Deploy Vulnerability Scanner Extension to Azure Virtual Machines | AZ-500 Exam Question | Microsoft Azure Security Technologies

Azure Resource Manager Template

Question

You have an Azure subscription that contains 100 virtual machines and has Azure Security Center Standard tier enabled.

You plan to perform a vulnerability scan of each virtual machine.

You need to deploy the vulnerability scanner extension to the virtual machines by using an Azure Resource Manager template.

Which two values should you specify in the code to automate the deployment of the extension to the virtual machines? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

Answers

Explanations


AC

To deploy the vulnerability scanner extension to the virtual machines using an Azure Resource Manager template, you need to specify the following two values in the code:

B. The Workspace ID: This value represents the Azure Log Analytics workspace that Security Center uses to store security-related data. When you enable Security Center, a Log Analytics workspace is created automatically in your subscription. You can obtain the Workspace ID from the Log Analytics workspace overview page in the Azure portal. The Workspace ID should be specified in the extension code to ensure that the vulnerability scan data is sent to the correct workspace.

E. The System-assigned Managed Identity: This value represents an automatically generated identity in Azure AD that is associated with the virtual machine. By using this identity, you can grant the virtual machine access to Azure resources without requiring credentials to be stored in the virtual machine. To enable the system-assigned managed identity for a virtual machine, you need to specify the identity in the ARM template code.

Here is an example ARM template code that can be used to deploy the vulnerability scanner extension to the virtual machines:

```json
{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "name": "VulnerabilityScanner",
  "apiVersion": "2019-03-01",
  "location": "[resourceGroup().location]",
  "dependsOn": [
    "[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]"
  ],
  "properties": {
    "publisher": "Microsoft.Azure.Security",
    "type": "IaaSVulnerabilityAssessment",
    "typeHandlerVersion": "1.0",
    "autoUpgradeMinorVersion": true,
    "settings": {
      "workspaceId": "[parameters('workspaceId')]",
      "vmResourceId": "[resourceId('Microsoft.Compute/virtualMachines', variables('vmName'))]"
    },
    "protectedSettings": {
      "managedIdentity": {
        "type": "SystemAssigned"
      }
    }
  }
}
```

In the above code, the Workspace ID is specified in the settings section, and the system-assigned managed identity is specified in the protectedSettings section.
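The snippet above covers a single VM named by a variable. The question asks about automating the rollout across 100 machines, so the following complete template is an added example (not part of the original page or of any Microsoft sample) that wraps the same extension resource in a copy loop over an array of VM names. It assumes the VMs already exist in the target resource group, so no dependsOn is needed; the VM names and the workspace ID default are constructed placeholders, and the publisher, type and settings keys are carried over from the snippet above rather than verified against a published extension.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vmNames": {
      "type": "array",
      "defaultValue": ["vm-web-01", "vm-web-02", "vm-db-01"],
      "metadata": {
        "description": "Constructed sample names of existing VMs in this resource group; one extension is deployed per name."
      }
    },
    "workspaceId": {
      "type": "string",
      "defaultValue": "00000000-0000-0000-0000-000000000000",
      "metadata": {
        "description": "Placeholder Log Analytics workspace ID; replace with the value from the workspace overview page."
      }
    }
  },
  "resources": [
    {
      "comments": "One child extension per VM; the name must be '<vmName>/<extensionName>'. Publisher, type and settings keys are taken from the example above and are assumptions, not a verified extension definition.",
      "type": "Microsoft.Compute/virtualMachines/extensions",
      "apiVersion": "2019-03-01",
      "name": "[concat(parameters('vmNames')[copyIndex()], '/VulnerabilityScanner')]",
      "location": "[resourceGroup().location]",
      "copy": {
        "name": "scannerLoop",
        "count": "[length(parameters('vmNames'))]"
      },
      "properties": {
        "publisher": "Microsoft.Azure.Security",
        "type": "IaaSVulnerabilityAssessment",
        "typeHandlerVersion": "1.0",
        "autoUpgradeMinorVersion": true,
        "settings": {
          "workspaceId": "[parameters('workspaceId')]",
          "vmResourceId": "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmNames')[copyIndex()])]"
        },
        "protectedSettings": {
          "managedIdentity": {
            "type": "SystemAssigned"
          }
        }
      }
    }
  ],
  "outputs": {
    "deployedExtensions": {
      "type": "array",
      "copy": {
        "count": "[length(parameters('vmNames'))]",
        "input": "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('vmNames')[copyIndex()], 'VulnerabilityScanner')]"
      }
    }
  }
}
```

Deploying it once with `az deployment group create --resource-group <rg> --template-file scanner.json --parameters vmNames='["vm-web-01","vm-web-02"]' workspaceId=<id>` installs the extension on every listed VM, and the output lists the extension resource IDs so the rollout can be verified against the inventory. The same parameter array scales to the 100 machines in the question, and the workspace ID is supplied once rather than hard-coded per VM.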

Note that before deploying the extension to the virtual machines, you need to ensure that the virtual machines are running and that the Azure Security Center Standard tier is enabled in your subscription. Also, you should make sure that the Log Analytics workspace has sufficient capacity to store the scan data generated by the extension.