take a couple of weeks after it releases. So when you're taking it, you don't know exactly
what you're going to do. So it's not super complex, it's not super deep; you just need to have a pretty good idea of which technologies solve which types of problems, and that's what I'm going to focus on in this study cram. I'm going to really go through the different elements we think about, and then what solutions would be part of those different requirements that I might have.

Now, a key thing to keep in mind as we go through all of this is that a big focus today is all about zero trust. Keep that in mind through the entire exam. There are three key principles to this. I did a whole video on zero trust; you should go and watch that to get more information about it. But we always think about verify explicitly: I'm not trusting something just because it's on a certain network. No, we're constantly going to verify. We're going to revalidate the identity, whether it's a user or a service principal; everything, including the device that's being used, we want to try and validate as well. So we're going to verify everything explicitly.

We want to use least privilege. We have this idea of just enough permissions, so the role that just gives me the permissions I need to do something. I'm not going to share identities, and ideally I want it only when I need it, so we think about things like Privileged Identity Management, where we elevate up to a role when we require it.

And that really builds into the third one: we assume breach. Once again, we're not trusting that network. We look at signals, we look at telemetry, so we're constantly looking for some indicator of something bad happening: a malicious actor, some ransomware, whatever that might be. We're going to gather as many signals as we can from everywhere we can, because obviously the more signals, the better context we can get and the better intelligence we can apply to look for some sign of compromise. So it's all about signals, and then making a decision to enforce certain types of access.

Now, as you go through this, Microsoft has a whole cybersecurity set of reference architectures, and what I would recommend is to actually go and download this. It's a PowerPoint, and it's a huge number of basically pictures that go through all the things you might think about: different types of roles, different types of solutions, how they fit. So go and download the file and take some time to really go through that and understand all the different elements. That's definitely a recommended resource that you want to use.

So let's walk through the different actors, the different entities we have as part of the all-up solution. When I think about my environment, if I think about the first element, and this really is the key to the door, we think about identity. Now, that identity we're thinking about, that's users, that's groups of users, that's service principals, that's applications; we have identities for all of these things. And in the cloud, when I think about identity, well, that's Azure AD. So we have this concept of our Azure Active Directory that contains users, groups, application registrations, devices; we have these different types of entity in there.

Now, there are different SKUs that we license users for. I can think about, well, there's the free SKU, there's Azure AD Premium P1, then there's Azure AD Premium P2, and different features use different levels of these SKUs. There is a document that goes through all the differences between them (this is in the link below), but there's a feature comparison, and you can see that with free, sure, I get basic information, and I can use the mobile app as a second factor. My global administrators get more MFA-type capabilities, but for most of the richer features, conditional access, flexible MFA for everybody, you're really getting into this Azure AD Premium P1 world. And then P2 is more of the enterprise features, things like Identity Protection, access reviews, entitlement management and PIM. So those are key features, and on a per-user basis we can enable different people for the different features. So we think about there being different SKUs available for this.

Now, when I want to think about this protection, the cybersecurity types of
elements, if I think about protecting the Azure AD identities, this could be users, and in preview right now is service principals as well, so workload identities. We think about Azure AD Identity Protection. The Identity Protection solution is a P2 feature, so if I want intelligence about the risk of an individual logon and the risk of the overall users, based on different types of signals coming in, well, that's Azure AD Identity Protection. It's P2; I'd need that license for these.

I also think about, okay, great, that's going to give me signals of attack, but I also want strong authentication. We think about multi-factor authentication. Now, typically MFA is a feature of P1, so with P1 I can use SMS, I can use phone calls, I can use hardware tokens, I can use the Authenticator app software tokens. With free, there is something called security defaults that I can turn on. Security defaults does enable me to have MFA for users, but it's only via the Authenticator app, only through the software tokens; I can't use text. It also will turn off legacy authentication protocols, so it tries to give me this locked-down set of capabilities just by default. So it's going to block the legacy authentication, and it's going to make the users do MFA for what it considers an elevated type of access: if I'm accessing the portal, it's going to make me do MFA for that. But with P1 I get all of the different types of MFA available, and obviously P1 introduces the idea of conditional access, which we're going to talk a lot more about. Conditional access is typically how we want to drive having to perform MFA: hey, I'm doing some elevated permission. And also Identity Protection feeds into conditional access with risk information: hey, we're detecting an elevated risk, okay, then conditional access is going to make you do MFA, or maybe make you change your password, or other things. But this drives that, so we want the strong authentication, MFA; security defaults gives us a limited, predefined set of MFA. We can think about passwordless: I don't want a password at all, and that is available across the SKUs. Passwordless could be, hey, I'm using the Microsoft Authenticator app, I'm using hardware FIDO keys, I'm using Hello for Business. So I have a passwordless option as well.

Now, when I think of identity protection, it's great talking about the cloud and Azure AD Identity Protection and things like that, but realize, does our identity normally just burst into life in the cloud? It doesn't, most of the time. What we actually have is an existing Active Directory Domain Services. So I have my regular Active Directory Domain Services, and that has our users, our groups, etc. I'll draw machines into it. I may optionally have something like ADFS, Active Directory Federation Services, where I'm federating the authentication and authorization from maybe other cloud services, so I can use my identities in my AD. I can even federate from Azure AD to AD via ADFS, but it's generally not recommended; it's better to just use conditional access and use cloud-based authentication.

Now, what about if I want to protect the identities in here? Well, we have Defender for Identity. It has gone through a number of name changes, but Defender for Identity deploys agents on all my domain controllers and, if I have it, my ADFS, and it feeds that into a cloud-based service. So this is now going and looking for signs of compromise in my Active Directory environment: pass-the-hash, golden ticket, DNS dumping, a big sync of records, etc. It's looking for those types of indicators. It was Advanced Threat Protection, which I think was the old name; now it's Defender for Identity. So we have these sensors on the domain controllers and on my ADFS that are going to look for those signs of attack.

Now, obviously, if my identities are originating here, I have to get them to the cloud some way, so what we have is Azure AD Connect. Now, there is an Azure AD Connect cloud sync, where the engine runs in the cloud, but what they're doing is synchronizing, mainly from AD to Azure AD. There are a few things that write back, but most of it is going that way. Now, one of the options we can turn on on this is: I want to replicate and synchronize the hash of the password hash. It's not the original password hash, it's a hash of the hash; it's like a thousand SHA iterations with a per-user salt, so I can't reverse it. But if we add this (and this is the recommended thing), things like Azure AD Identity Protection can now look for things like leaked credentials, so it can stop things like a breach replay attack. By sending that hash of the hash, even if I'm not using cloud auth, by adding that hash of the hash, now Identity Protection, when it's looking at the dark web and finds a leaked credential, can compare the passwords and say yes, this is compromised. So then my conditional access, which gets signals from this, says, hey, the user is at risk, make them change their password. Conditional access could drive that, so I think about combining those things together. So this is all about my corporate
identities. Now, realize I may have other types of identity out there. I may have, for example, my partners that I collaborate with, so my partners may have their own Azure AD, maybe they have Microsoft accounts, maybe they have Gmail accounts, maybe they've got some other SAML or WS-Fed, maybe it's a one-time passcode, and I want to collaborate with them. Well, if I want to collaborate with them in my Azure AD, I can create a little stub object that represents that external identity. This is B2B functionality, so it's people I want to collaborate with, and applications and services I have that trust my Azure AD (could be SharePoint, could be Azure, could be an application I've created). I can add them using B2B as guests, so now they'll show up and I can collaborate with them.

That's very different from if I have customers. If I'm creating something for my customers, I don't want customers in my Azure AD, so we have a separate type of Azure AD we can create: Azure AD B2C. So this is now the customers; they have all their social accounts, Twitter, LinkedIn, whatever that might be, and they can use their social account in that Azure AD B2C instance, and then the application you create that uses this, they can authenticate to. I can still have local accounts if they don't have a social identity they want to use. I can customize every pixel of this experience, but this is separate from the AD for my corporation. I'm going and creating a separate Azure AD, and it's a special type, B2C, that has support for all of these different types of social identity they can bring and use in the application. So that's really the key point around that from the identity perspective.

So identity is super important. I'm actually going to touch on a few other types of identity later on, but really think about: hey, I want to protect the identities in Azure AD; we have Identity Protection, that's users, that's service principals. I think about, hey, identities in my regular Active Directory; Defender for Identity, through agents, can detect types of activity. And then different ways to interact with external parties: partners, hey, I want them to have an external identity; customers, I don't want them in my Azure AD, completely separate instance. So that's the identity. Well, those identities are used from something, so I think about the next
part, which is the endpoint. I have some device that they're leveraging. Now, I realize when I think about endpoints there's a massive number of different types. I can think about the world: there's computers, there's mobile devices, my iOS, my Android, there's things like IoT, there's printers, there's network. There's a massive number of different types of devices that we have, and these could be on a corporate network, they could be on the internet. But remember, with zero trust, whether it's on our corporate network or not, for the most part we're still going to treat it like the internet. We assume breach, we verify explicitly. If it's on my corporate network, I'm not going to bypass any checks; I treat it almost like it's on the internet as well.

Now, one of the first things I want to do for these types of devices is, well, especially here I've got that Azure AD I talked about with users: I want to register these. Now, potentially I may even join them; my Windows 10, my Windows 11 can actually join the Azure AD, but at minimum I want them registered. They become known entities to my Azure Active Directory environment, because from there it starts to drive other types of capabilities in terms of managing the devices, in terms of applying policy, in terms of getting information about them, so I can track compliance.

From a solution perspective, when I think about the endpoints, there used to be two and they've really combined together. So when I think about the endpoint protection (I'm going to shift to a slightly different color), we think about Microsoft Endpoint Manager. Now, Microsoft Endpoint Manager is really combining two technologies. We can think about this idea of Microsoft Intune, which was all about our internet-connected devices, our mobile devices; could be those Windows 10, Windows 11, etc. And then we had the idea of Configuration Manager, for devices connected on our network; this could include servers as well, for example. So MEM is really combining these two things together, and what I can do is I can actually have a co-management scenario, and I can think about using as much or as little as I want. I connect my Configuration Manager site to the cloud, to my Intune instance, and then I actually have the ability, as a property of that co-management configuration, to say, well, which features do I want to manage from the cloud and which do I still want to manage from Configuration Manager: hey, compliance policies, endpoint protection, client apps, Office Click-to-Run, resource access policies. Some of that I'll do in Config Manager, some of that I'll do in Intune, so I can pick the component I actually want to do.

But what Microsoft Endpoint Manager is driving is, well, there's types of policy, for example. Now, with policy I can do different things. I can think about compliance: is it not jailbroken, is it patched, has it got these various things. And a huge part of compliance is that Microsoft Endpoint Manager can detect the compliance status of our devices: is it healthy, is it compliant. Well, with that information, that compliance status, we can actually feed back into conditional access, which we're going to use later on to decide if we're going to allow access to something. So these all really connect together. I can also apply things like configuration, and think of this, once again, as going across different types of devices. There's also other things like inventory; there's a whole set of different capabilities I have over here.

If I jump over super, super quickly (so if I exit out of that, I'm going to close all these down for a second): first, if I was looking at the Azure AD, I talked about Identity Protection, so hey, it's got those user risk policies, sign-in risk policies, but you can see I can see things like risky users, risky workload identities, risky sign-ins, different types of risk detection. So I have all of those capabilities. I have the Defender for Identity; that's the on-premises one that is going and actually looking at, for example, my various... we've got my sensors on my domain controllers installed, so I can see all those pieces of information there.

And then when I think about my actual Endpoint Manager, this is where I can go and look at those devices they've got registered in Azure AD, and then I can go and manage them through Microsoft Endpoint Manager. We can see, hey, look: Windows, Android, iOS, macOS, Windows Mobile. And through the devices, well, I have these different types of capabilities: hey, look, I can create compliance policies, I can create configuration profiles, I could deploy software, deploy certificates, different things I want to do. But if I do a compliance policy, I can create a policy; it's going to be based on the type of platform, so I'm going to see all the different platforms we get support for here. Likewise, I could actually create one of these Windows 10 compliance policies, for example, but also I could do a configuration profile, and with a configuration profile, once again, we get all the choices, and then I can say, well, is this settings catalog, is it based on the old-style ADMX type things we had with Group Policy. So we're not losing functionality; more and more, the things we used to do with Group Policy, for example, I can now do with this as well.

So we have all of those types of capabilities actually available to us. So think of Microsoft Endpoint Manager as: I want to apply configuration, but also I want to understand the compliance of that device by creating the policies, and then I can use that compliance information to feed into things like conditional access, which I'm going to use to make decisions on access later on down the line. And again, you kind of pick that level: I might be all Configuration Manager, I might be all Intune, I might have that co-managed and I'm using different things for different parts. Often as a customer we'll move through the stages; maybe I've started off with Configuration Manager, then I'll start moving bits of functionality to Intune until I'm 100% cloud-based.

Now, the other thing I can do, then we think about... so that was Microsoft Endpoint
Manager. Another very important component we have (and I'll do a slightly different color) is Defender for Endpoint. Now, Defender for Endpoint is doing a number of different things. It's all about the idea of protecting, so stopping things happening; detecting, okay, something's happened and I want to know it's happened, I want to be able to trace the complete path of things (hey, someone clicked on this thing, this thing then fired off this process, this process then went and spoke to this and then talked to these other machines; I want to be able to detect all of that happening); and responding. So Defender for Endpoint is doing this, and one of the things Defender for Endpoint does as part of this detection: it can go and see, hey, something's happened. If there is a breach, I get visibility into it; I can isolate, respond to those attacks. It's different types of endpoints. It can help me discover endpoints that maybe aren't managed: Windows endpoints, Windows Server endpoints, Linux, macOS, iOS and Android (the mobile ones). It's going to give me information about them, and then surface that information, and then, based on the information, show me known vulnerabilities to help me go and actually protect them. It has a full threat and vulnerability management component. There's a dashboard; it has an exposure score that helps me understand my entire organization, and then, well, what are the biggest impacts to my devices, so I can go and focus on those: different severities, different patch levels, and recommendations of what I should do first based on those highest priorities.

And the key point here is, when this detects a problem, maybe some machine has been attacked, it can actually feed that into the compliance state. So I can connect Defender for Endpoint into MEM, so that when it finds something that's gone wrong, hey, a machine is flipped to non-compliant because there's a certain risk score, well, that will then flip this policy, which then flips conditional access. When it's healed, hey, it will notify the compliance, get a new token and I'm good to go. So they work together to help give me these different levels of protection.

So this is really a key component when I think about this whole protect, detect. There are things like attack surface reduction rules, i.e. all of the different places attacks can occur, where a threat is likely to attack. I might block certain types of Office apps from types of behavior, block types of content from emails, different scripting rules (JavaScript, Python, macros, PowerShell), block those things. It can understand things like polymorphic threats, so it's going to look and block if something isn't running on a certain number of machines for a certain duration and it's not on a trusted list: don't allow it. Don't allow things to run from USB, stop lateral movement, stop credential theft, maybe types of behavior from PsExec or WMI process creations, don't steal things from LSASS. So Defender for Endpoint is doing a whole bunch of different things, and yes, it has an antivirus, an anti-malware component. It has the basic set of characteristics based on signatures, but there's also local machine learning models for those kind of day-zero things; it has cloud-based machine learning rules. It understands, hey, there's some suspicious file, well, I can upload it through a deep neural network classification inspection, detonate it in a chamber to get a deeper analysis and classify those threats. There's a whole set of fantastic things that Defender for Endpoint is doing, but it really is: sure, protect it, antivirus, anti-malware; detect it, okay, we're seeing these behaviors; then help me actually respond to that. So there's really a key set of features around that. There's automation to surface those recommendations and automatically respond to them, maybe block that client straight away, block those types of actions. So Defender for Endpoint layers on top of that.

And then obviously I have these computers, I have these devices; well, there's also Defender for
Servers. Now, Defender for Servers does a whole bunch of different things. I'm going to come back to this a few different times, but when I think about the endpoint and protecting it, one of the things it does is it has this adaptive application hardening, and what that means is, again, it's this idea of machine learning: it looks at what normally runs, it creates an allow list, and then if things try and run that are outside what it's observed, it's not going to let them run; it's going to stop those things happening. There's things like file integrity monitoring that's part of this as well: core OS files, core application files; something tries to change them, it's going to stop that happening.

And remember, verify explicitly. So for these devices, when we're having all the different types of interactions, think mutual authentication. We don't want the endpoint just to validate, hey, I'm really talking to this service; the service should validate, hey, this endpoint really is who they say they are. I've got some mechanism to deploy certificates to the devices that I can then validate. App Gateway, for example, in Azure has mutual authentication capabilities. A lot of the IoT solutions will validate the identity of that IoT device talking to them, because, hey, if I've got some sensor giving fake information, that's then going to drive me to do maybe strange things I don't want to do. So we always think about that mutual authentication type of interaction.

So we've got the identities, we've got the endpoints. Now, we say we don't trust the network, but obviously we still have a network, so we have this idea of the network, and it may be part of some decision criteria that we want to use. Now, when I start on the network, the key thing here is, and I'll just kind of highlight this, we don't trust it. Just because something's on a certain network doesn't mean I give it a free pass to do whatever it wants. We're still going to verify explicitly for everything it's trying to do, but we may use where it is on the network potentially as one part of the decision criteria.

Now, if I think about the networking side in an Azure world, our core network structure is built around this idea (I'll make this big so I have some space): we have a virtual network. So I have a certain virtual network, which, remember, exists in a certain subscription in a certain region. It's made up of at least one IPv4 range, optionally IPv6. So what can I do here? Well, remember, my virtual network is broken up into virtual subnets; I'll draw two for the time being. I might want micro-segmentation, so how do I control the flow of information within the virtual network and coming in and out of the virtual network?

So the first thing we'll actually use is network security groups, NSGs. An NSG is a set of rules: source port, source IP range, destination port, destination IP range, protocol, allow/deny, priority. I have all those elements that I build in, and then I attach it to certain virtual network subnets, so it then applies those rules to control the traffic. There's things like application security groups, which is a tag on the NIC of a resource, and then instead of basing it on IP address, I can say, well, is the NIC tagged with this particular tag, SQL VM or compromised, and I might apply different rules to it. So network security groups enable me to add a layer four; a key point, this is layer four. It understands TCP, UDP, port, IP; it doesn't understand application, HTTPS, doesn't understand fully qualified domain names, anything like that. But this enables me to do micro-segmentation: hey, I'm going to let these things talk, but not talk to the internet, or not talk to this other subnet. So NSGs help control this.

Now, I did mention Defender for Servers, and I
said, hey, adaptive app hardening, the whole FIM capabilities, and there's a whole set of other features. Well, one of the other features it has is adaptive network hardening. The whole point of that is, just like the adaptive app hardening, sure, I've got NSGs, but what the adaptive network hardening does is provide me recommendations based on what it's seeing: based on the traffic observed, indicators of compromise, threat intelligence, to say, hey, great, you've got this NSG, but it's a bit generous; you have these things open that you really shouldn't have open, let's lock those down a bit. So it's going to give me recommendations to change my rules to make them more restrictive.

Now, additionally (actually, I've got to take this one out), I have services like Azure Firewall. Azure Firewall is a managed native appliance that auto-scales, with different SKUs available, but the whole point of Azure Firewall is that it understands those layer seven constructs, so fully qualified domain names; it can understand the full URL, so it can do classification not just based on the fully qualified domain name but also the URL, the path-based part of it as well. It has threat detection, it can do TLS inspection: it can sit in the middle, generate a cert to my client that represents the server I'm trying to talk to, and actually look at the TLS traffic. So then, even if it's TLS, it can still do categorization and rules based on the path, not just a fully qualified domain name. So it's a super, super powerful feature, and to use Azure Firewall, what we do is we have user-defined routes, UDRs, which say, hey, when you're trying to get to this path, actually your next hop is this appliance; it has a certain IP address, and then it can go off to wherever it wants to go, could be the internet, could be some other network. So I can drive traffic through by defining these user-defined routes to say, hey, to get to here, this is your next hop.

One of the nice things we can do with Azure Firewall is, sure, it gives us all of that great protection, but we can integrate it with other things. So imagine I have a global service. If I think about global services, we have Azure Front Door. Azure Front Door is global, so it's not regional; it's not confined to one Azure region, it's a global service. It's layer seven, so it understands HTTPS. It can do anycast on different points of presence, so I get a great experience. It can do split TCP to terminate the connection to my client and then go and talk to the services that can actually render it. It can do TLS offload. Then it has all these different types of capabilities for me, but one of the things I can add to this Azure Front Door is WAF, web application firewall. So if I think about the OWASP top 10 protections, I think about rate limiting; this can apply it, so even before it gets to my resource it's giving me protection. I can add custom rules to block, for example, certain types of traffic, so I have that ability at a global level.

Now, at a regional level, well, I have App Gateway. Now, App Gateway also can have WAF added to it, so that's another option. Once again, this is a layer seven technology, so it understands HTTPS; you can do SSL offload, things like that. But this also is now using this core rule set from OWASP, the Open Web Application Security Project, so this is going to give me protection. So, hey, maybe I've got applications behind this: I want SQL injection protection, I want command injection, I want cross-site scripting protection, I want protocol violations or protocol anomalies, crawlers, scanners, all those things blocked. Well, App Gateway, when I add in the WAF, gives me those capabilities, and once again I have the custom rules, so there's different things I can do. This is regional; it lives within a certain region. Then Front Door is a

global solution from a security perspective I also want to stop things like a distributed denial of service attack so

one of the services I can add is the distributed denal of service protection and there is a standard skew there's also a free skew a basic which applies

to everything but I don't have any control over that it's really designed to stop very large scale DJs attacks whereas the standard offering is saying I create I then link

it to my virtual Network and it protects all of the public IP addresses that are associated with resources within there it uses machine learning to understand what's a typical Behavior so

it gives me a lot more granular protection I get great reporting from that I get the ability to maybe get support drawing an attack there's certain SLA based protection

so I have these great capabilities with that dos protection standard option there if I think about other types of

workloads not everything lives within the virtual Network so I might think about let's take a few different scenarios I might think well there's

some instances that lives out here and I've got some service now of a certain type so we'll

say it's of type service one so one of the things I can do remember I'm in my I have a certain subnet I can use something called

service endpoints so what a service endpoint does is I can light this up for

service one types of a service endo and then what that does is it makes this subnet a known entity to the native

firewall solution that pretty much all of the services have I can do allow listing to come through and when I add that I could now add a rule to say hey

this is subnet 3 of vet one and it could say hey excuse me subnet 3 of vnet one sure you're allowed through so subnet 3

you can come through but it only applies to Services running with in that subnet I can't use it from other things so the

other thing I can do is I have an actual instance of a particular service so maybe here this is a postest manage database

or SQL whatever it is and this is actually DB instance 3 and by default remember all of these things they actually have a public endpoint so it's an interet accessible

address we lock it down if we want through the rules we want to authenticate to it but it's still a public endpoint with a service endpoint I'm still accessing the public endpoint it just gives me a slightly more direct

path to it maybe I don't want that so the other thing we can do is I can actually add a private endpoint so this is private

endpoint one which links directly to a specific instance of a service so this is using

private link so it's a private endpoint which is part of the private link service and if I wanted to now I could completely disable the public endpoint

hey everything has to come through this private endpoint and one of the great things is this is just an IP address so this IP address I could actually access

from other subnets from PE vets from on premises networks that have a sight to site VPN or an express route connection they can all get to that so if I had

other networks kind of sitting over here as long as there was some connection a sight site VPN an express route private

peering hey they have a path to it as well they can use that path to get to that instance of the service there's some DNS configuration I require as well that would give me now a private path to

that particular service so that's a really powerful thing to do so private endpoint is all about talking to a

service um imagine I had something like app service an app um an app service instance I could do a private endpoint

so I could do a P2 to talk to it but what if the app service wants to talk to things in the v-net how does that work

well there's vnet integration when now it can go and talk the other way um so there's this capabilities I can do

there some services will actually deploy into a subnet in a virtual Network so an app service by default exists out there

but it can talk to things in a v-net another option would actually be for app services hey I take a particular subnet

and I deploy an app service environment we're currently at V3 so all of the things that are normally shared that make that work they now all live within that app service environment so it's

actually in my virtual Network so I don't have public end points I don't have to worry about private endpoints or v-net injection it's running in my virtual

Network things like SQL managed instance runs in my virtual Network and many other services that follow this pattern or use a delegated Subnet in which to

talk so those things happen as well and realize different Services have different capabilities for example AKs the Azure kubernetes

service that has the idea of for example an open service mesh that's an add-on for AKs that's uh an Envoy based so it adds a side car to the pods to add networking

capability is which can then add pod tood mtls it encrypts all the communications it can do traffic shaping like Canary deployment patterns or blue green it can send portions of the

traffic to different sets of PODS depending on how I'm rolling out an update it gives me very granular access policies even beyond what nsgs do within the pods gives me visibility and much

much more so look at the individual service to understand well what are some of those things I can actually do for that all up solution so it's important

to kind of understand that there are many different capabilities so we have the network and then if we keep flowing

through and Beyond there we have the infrastructure so what's running on the network is my infrastructure now see that that's huge in

scope and there's different things I want to do when I think about the all up infrastructure is my environment one of the biggest things we want to do is to understand our Cloud

posture what is our overall security posture what is our compliance to maybe different types of Standards what are recommendations we can

do so the key solution we use here is is Defender for cloud this used to be the Azure security

Center so now it's Defender for cloud and so this is all about hey understanding that cloud

posture how healthy am I what is my compliance state for example and there's a built in aure security Benchmark that it's using to drive a lot of these

things and it can then drive some key recommendations to help me get a better um posture and a part of this posture is hey I get a secure

score and different things have a different amount of points so the higher the number of points the higher the priority hey if I'm not getting those points uh I'll go and focus on that

first to try and improve my overall standard now there were that built-in Azure security Benchmark kind of just there by

default but then what we can actually do if I jump over quickly if I go and look at Defender for cloud so there's a free

type of capability then what we really want to turn on is you have these enhanced protections and then you'll see there's a whole bunch of separate Services

Defender for Cosmos DB for storage accounts for key volt for resource manager for DNS these all add enhanced protections Defender for server is all part of these

but what I'm actually when I I think about these things if I was to for example let's look at Regulatory Compliance so by default it's basing on

this Azure security Benchmark but I can add additional ones now I have to have turned on the Azure Defender to enable me to use those additional

standards but I can still go and look at them so if I just pick a Management Group where it's not actually tied down to a particular element notice I can add more

standards look at all the different standards that are available so I can say hey I'm subject to this certain industry I could go and add one of these

or multiple of these to my environment as well so when I think about using these what these will then give me is

when I start looking at my overview I'll start to see my security posture I'll see my Regulatory Compliance on the different ones I've added it would actually show me those

right here and give me recommendations so the key part of this is yes I can go and add additional

compliant standards so from here I can absolutely add additional but what I have to have done is the

subscription must be enabled for that enhanced and then I can go and add whatever particular Compliance New hipper whatever that might be I want to

actually enable for that so the defender for cloud is giving me those capabilities and the key thing you probably saw that on the screen is yes it's azure

but it would also go and talk to AWS and the Google Cloud so it's going to give me those features as well now when I think about the

environment and I think about we can start with Azure but it actually goes beyond that one of the big things this can

drive slly different color is actually Azure policy so I can think about Azure policy Azure policy is some particular thing I

want to do it's a control it's a guard rail or maybe it's just saying I want to track for a compliance hey you can only use this type of storage account um you mustn't create public IPS except in this

particular subnet hey you must have this agent deployed and maybe what I want to do is just track it for compliance purposes so I'm going to let you do it

but I want to know about it or maybe I'm actually doing it as I'm going to block it it's a guard rail maybe I'm going to remediate I can actually go and fix these things and when I look at these

secure scores and these recommendations behind the scenes these are actually using Azure policies there's a built-in Initiative for the a security Benchmark that it

applies and then goes and looks at that to drive my secure score to drive those recommendations so it has all of those things and that Azure policy

typically is talking to the Azure resource manager the control plane of that but what it can also do is well there's other Cloud support but also I

have the option to do in guest configurations through my Azure policy and what this is doing here is for Windows and Linux it's using Powershell

DSC and also for Linux it's using Chef so I can actually Define requirements I want within the guest itself through Azure policy so then that could be in

Azure it could be in another Cloud it could be on premises I can drive those various things from there now one of the other things I can

do at this point when I create Azure policies I can link them to a subscription I can link an initiative to a subscription but I might also go and

create the idea of a blueprint so a blueprint is is made up of

policies um Resource Group definitions Ro base access controls and even um templates and then I can assign that

blueprint to essentially stamp down that configuration on a subscription and likewise I could directly apply the

Azure policy I don't have to go VI a blueprint blueprint gets this combination of policy Resource Group definitions arback and templates that I could then link to a subscription to

apply some configuration but remember as a policy has that guess configuration it has policy for things like kubernetes which it's actually then going to using gatekeeper inside kubernetes to apply

policies that I've defined in Azure policiy so there's really just a huge huge scope of these various types of things I want to do

Now when I think about these all-up sets of protection for infrastructure, realize there's many different solutions here, but I told you about Defender for Cloud at the key fabric level. But realize what you're actually going to see is Defender for dash dash dash. Nearly everything has some Defender element. So if we went back here for a second just to show you, hey, if I try and turn these on, notice all of these different types of things: Defender for Servers, Defender for App Service, Defender for SQL, Defender for the managed databases, for storage accounts, for Cosmos, containers, Key Vault, all there. There's a huge set of these, and these all have intelligence about the types of threats that can affect these various types of resources. So when I think about my workloads, there's just a massive set of Defender solutions available for me that I'm probably going to want to leverage as part of that. So that's a part of the all-up solution.

Now one of the big things we care about for security is encryption. So when I think about my Azure resources, hey, I have some resource. This could be a database, it could be a storage account, there's many other types of things. And we talk about encryption in transit, and we think about TLS, requiring encryption as we talk to it. Then we also think about encryption at rest, and in Azure I really can't think of anything that's stateful that we care about that isn't encrypted. But there's an option of a platform-managed key. So platform-managed key is Azure is managing the key, Azure is rotating it when it thinks it should to industry best practices. Or I can have a customer-managed key, I bring my own key. With that you're specifying the key and also you pick when you want to do things like rotate it, what are your requirements. Hey, things happen, you want to rotate straight away, you have that.

And the way this works is, one of the key Azure services we have is Azure Key Vault, and really Azure Key Vault is a key service you're going to use when I think about any type of sensitive information. So Azure Key Vault has support for things like secrets. So a secret is something I can write to and read out of: an access key, a password. It has support for keys, something I can generate, I can import, but I can't read out, but I can perform cryptographic operations through the Key Vault using the key: sign something, decrypt something. And support for certificates, the lifecycle management of that cert, I'm distributing the cert. And for the key, if I'm using the Premium SKU for example, or I'm using a managed HSM, this can actually be HSM-backed, so it always uses a hardware HSM as part of that. And when I use a customer-managed key, it's stored as a key in my Key Vault. (So notice my board is slow, going down just a little bit, so let's refresh my board just for a second. It seems to fix the performance side of it, hopefully. There we go, hopefully it will perform a bit better again. So we refreshed our board.) So it's going to use your Azure Key Vault to store the key. Now, it may not be actually encrypting with that key. There's often a data encryption key and it's using this to encrypt the data encryption key, but fundamentally you are controlling the key that's being used to encrypt the data, so you then have control over that rotation. Different services encrypt differently, like SQL has transparent data encryption for example. So there's some encryption going on.

Now I can then think, remember, so that's one type of resource, there are other resources, and actually there's building-block resources. I can think about a VM. So one of the things we like today are the Gen 2 VMs. So the Gen 2 is UEFI based hardware instead of the old BIOS based, and it gives me a virtual TPM. One of the nice things the virtual TPM lets me do, and with the Gen 2, is I can turn on trusted launch. So it's only available with the Gen 2. It's using the virtual TPM that gives me an attestation from that virtual UEFI all the way through to the booted operating system, saying I can measure, I can validate, before I let other things happen. So that's a nice security solution. We can then build on top of this for things like confidential compute, and there's different offerings around here, but this is all about, hey, that memory and the CPU is encrypted. Now there are options for doing this at the entire operating system, the AMD-based ones, or there are ones that do this at an enclave, so the enclave of the Intel SGX. So I have to change my app to be able to use that enclave, whereas the AMD whole-OS, I don't have to do anything special to use them, it's just there. It's giving me those capabilities, but I have those different levels of capability around that.

And again there's all these different Defender solutions for these. Defender for AKS is a very popular one, and remember AKS can be Windows, it can be Linux, and there's different protections depending on what I do with that. But the whole Defender for Containers, don't think of it as only AKS in Azure, it's any managed kind of Kubernetes environment, which we're going to talk a little bit more about later on.

Now when I'm thinking about my resources, just all-up resources, one of the key things we always want to think about is this idea of least privilege. I think least privilege in terms of the role. So we have role-based access control, which is: this security principal (a user, a group, a service principal, managed identity) is given this role at this scope, a subscription, a resource group, hopefully not a resource, maybe a management group. But it's a certain permission. I should have the smallest possible role that does what I need, and ideally I want it just in time. Now the just-in-time solution is Azure AD Privileged Identity Management. This is a P2 feature. So when I think about that Azure AD over here, and I think about the P2, another feature of the P2 is PIM, the Privileged Identity Management. So that's another component of that. But the whole point of what this does is, either at the actual Azure AD roles or the Azure Resource Manager roles, it gives me the permission only when I actually need it. I have to go and elevate up, maybe have to do an MFA, I have to get approved before I get that role. So more privileged roles, rather than me having them all the time, I would elevate up through PIM and I'd have it for two hours.

Now the AD version of this, let's go green. So that's for Azure AD roles. What about if it's my old-style Active Directory Domain Services? So there's something called PAM, Privileged Access Management. What that does is it uses a bastion forest where I have duplicate groups. I have a special trust to this bastion forest. It uses the same SIDs, so my token has a certain SID in it. It's a time-bombed membership, so I get a role for a certain amount of time. But that's for Active Directory, so there's a different solution when I actually want to do this on-prem compared to actually things in Azure.

We talked about the RBAC giving it to a user or service principal. I said a managed identity. Anytime I have some application that needs to talk to something else, it needs a role and it has to have permission to that resource. If it's a regular user account, I have to somehow store a certificate or secret that the app has to be able to get. Let's say it's running inside a VM or an App Service or container, to be able to authenticate to Azure to get a token to talk to the resource. Hey John, store it as a secret. Okay, how do I authenticate to the Key Vault to get the secret? So one of the things we can do is we have the option to add (do it in orange) a managed identity to an Azure resource. Now this can be system-assigned, i.e. that managed identity is linked only to that individual resource. So let's say this is actually called VM1, so I'd basically have a managed identity, system-assigned, VM1. Or it can be user-assigned. User-assigned, the managed identity has a separate lifecycle, and I then grant that resource the ability to use that managed identity. Why would I want to do that? Imagine I had lots of resources that needed the same sets of permissions to other resources. Rather than having to give 10 system-assigned managed identities the same set of permissions, hey, I'll create a user-assigned, give it permissions, and then let these 10 resources use that identity. So that's the point behind it. But then resources, and apps inside this resource, can just get a token as its managed identity through just Azure and then use it to get permissions. So the whole point here is the RBAC on this resource, for example, would say, hey, managed identity VM1, you have Contributor role, for example. Or maybe it's a data plane permission; many services today support RBAC at the data plane level. So I might leverage that as part of it.

When I think of virtual machines, one of the key things we often want to do is connect to it. Say I want to get to this resource, and how do we control that? So I want to use, for example, RDP or SSH. I don't want to leave those open, definitely not to the internet, but even maybe on internal systems. So how do I use those? So in Azure, in any network, we might use a managed jumpbox. So in Azure the managed jumpbox service is Azure Bastion. That deploys into our virtual network, so it takes up a certain subnet, and then I as the user, typically through the portal, the Azure portal, I do it that way (too small), but I can actually also use the native tooling, in preview, through the Azure CLI. I can then kick off mstsc for RDP, or SSH. I talk to the Azure Bastion, which then lets me RDP, SSH to the services. So it's a managed jumpbox, typically accessed via the Azure portal, so I can apply things like conditional access to add controls around being able to use that service. I can use Azure Bastion for that.

Now the other thing is, typically this VM might have a network security group applied to it which is blocking certain communications. So one of the other things I can do, as the user, I can actually leverage something called JIT, just-in-time access. So I can go and make a request for a certain IP. It could be my IP that I'm accessing from, or maybe I'm using Azure Bastion or Azure Firewall, and I want to enable the IP space that that lives in for a certain duration, maybe 2 hours. And when I raise that, what it does is it modifies the NSG for that period of time to let the communication from me, or from the Bastion. Then after that period of time expires it closes it again. So just-in-time is doing that. Now this just-in-time is a feature of Defender for Servers. So JIT is a feature, so it's those whole Defender solutions: I turn on that enhanced protection, Defender for Servers is what is giving me that ability to do JIT to a particular workload. So it's letting me do those capabilities.

Now when I think about the manageability, I talked about this infrastructure and Azure Policy, and Azure Policy is one of these huge, lovely things about Azure, but there are other elements. So hey, I've got Azure, and the control plane of Azure is the Azure Resource Manager. And one of the things is, when I talk to the Azure Resource Manager, I try and perform some operation, it's always checking, hey, the Azure Policy, hey, the guest OS configurations, and that's just native. Anything I do to Azure is always going through the Azure Resource Manager. But there are many features that that ARM control plane brings: things like RBAC, tagging, the policy is an obvious one, there's various types of extensions, there's various types of services, there's bringing those Defender things.

Well, what if I have other clouds, and I want to manage things in those other clouds, or I have things on premises? I want to manage those as well. So the way we do this is we have Azure Arc. It does not stand for anything. Azure Arc lets us extend that control plane to things in other clouds, to things on premises. And we have Arc for servers, Windows, Linux, and then I can bring, hey, these capabilities. There's Arc for Kubernetes: if it's CNCF compliant I can use Azure Arc for Kubernetes. And once I have Azure Arc for Kubernetes, I can then do Azure Arc, I can add some of the data services like SQL, like Postgres Hyperscale, I can add some of the app services, I can add some of the AI services. It basically deploys (in green) container instances on top of that Kubernetes environment to bring other Azure things to that. So Azure Arc, and then the workloads running inside, be it OS instances, be it Kubernetes, I can then bring those in and manage them and bring capability through Azure Arc.

But then I can even think about, well, okay, that's one part of it, that's great, but these other clouds, for example, how can I bring maybe some of those other compliance, those cloud posturing solutions to the cloud itself? So when we think about Defender for Cloud, remember I drew Azure, AWS and GCP. Well, Defender for Cloud I can use there, and one of the great things Defender for Cloud does is it adds things like automatic agent provisioning. So what does that do? Okay, so I'm now managing the cloud through Defender for Cloud. I've onboarded AWS, GCP. As it detects services, it can now onboard agents, which could then bring it into Azure Arc management. So they come together: hey, the cloud itself's posture management, hey, Defender for Cloud, AWS, GCP; the workload inside it management, hey, I'll use Azure Arc, Azure is extending the Azure control plane to that. And then you get things like policy management, and the exact features will vary depending on is it AWS or GCP. The AWS seems further ahead at this time, but vulnerability management, security configuration compliance, I can get log information to drive behaviors on these, I can get Defender deployed to these solutions on top of the Arc to start protecting those services on top of there as well. So the other Defender solutions can come into play as well: Defender for Endpoint for the various types of protections.

Remember, so we have all of these amazing things going on. If I zoom out for a second, just a crazy number of things across identity, the endpoints themselves, the network and the infrastructure. What do I do with all of those things? So I can really think, at a fairly basic level, what's really happening across all of those systems is, what I'm getting in (actually, have blank on this bit) from all over the place, fundamentally I'm getting signals. I'm going to gather signals from all of these places. And what do signals give me? Well, signals help me understand the context of what someone is doing, what's happening. Is it safe? Is it risky? All of those things. So how do I apply some logic to that context and then drive controls? Well, it's conditional access. So conditional access is really what's going to drive, once I've got that context, is then going to drive my control. And remember (that was weird) the conditional access, this is part of Azure AD, and remember specifically it's Azure AD P1. Now, if I want to use signals about user risk from Identity Protection, then I need P2. So it depends on exactly what feature I'm using, but it's giving me those various capabilities. If we were to jump over super, super quickly,

the whole point here is, if I go and look at my Azure AD and I go and look at my security, look at my conditional access. So yes, there are locations in conditional access. I can create a location based on the country, and the country can be based on the IP address or, if it's a mobile device, the GPS coordinates. Or I could create a location based on a particular range of IP addresses. I can create things like terms of use, PDF documents people have to accept. But then what I'm doing is I create a policy. I assign it to certain users, certain groups, maybe certain service principals. I can apply it to certain roles. I can apply it to all apps, I could apply it to certain types of actions, like, hey, I want to register my security information, or join devices. Hey, I want extra security if they're going to go and register for MFA, for example. So I can apply it to different types of things. Then I have conditions: user risk (this is where I need Azure AD P2), sign-in risk (I need P2), particular device platforms (obviously, Windows Phone, I'd really want to be pretty concerned if someone's trying to log on from a Windows Phone in this day and age). I can exclude. I can do it based on location, I could do certain client apps, I could filter for different types of devices. Maybe I'm looking at a property of devices, like it's a sore, only if it's a sore does this apply, and I allow access through. But then I give controls. A control could be block access, it could be grant access, it could be I'm going to grant access but I need them to do an MFA, or it's marked compliant, depending on Endpoint Manager, which could also get signals from Defender for Endpoint. Hey, it's hybrid Azure AD joined, it's an approved client app, that's an app protection policy, they've accepted a terms of use. It's all of them, it's one of them. I have all of these different options, and I can even have session controls: different types of app-enforced restrictions, hey, conditional access app control, Defender for Cloud Apps has a reverse proxy that I want to actually control the access in case I want to revoke it if I see certain strange things. So conditional access takes all of those different things we know about and then adds that control.

And the key point about all of that control is, we're giving control to something, and ultimately what we're giving control to is really the bit we actually start to care about. All that other stuff, I don't really care about it, it's not particularly adding business value to me. What I care about is the next set of bits. What I care about is it's giving me control to my applications, because the applications are the gateway to my data. So I use the conditional access. Now my applications, if I think about it, they might integrate with my Azure Active Directory. They become an enterprise app, or an app registration if I'm creating it myself. So then it's an application in the Azure AD, and I could then use Azure AD features to actually grant access to it. As part of my identity governance there's the idea of access packages, and people can go and apply for an access package (remember, that's a P2 feature, Azure AD Premium P2) to get access to the application. They can go and apply for the package to get that. So that would be one way I could enable access to this application.

Remember, well, maybe it's some other external software as a service sitting out here. So what do we have? We have that Defender for Cloud Apps. This is the cloud broker. So Defender for Cloud Apps, what that's doing is it's looking at, well, things going via Azure AD, tokens requested. It can get feeds from network devices as well, and it can then go and hook into these apps, if it supports it, via an API. So it can actually gather information via the API to see what users are doing. Hey, they're downloading a lot of documents, that's weird, hey, let's block them out. If it doesn't support that, there's an optional reverse proxy component, so to access the app I have to go through it. So we saw there were session controls; well, the session control in the conditional access policy says you have to use the reverse proxy to get to the service. So now I can control, I can see what's happening, I can block access if I need to as part of that. I can detect shadow IT now, because I'm getting those feeds from the apps, from the authentication happening. I can go and see those various things happening, if it's a sanctioned or unsanctioned application.

One of the great things this does is I can actually find where I am. So Defender for Cloud Apps, one of the nice things it has, it would discover what you're doing, but it has this cloud app catalog, and the cloud app catalog has thousands and thousands of applications. It has risk scores. So is it really a good app? If I see people using it, is that okay? It shows me (I'm just going to pick one at random) it shows me why it has certain risks. Okay, so what can it do from a security, from a compliance, what does it mean? So it will show me this for all of the applications it discovers, so I can then make a decision on this application: well, do I want to allow it or do I want to block it? I now have those controls actually available to me.

Now what about, there's another element, applications. We do need to think about, if I'm writing my own custom application, well then there's a whole set of DevOps considerations. I have code, most likely we're using GitHub, maybe we're using Azure DevOps, but one of the nice things about

GitHub is it has this Advanced security feature and what Advanced security does is actually a few different things so one is it converts my code to data which

I know sounds kind of weird but by converting it to data I can then run code ql queries against it to look for mistakes in my code that would expose security

vulnerabilities um it has a depender pot it creates a dependency graph of the things my app is using and understands vulnerabilities in those dependencies can create a poll request to say hey go

and update to a newer one so you don't have this vulnerability in your code anymore it can find Secrets I've got in my repo different elements there's pipelines there's repost there's whole

sets of stuff hey you've got some secret from over 45 leading providers uh you should go and do something about this CU this is not a good thing that you've got going here think about that complete

pipeline if I'm have a pipeline if the identity is weak for the pipeline or vulnerability is added in could be a template in my repo my app code where someone can insert something bad in

there that then gets deployed to my production environment so there should be various Gates and checks going on there should be validations going on I should really make sure I'm locking down those principles that have those

permissions so don't forget about that whole set of things that we have in play there and then really the the last part of that flow and the bit we really

really care about is the data I mean that's ultimately what a lot of the things boil down to and I want to

understand well what data do I have out there um and then maybe control it so a big solution is Microsoft purview and the whole point of Microsoft

purview is it will go and discover data wherever it is doesn't have to import it into Azure but it will go and discover the data from all across your environment and once it does a discovery

what it will then let you do is actually classify it and it will also show you things like the lineage where did it come from where did it go through how was it transformed

where did it end up now once I do that classification I can do things apply labels to it and with the labels I can use

information protection so there's a different solution and what information protection lets me do there a separate compliance Center it defines the labels that I'm

applying there and once I have the labels I can then choose to do protection hey if it has this label which was based on its class apption I might have data leakage prevention rules

applied to it so it can't be shared um there's other native solutions for example SQL database and SQL database has its own

sets of Discovery um classification um sorry Discovery classification protection it can do things like data masking hey I found this type of data

let's hide all of the characters except the last four social security number for example says features it can do there to help protect and stop people seeing that

that parts of the data when I think of information protection hey my office applications there can be automatic rules applied if it detects types of data it might offer a suggestion hey do

you think you should classify it as this based on the types of data we're seeing and they user could accept it or give a reason why they're not doing that there's a whole set of protections around

this now also remember your data you're probably backing it up so think about things like Azure backup I might be using the Azure backup

service to back up my data if someone's doing a ransomware attack against me a lot of times they're going to go after the backups uh delete them and there's things I can do like soft delete but how

can I protect the backup so as your backup really has two key mechanisms one is a pin so I have to get a pin before I can do actions against it the other one

I can do is a multi-user authorization and what this does is there actually a resource guard so before I I don't have any permission because there's a resource

guard on my Azure backup someone else has to go and give me a permission short term so I can then do actions against this and it might be a different subscription completely the resource

guard so so it's completely isolated from someone being out to attack my subscription to go and mess with this resource guard say capabilties I want to protect my backups in case people do bad

things because they're typically going to go after that so we have all of these amazing sets of capabilities across the identity the

endpoint the network the infrastructure then we get the signals to drive conditional access key them is Defender I mean Defender is just a huge solution um around a lot of these be it for the

cloud for endpoints for different workloads obviously Microsoft endpoint manager is huge I'm Azure ad identity

is the lock and the identity is the key to get inside there so identity really is everything when I think about modern

um zero trust verify explicitly all of those different aspects to it so understand the different solutions and how I can apply things Azure policy is

so powerful hey um I want to disable this type of access on an Azure feature hey Azure policy can do that it's that guard well those controls I can

have now there is one kind of element I talked about signals to give me context to give me control but those signals can also be really powerful to understand

something bad is happening hey I want to know about there's some security event happening I have to respond to so sure signals give me context that's a

really important thing but there's another thing we like to do and the thing we like to do is this idea of a

Sim and also a saw so a Sim is all about the idea of a security information and event manager I'm going to be able to detect some

security thing is happening and then a s is about the idea of security orchestration automation response do something about it great I

know it's happening do something so for a Simmon s solution when I think about Azure it's Azure

Sentinel now Azure Sentinel actually sits on top of a log analytics workspace so if I think about a Sim the first

thing I have to be able to do obviously is collect if I don't have the information coming in it's useless I have to be able to collect the information so it's all

about connectors now there are native connectors for log analytics workspace but this adds a huge number of additional ones so what the whole point

here is I'm getting feeds of security logs and information from from all over the place sure

Azure sure Azure ad sure Microsoft 365 um lots of thirdparty clouds and applications I can think about CIS logs

I'm getting information from those um CF I'm getting custom logs there's apis so there a just a massive number of connectors available for Azure Central

the more information I get coming in the more different types of signals I can correlate and come to a good conclusion and detect types of behavior so you want to get everything collected into this log Antics workspace some of the

connectors are lore some of them are Azure Sentinel specific once we have the collection well then I can

detect and there's different ways we can have that detection going on so I'm looking for threats based on that data collected now one of the things log analytics workspace does is sure it's a

place to ingest and store the data but it has this idea of kql the custo query language so one of the things the detection does is a whole set of

analytics it can run queries against it it could be a scheduled query a scheduled kql that's looking for a certain set of triggers but there's also things like machine learning based

algorithms looking for nomal is based on some baseline it's generated over a period of time there's Fusion this is a multi-stage advanced attack detection

again using machine learning then there's hunting so hunting is basically a set of kql queries that I can execute I'm looking for certain things

I'm looking for how many times something has occurred has this occurred something I may not want to automatically act on but it's something I want to go and be able to find if I want to I can think

about intelligence there's different types of threat intelligence this could be from Microsoft Microsoft has a whole set of cyber security teams it could be a feed

using tax T ax I I um from other external people and I'm going to map it against the logs maybe this information

is about a set of known bad IPS it's a certain predefined threat signal that I want to act on maybe I'm

using um this user and entity Behavior analytics based on things I'm seeing people doing hey that gives me some

signals and all of these signals might be there's an incident going on so when there's an incident then I want to

investigate now that investigation just do those there's different things I can do I have those incidents I might want to look at a timeline view I might look

at investigation graph I want to be able to track exactly what's happened to these different things from that

incident and then I want to respond there might be a manual response but also I have automation

and there's really two key types of automation we have here we have automation rules now think of these as very simple and easy to

leverage they are some kind of automatic response I want that I can Define through hey um some incident comes in against a certain entity or a certain

type I want to do this I want to email someone I want to raise the severity um I don't have to do much customization there's some trigger

there's some conditions and then some actions I want to take but it it's very predefined it's very simple to use I also have the option of using

playbooks now A playbook is actually using an Azure logic app and logic apps are this really powerful capability

that has all these again types of connectors things it can work with it's a nice flow-based visual representation of the things I'm going to do but I don't really have to have a great

programming background they're very nice um designer based ways to create sets of actions I want to perform now an automation rule

can call actually a Playbook if if I have that there but these are all about hey responses I want to do and with that Playbook like I say I could pretty much do anything I wanted to do at all I have

a whole set of capabilities so the whole point of azure Sentinel is I want to get all of the signals coming into it so then apply these detections to look for

incidents happening it helps me then investigate them automate the responses the whole Sim and saw part of the solution

so huge amounts of stuff there uh I get it but hopefully you saw it wasn't a massive amount of detail on any of them you really need to understand the

capabilities they bring where they fit in the picture but I don't have to have an expertise in how I would go and create a particular policy to do this I

just need to know hey okay uh I need to go and manage things in AWS for example well okay if I want to go and connect to AWS I need Defender for cloud to go and connect to the cloud for example that

can then help me onboard agents automatically and I would use Azure Arc to manage the actual workloads on it okay those things um how would I Define

some control oh Azure policy lets me do that on those Fabrics um understand where they fit in the different parts of the solutions and that's really what

you're looking for piecing the things together to meet some kind of requirement so it's very broad it's not super deep just have that good overall understanding of where different things

fit together take your time again mine was 2 hours I finished in 30 minutes I did rush I didn't pay that much attention to what I was doing but it should give you an indication they're not super long complicated questions um

there were questions where it was like Hey pick the solution which components would I use there were the questions where you can't go back it gives you a scenario does this meet it does this

meet it does this meet it there was the case studies the case studies were nice that really again I didn't read any of them but it would say hey to meet the business requirement to meet the

security requirement so you might just flip over to the security tab okay what is it looking for okay that I didn't even look at the tabs for some of them because really the answers there was

only one answer it was hey oh I should use a policy I don't want to use cheese or um Pizza there was ones that pretty much stood out as pretty obvious so take your time you have time but do pace

yourself don't let yourself get stuck on any particular question if you don't pass now again it's in beta you're not going to find out for a while but if you don't pass you can look at where you're

weak focus on that area and uh you'll get it the next time there is the Microsoft learning path but if you look at it it's really based on A500 I think

sc200 which again goes to show it's not like this is all new information you need for this it's just having a fairly broad knowledge of the all up um security set of solutions so if you've

done A500 already for example you're in a a pretty good place um for a lot of these things but I mean all of them will help to different degrees if you did the MS you probably going to be stronger on the endpoint things Defender for

endpoint it's just going to you're going to be strong on one area already so maybe focus on the other ones to bring that all up General broad knowledge uh as always a ton of work goes into

creating this so I would appreciate a like And subscribe but yeah just good luck don't panic do your best and uh I'll see you at another video soon I
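Added illustration, not part of the video or its transcript: a small Python model of the Sentinel flow the cram walks through (collect, detect with a scheduled-style rule and a threat-intel match, raise incidents, then let an automation rule act on them). Every sign-in record, IP indicator and the VIP list are constructed placeholders, not real data or Sentinel's own code.

```python
"""Toy SIEM/SOAR flow: collect -> detect -> incident -> automation rule.
Constructed sample data only; nothing here talks to Azure."""
from collections import Counter
from dataclasses import dataclass, field

# Constructed sign-in records, standing in for what a connector lands in the workspace.
SIGNIN_LOGS = [
    {"user": "alice", "ip": "203.0.113.10", "result": "failure"},
    {"user": "alice", "ip": "203.0.113.10", "result": "failure"},
    {"user": "alice", "ip": "203.0.113.10", "result": "failure"},
    {"user": "alice", "ip": "203.0.113.10", "result": "success"},
    {"user": "bob", "ip": "198.51.100.7", "result": "success"},
    {"user": "carol", "ip": "192.0.2.44", "result": "success"},
]
# Constructed indicator set, standing in for a TAXII feed of known-bad IPs.
THREAT_INTEL_IPS = {"198.51.100.7"}


@dataclass
class Incident:
    title: str
    entity: str
    severity: str
    tags: list = field(default_factory=list)


def scheduled_rule_failed_signins(logs, threshold=3):
    """Scheduled-analytics style rule: N or more failures followed by a success
    for the same user/IP pair raises a Medium incident."""
    failures = Counter((r["user"], r["ip"]) for r in logs if r["result"] == "failure")
    successes = {(r["user"], r["ip"]) for r in logs if r["result"] == "success"}
    return [Incident(f"Repeated failures then success from {ip}", user, "Medium")
            for (user, ip), n in failures.items()
            if n >= threshold and (user, ip) in successes]


def threat_intel_rule(logs, indicators):
    """Threat-intel mapping rule: any sign-in from an indicator IP is High."""
    return [Incident(f"Sign-in from known-bad IP {r['ip']}", r["user"], "High")
            for r in logs if r["ip"] in indicators]


def automation_rule(incident, vip_users=("alice",)):
    """Automation rule: trigger (incident created) -> condition (entity is a VIP,
    a constructed list) -> actions (raise severity, tag). No playbook needed."""
    if incident.entity in vip_users:
        incident.severity = "High"
        incident.tags.append("vip-account")
    return incident


def run_pipeline(logs=SIGNIN_LOGS, indicators=THREAT_INTEL_IPS):
    """Run every detection over the collected logs, then every automation rule."""
    incidents = scheduled_rule_failed_signins(logs) + threat_intel_rule(logs, indicators)
    return [automation_rule(i) for i in incidents]
```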
