You are using Azure Defender and Azure Sentinel to protect your cloud workloads and monitor your environment.
You need to use the Kusto Query Language (KQL) to construct a query that identifies Azure Defender alerts.
What query should you write to meet these requirements? To answer, complete the query by selecting the correct options from the drop-down menus.
Correct Answer: B
You should complete the query as follows:

```kql
SecurityAlert
| where ProductName == "Azure Security Center"
```

This completes a basic query to identify all security alerts in Azure Security Center.
Placing SecurityAlert first queries the SecurityAlert table, and then using `| where ProductName == "Azure Security Center"` afterwards ensures that in that SecurityAlert table you are only looking for entries where the ProductName column has a value of Azure Security Center. From here, you can expand.
For example, you could use KQL to specify time frames or specific devices to query.
Kusto Query Language (KQL) is the language you will use when building queries in Azure Sentinel.
Queries serve as a way to search through the massive amount of data Azure Sentinel has access to.
You should not begin the query with Azure Security Center.
The structure of a query requires that you first identify the key table you will be querying.
The SecurityAlert table includes the security alerts that are being digested by Azure Sentinel.
You should first query this table, then narrow the search to the alerts coming from the Azure Security Center product.
You should not begin the query with Azure Sentinel.
Again, the structure of a query requires that you first identify the key table you will be querying.
In this case, that would be the SecurityAlert table.
More importantly, while Azure Sentinel is the solution aggregating this data and performing the query, it should not be used as the ProductName.
This should be specified as the Azure Security Center.
You should not end the query with Azure Sentinel.
As mentioned in the paragraph above, the ProductName (solution source) for the SecurityAlert (alerts) table you should query is Azure Security Center.
The query would be run in Azure Sentinel, but do not confuse the solution being queried with the one running the query.
You should not end the query with SecurityAlert.
Here you need to name the solution you want to query.
In this case, that is Azure Security Center.
SecurityAlert would not be a valid ProductName.
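The answer above notes that the basic query can be expanded with time frames or specific devices. The following is an added example, not part of the original answer, that narrows SecurityAlert by product, lookback window, severity and affected resource, then summarizes the attacker IP entities per resource. Column names are those of the Azure Sentinel SecurityAlert schema; the host name `vm-web-01` is a constructed placeholder.

```kql
// Added example: Azure Security Center alerts from the last 7 days,
// High/Medium severity, scoped to one resource, summarized per source IP.
let lookback = 7d;
let target_host = "vm-web-01";   // constructed placeholder, not a real host
SecurityAlert
| where TimeGenerated > ago(lookback)
// Same product filter as the basic query; Sentinel is the SIEM, not the product
| where ProductName == "Azure Security Center"
| where AlertSeverity in ("High", "Medium")
// CompromisedEntity holds the affected resource (host, storage account, ...)
| where CompromisedEntity has target_host
// Entities is a JSON string; expand it to reach individual entity objects
| extend EntityList = parse_json(Entities)
| mv-expand Entity = EntityList
| where tostring(Entity.Type) == "ip"
| summarize AlertCount = count(),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated),
            AlertNames = make_set(AlertName)
  by CompromisedEntity, SourceIp = tostring(Entity.Address)
| order by AlertCount desc
```

Dropping the `CompromisedEntity` filter turns this into a tenant-wide view of which source IPs trigger the most Azure Security Center alerts, which is a useful starting point for a scheduled analytics rule.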
The correct answer to this question is "A. Azure Security Center".
Azure Defender (previously known as Azure Security Center) is a cloud security posture management service that provides unified security management and advanced threat protection for hybrid cloud workloads. Azure Sentinel is a cloud-native security information and event management (SIEM) solution that provides intelligent security analytics across your entire enterprise.
To identify Azure Defender alerts using Kusto Query Language (KQL), we need to use the SecurityAlert table in the Azure Defender data model. This table contains information about all the security alerts generated by Azure Defender.
The KQL query to identify Azure Defender alerts would look something like this:

```kql
SecurityAlert | where ProviderName == "Azure Defender"
```
The above query will filter out all the security alerts generated by Azure Defender by using the "where" operator to filter the ProviderName column for the value "Azure Defender". This will return all the alerts generated by Azure Defender.
Option A. Azure Security Center is the correct option, as it represents the actual name of the service. Option B. Security Alert is a generic term for any alert generated by a security system, so it does not provide any specific information about Azure Defender alerts. Option C. Azure Security Sentinel is the incorrect option, as it represents a different service altogether. Option D. Security Events is a generic term for any security-related event, so it does not provide any specific information about Azure Defender alerts.