Exam AZ-500 topic 4 question 61 discussion

Logs analytics agent and Sentinel data connector https://docs.microsoft.com/en-us/azure/sentinel/connect-cef-agent?tabs=rsyslog

An Azure Log Analytics agent on a Linux virtual machine Sentinel Connector

NOTE: The CEF/Syslog collection method using a Linux VM as a forwarder is now considered a legacy approach. The current recommended method is to use Azure Arc-enabled servers with the Azure Monitor agent (AMA) for collecting CEF/Syslog logs from network appliances. Answer: Subscription1: An Azure Log Analytics agent on a Linux virtual machine Subscription2: A new Azure Sentinel data connector Reason: - Subscription1, we need a Linux VM with the Log Analytics agent to act as a CEF forwarder for the NVA's security events - Subscription2, which contains the Sentinel workspace, we need to configure a Sentinel data connector to receive the CEF logs Reference: https://learn.microsoft.com/en-us/azure/sentinel/connect-common-event-format https://learn.microsoft.com/en-us/azure/sentinel/connect-log-forwarder

Subscription 1: Set up Event Hub Namespace to collect CEF messages from the NVA. Subscription 2: Set up Azure Sentinel Data Connector to pull data from the Event Hub in Subscription 1. Event Hub Namespace: The Event Hub will collect the CEF messages from the NVA. Why?: You need an Event Hub to ingest CEF logs from the NVA in Subscription 1, as CEF messages are typically sent to a centralized event hub. Event Hub can handle high-throughput events and stream them for further processing. Azure Sentinel Data Connector: Sentinel provides a specific data connector for Event Hub logs that can pull logs from Event Hub into the Sentinel workspace. Why?: You need to connect Azure Sentinel to the Event Hub in Subscription 1 to collect the CEF logs. The Azure Sentinel Data Connector will enable this integration.

CEF= Linux VM Hence answer is An Azure Log Analytics agent on a Linux virtual machine Sentinel Connector Link: https://learn.microsoft.com/en-us/azure/sentinel/connect-common-event-format

Logs analytics agent and Sentinel data connector https://docs.microsoft.com/en-us/azure/sentinel/connect-cef-agent?tabs=rsyslog

YOU NEED AGENT ON THE NVA WHICH IS SENDING DATA IN CEF WHICH IS CLASSIC FOR LINUX AND THE DATA CONNECTOR ON THE SENTINEL SIDE WHICH IS NEEDED FOR IT TO CONNECT TO THE AGENT. EVERYTHING ELSE IS THERE TO THROW YOU OFF.

On an exam on 7/8/23, Log analytics agent sentinel connector

https://learn.microsoft.com/en-us/azure/sentinel/connect-common-event-format Linux VM with LAA Azure Sentinel Workspace (LAW)

1. Azure Log Analytics agent 2. Azure Sentinel data connector https://learn.microsoft.com/en-us/azure/sentinel/connect-cef-ama

An Azure Log Analytics agent on a Linux virtual machine A new Azure Sentinel Data Connector

In exam 11/02/2023. This is the correct answer.

I don't see a Linux VM in the resources, so not sure why that is an option for 1. And if you don't have that option, then you need workspace.

1st box: An Azure Log Analytics agent on a Linux virtual machine 2nd box: A new Azure Log Analytics workspace This is somewhat confusing but I believe the above answers are correct because the Azure LA agent can stream directly to Sentinel without need of a Sentinal connector. And, Sentinel needs a LA workspace to store its data into.

Log Analytics Agent & workspace

Answer provided is wrong Box 1 You need an Azure log analytics Agent Box 2 you need a data connector

https://docs.microsoft.com/en-us/azure/sentinel/connect-common-event-format Box1: log analytics agent Box2: sentiner data connector