Exam SC-200 topic 2 question 34 discussion

Actual exam question from Microsoft's SC-200
Question #: 34
Topic #: 2

You have an Azure subscription that uses Microsoft Defender for Cloud and contains a storage account named storage1.

You receive an alert that there was an unusually high volume of delete operations on the blobs in storage1.

You need to identify which blobs were deleted.

What should you review?

  • A. the activity logs of storage1
  • B. the Azure Storage Analytics logs
  • C. the alert details
  • D. the related entities of the alert
Suggested Answer: B

Comments

RodrigoLima
Highly Voted 2 years, 5 months ago
Selected Answer: B
Seems like the answer is actually correct. "Azure Storage Analytics performs logging and provides metrics data for a storage account. You can use this data to trace requests, analyze usage trends, and diagnose issues with your storage account."
upvoted 15 times
...
imhere4you
Highly Voted 2 years ago
On exam - 19 June 2023
upvoted 7 times
Bit_Shady
3 months ago
Still recent, on exam (25 Mar 2025)
upvoted 4 times
...
...
sdbol
Most Recent 1 month, 2 weeks ago
Selected Answer: B
B - To identify which blobs were deleted from a storage account like storage1, you need to review Azure Storage Analytics logs, specifically the Blob service logs. These logs provide detailed information about:
  • REST API operations (e.g., DeleteBlob)
  • Request timestamps
  • Caller IP addresses
  • Authentication types
  • Target blob URIs
This is the only logging mechanism that captures per-blob operations, including deletes, which is what you need in this scenario. D is not correct because, although it might show the user or IP address involved, it does not show the specific blobs affected.
upvoted 2 times
sdbol
1 month, 2 weeks ago
A - After much deliberation, it looks like I am going with A. This is from Co-pilot: While Azure Storage Analytics logs do track operations for Blob, Queue, and Table services, the key distinction here is what data they capture versus what the activity logs provide.
Why Activity Logs Were the Best Answer:
- Storage Analytics logs track individual requests, such as reads, writes, and errors, but they don’t provide a direct list of deleted blobs in an accessible format.
- Azure Activity Logs, however, record administrative actions, such as deletion events, making them more useful for identifying which blobs were deleted and who deleted them.
upvoted 1 times
...
...
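Added example, not part of any comment on this page: a parser that pulls the fields named in sdbol's first comment (operation, timestamp, caller IP, authentication type, target blob URI) out of classic Storage Analytics log entries and lists the successful `DeleteBlob` requests. It assumes log format version 1.0 (semicolon-delimited, quoted fields HTML-encoded); the sample entries, the `_entry` helper and the function names are constructed for illustration.

```python
import csv
import html
from collections import Counter

# First 16 fields of a Storage Analytics log entry, format version 1.0.
FIELDS = ["version", "start_time", "operation", "status", "http_status",
          "e2e_ms", "server_ms", "auth_type", "requester_account",
          "owner_account", "service", "url", "object_key", "request_id",
          "operation_count", "requester_ip"]

def _entry(n, op, status, http, auth, path, ip, query=""):
    """Build one constructed log line (sample data, not a real log)."""
    acct = "storage1" if auth == "authenticated" else ""
    url = f"https://storage1.blob.core.windows.net/{path}{query}"
    return (f'1.0;2024-05-01T10:00:{n:02d}.0000000Z;{op};{status};{http};12;11;'
            f'{auth};{acct};storage1;blob;"{url}";"/storage1/{path}";req-{n};0;'
            f'{ip};2021-08-06;400;0;300;0;0;;;;;;"sample-agent/1.0 (Linux; x86_64)";;')

SAMPLE_LOG = "\n".join([
    _entry(1, "GetBlob", "Success", 200, "authenticated", "invoices/a.pdf", "198.51.100.7:40000"),
    _entry(2, "DeleteBlob", "Success", 202, "authenticated", "invoices/a.pdf", "203.0.113.10:50122"),
    _entry(3, "DeleteBlob", "SASSuccess", 202, "sas", "invoices/b.pdf", "203.0.113.10:50123",
           "?sv=2021-08-06&amp;sig=XXXXX"),
    _entry(4, "DeleteBlob", "ClientOtherError", 404, "authenticated", "invoices/missing.pdf",
           "203.0.113.10:50124"),
])

def deleted_blobs(log_text):
    """Return time, blob URL, auth type and caller IP for each successful DeleteBlob."""
    hits = []
    # csv handles the quoted fields; a plain split(";") breaks on "&amp;" and user agents.
    for row in csv.reader(log_text.splitlines(), delimiter=";", quotechar='"'):
        if len(row) < len(FIELDS) or row[0] != "1.0":
            continue  # blank, truncated, or another log version
        e = dict(zip(FIELDS, row))
        if e["operation"] != "DeleteBlob" or not e["http_status"].startswith("2"):
            continue  # other operations, or deletes that failed (e.g. 404)
        hits.append({
            "time": e["start_time"],
            # Quoted fields are HTML-encoded; decode, then drop any SAS query string.
            "blob": html.unescape(e["url"]).split("?", 1)[0],
            "auth": e["auth_type"],
            "ip": e["requester_ip"].rsplit(":", 1)[0],  # strip the source port
        })
    return hits

def deletes_per_ip(hits):
    """Count successful deletes per caller IP."""
    return Counter(h["ip"] for h in hits)
```

On the constructed sample, `deleted_blobs(SAMPLE_LOG)` returns the two blobs that were actually removed and skips both the read and the failed delete.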
Edindude
4 months, 2 weeks ago
Selected Answer: B
Co-pilot states: To identify which blobs were deleted in the storage account named storage1 after receiving an alert about an unusually high volume of delete operations, you should review:
B. the Azure Storage Analytics logs
These logs provide detailed information about the operations performed on the storage account, including which blobs were deleted.
upvoted 1 times
...
xRiot007
5 months, 1 week ago
Selected Answer: D
There are multiple correct answers, but the one that will make your life easiest is D - looking into the related entities of the alert (whatever those entities might be, in this case, some blobs)
upvoted 2 times
...
trut_hz
5 months, 2 weeks ago
Selected Answer: B
Why not the other options?
A. The activity logs of storage1: Activity logs in Azure provide information about management operations (e.g., changes to storage account configurations) but do not include detailed data about data plane operations like blob deletions.
C. The alert details: The alert details provide metadata about the unusual activity, such as the time of the anomaly and the scope of the operations, but they do not list individual blobs or the specific details of what was deleted.
D. The related entities of the alert: The "related entities" feature helps identify resources, users, or IPs connected to the alert but does not provide details about the deleted blobs themselves.
upvoted 1 times
...
HAjouz
6 months, 2 weeks ago
Selected Answer: A
Activity logs offer a more precise and reliable way to identify the deleted blobs because they capture detailed information about each operation performed on the storage account. By analyzing these logs, you can pinpoint the exact blobs that were deleted, the time of deletion, and potentially the user or process responsible.
upvoted 5 times
...
talosDevbot
9 months ago
Selected Answer: D
D) "Related entities" of the alert.
Question is saying you need to identify the blob involved in the alert you just received. Each alert in Defender for Cloud has a "Related entities" section. 'Entities' can be users, IP addresses, Resource ID, Hostname, File, Process. In this case, the Related entities section will have the resource ID of the blob related to the alert.
upvoted 2 times
...
user636
10 months, 1 week ago
Selected Answer: D
The answer is D.
upvoted 1 times
...
user636
10 months, 1 week ago
The answer is D. Related entities will have the details of the blobs that were deleted. The alert details do not give the name of the blobs, but will only list the "Operations" that were performed. In this scenario, the operation name is "Storage.Blob_DeletionAnomaly". (Ref: https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-azure-storage#unusual-deletion-in-a-storage-account) The question expects you to use the tool "Microsoft Defender for Cloud", so try to stick with the options/features provided by the tool & not the complete Azure platform.
upvoted 1 times
...
Sekpluz
1 year ago
Selected Answer: D
https://learn.microsoft.com/en-us/azure/defender-for-cloud/managing-and-responding-alerts#respond-to-security-alerts
upvoted 2 times
...
Sneekygeek
1 year, 2 months ago
Selected Answer: D
Under the alert details there is a related entities field which will tell you which resources are related to the alert. I would definitely start here before I dove blindly into the logs. https://learn.microsoft.com/en-us/azure/defender-for-cloud/managing-and-responding-alerts#respond-to-security-alerts
upvoted 1 times
...
ostralo
1 year, 3 months ago
The answer is D. When you open an Alert (Delete operations on the blobs in storage 1): when you open the alert by clicking "View full details", it shows you the Alert details tab. If you scroll down, you will find the "Related entities" section. It shows Azure Resource (Resource ID, Subscription ID), Blob container (Name, Storage resource), etc. It doesn't make sense that the alert doesn't provide the blob container name.
upvoted 2 times
...
Gurulee
1 year, 5 months ago
To identify deleted blobs in Azure Blob Storage, you can enable Storage Analytical logs. These logs contain details of each and every operation, including the ones that delete blobs.
upvoted 1 times
...
chepeerick
1 year, 8 months ago
Correct
upvoted 1 times
...
NICKTON81
1 year, 9 months ago
Selected Answer: D
D - Related Entities https://learn.microsoft.com/en-us/azure/defender-for-cloud/managing-and-responding-alerts#respond-to-security-alerts
upvoted 3 times
...
mali1969
1 year, 9 months ago
Selected Answer: D
The activity logs of storage1 and the Azure Storage Analytics logs are not sufficient to identify the deleted blobs, as they only provide general information about the operations performed on the storage account. The alert details provide more specific and contextual information about the activity and the related entities.
upvoted 3 times
mali1969
1 year, 9 months ago
The related entities are the objects that are involved in or affected by the activity, such as blobs, containers, files, shares, directories, etc. You can use the related entities to identify which blobs were deleted in your storage account
upvoted 2 times
...
...