Exam AZ-500 topic 4 question 19 discussion

Azure Sentinel is built on top of a Log Analytics workspace(ref: https://docs.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants). Windows Firewall requires a Log Analytics Agent( or MMA) which again logs to a log analytic workspace. Although at first it it might appear that only VM1 and VM3 can be monitored by Sentinel, it is not correct. VM2 and VM4 can be monitored by Sentinel too by simply configuring the Log Analytics Agent to forward to Workspace1 in addition to Workspace2. If the machines were Linux VMs rather than Windows VMs this wouldn't be possible as multi-homing Linux VMs to multiple Log Analytics workspace is not supported( this limitation goes away with Azure Monitoring Agent( latest agent that will eventually replace Log Analytics Agent). HTH Answer - all 4 VMs.

Given answer is correct. It is true that VMs are connected to different workspaces, but you can always install the "Windows Firewall" data connector to those VMs from Azure Sentinel.

You should avoid sending duplicate data to multiple workspaces because of the extra charges, but you might have virtual machines connected to multiple workspaces. The most common scenario is an agent connected to separate workspaces for Azure Monitor and Microsoft Sentinel. Azure Monitor Agent and the Log Analytics agent for Windows can connect to multiple workspaces. The Log Analytics agent for Linux can only connect to a single workspace. If you use the Log Analytics agent for Linux: Migrate to Azure Monitor Agent or ensure that your Linux machines only require access to a single workspace.

C. VM1, VM2, VM3, and VM4

The answer is correct

I think the "can connect" is important. Even though the other VMs aren't connected to a workspace with/without Sentinel. Now if it's asking which machines "are connected" then it's a different story.

ALL.... C. VM1, VM2, VM3, and VM4

Answer is correct. The Log Analytics agent sends data to a Log Analytics workspace in Azure Monitor. The Windows agent can be multihomed to send data to multiple workspaces and System Center Operations Manager management groups.

I've tested the case. You can add only VM2 and VM4. Other VMs also could be added by disconnecting them from the existing workspace.

All VM's

The Windows Defender Firewall with Advanced Security connector allows Azure Sentinel to easily ingest Windows Defender Firewall with Advanced Security logs from any Windows machines in your workspace.

It does not matter where the VM is currently connected, you can deploy agents and have them connect to the Sentinel workspace at anytime. They are not suck in Workspace2 forever lol

For physical and virtual machines, you can install the Log Analytics agent that collects the logs and forwards them to Azure Sentinel. For Firewalls and proxies, Azure Sentinel installs the Log Analytics agent on a Linux Syslog server, from which the agent collects the log files and forwards them to Azure Sentinel. I think, you just need to install the log analytics agents on the VM's to send the data to Sentinel

Answer wrong. Should be VM2 and VM4. https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-firewall The Windows Defender Firewall with Advanced Security connector allows Azure Sentinel to easily ingest Windows Defender Firewall with Advanced Security logs from any Windows machines in your workspace.

Is this question even correct? The linked doc says Prerequisites: You must have read and write permissions on the workspace to which the machines you wish to monitor are connected. If the machines are not connected to the workspace, then how will the Log Analytics agent send the data and Sentinel sits on top of Log Analytics Workspace.

I will also go with the given answer. You do not need a workspace to connect to Sentinel. So the mere fact the other VMs are not on workspace does not meas they cant be connected to Sentinel. You can connect VMS to Sentinel through data connectors by installing agents on the Windows virtual machine. https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-firewall

This should be B, as Sentinel is only connected to Workspace1. For this to work we would either need to replace with Workspace1 on VM2 and VM4 or connect Sentinel to Workspace1. https://docs.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants