[Microsoft] SC-100 - Cybersecurity Architect Expert Exam Dumps & Study Guide
The Microsoft Cybersecurity Architect (SC-100) is the premier certification for security professionals who want to demonstrate their expertise in designing and managing robust, enterprise-grade security architectures using Microsoft's security solutions. As organizations face increasingly frequent and complex cyber threats, the ability to design scalable, secure, and resilient architectures has become a highly sought-after skill. The SC-100 validates your expert-level knowledge of Microsoft's security, compliance, and identity solutions. It is an essential milestone for any professional looking to lead at the highest levels of cybersecurity strategy and architecture.
Overview of the Exam
The SC-100 exam is a rigorous assessment that covers the design and implementation of security solutions using Microsoft's security portfolio. It is a 120-minute exam consisting of approximately 40-60 questions. The exam is designed to test your knowledge of security architecture principles and your ability to apply them to real-world scenarios. From analyzing security requirements and designing identity and access management solutions to ensuring data protection, application security, and incident response, the SC-100 ensures that you have the skills necessary to build modern, secure enterprise environments. Achieving the SC-100 certification proves that you are a highly skilled professional who can handle the technical demands of cybersecurity architecture.
Target Audience
The SC-100 is intended for senior security professionals who have a deep understanding of Microsoft's security solutions and enterprise architecture. It is ideal for individuals in roles such as:
1. Cybersecurity Architects
2. Security Engineers
3. Solutions Architects
4. Chief Information Security Officers (CISOs)
5. IT Managers and Directors
To qualify for the Microsoft Certified: Cybersecurity Architect Expert certification, candidates must have already achieved at least one of the Microsoft security-related associate-level certifications and pass the SC-100 exam.
Key Topics Covered
The SC-100 exam is organized into several main domains:
1. Design a Zero Trust strategy and architecture (30-35%): designing and implementing Zero Trust principles across the organization.
2. Evaluate Governance, Risk, and Compliance (GRC) technical strategies and security operations strategies (20-25%): designing strategies for security governance, risk management, and security operations.
3. Design security for infrastructure (20-25%): designing secure network, compute, and storage infrastructure.
4. Design a strategy for data and applications (20-25%): designing data protection and application security solutions.
Microsoft revises the skills outline periodically, so check the current SC-100 exam page for the domains and weights in force on your exam date.
Benefits of Getting Certified
Earning the SC-100 certification provides several significant benefits. First, it offers industry recognition of your expertise in Microsoft's security technologies; because Microsoft is a leader in the security industry, these skills are in high demand across the globe. Second, it can lead to senior career opportunities and higher salary potential in a variety of roles. Third, it demonstrates your commitment to professional excellence and your dedication to staying current with cybersecurity architecture practice. By holding this certification, you join a global community of Microsoft professionals and gain access to exclusive resources and continuing education opportunities.
Why Choose NotJustExam.com for Your SC-100 Prep?
The SC-100 exam is challenging and requires a deep understanding of Microsoft's complex security features and architectural principles. NotJustExam.com is the best resource to help you master this material. Our platform offers an extensive bank of practice questions that are designed to mirror the actual exam’s format and difficulty.
What makes NotJustExam.com stand out is our focus on interactive logic and the accuracy of our explanations. We don’t just provide a list of questions; we provide a high-quality learning experience. Every question in our bank includes an in-depth, accurate explanation that helps you understand the architectural reasoning behind the correct solution. This ensures that you are truly learning the material and building the confidence needed to succeed on the exam. Our content is regularly updated by subject matter experts to reflect the latest Microsoft security features and architectural trends. With NotJustExam.com, you can approach your SC-100 exam with the assurance that comes from thorough, high-quality preparation. Start your journey toward becoming a Certified Cybersecurity Architect today with us!
Free [Microsoft] SC-100 - Cybersecurity Architect Expert Practice Questions Preview
-
Question 1
Your company has a Microsoft 365 E5 subscription.
The Chief Compliance Officer plans to enhance privacy management in the working environment.
You need to recommend a solution to enhance the privacy management. The solution must meet the following requirements:
✑ Identify unused personal data and empower users to make smart data handling decisions.
✑ Provide users with notifications and guidance when a user sends personal data in Microsoft Teams.
✑ Provide users with recommendations to mitigate privacy risks.
What should you include in the recommendation?
- A. communication compliance in insider risk management
- B. Microsoft Viva Insights
- C. Privacy Risk Management in Microsoft Priva
- D. Advanced eDiscovery
Correct Answer:
C
Explanation:
I agree with the suggested answer C, which is Privacy Risk Management in Microsoft Priva.
Reasoning: The three requirements map directly onto the policy types in Microsoft Priva Privacy Risk Management. Identifying unused personal data and prompting its owners to act on it is the data minimization policy; notifying and guiding a user who sends personal data in a Teams message is the data transfers policy (a data overexposure policy covers personal data that is shared too broadly); and the user-facing recommendations to reduce exposure are the remediation actions these policies surface. None of the other options is a privacy management tool.
Why other options are not suitable:
- A. Communication compliance in insider risk management: Communication compliance detects inappropriate or non-compliant messages (harassment, regulatory violations, and similar). It does not inventory unused personal data or coach users on handling it, so it does not meet the stated requirements.
- B. Microsoft Viva Insights: Viva Insights reports on work patterns, productivity, and wellbeing. It has no privacy risk management features.
- D. Advanced eDiscovery: eDiscovery identifies, preserves, and collects content for legal investigations. It does not proactively manage privacy risks or provide user guidance.
Citations
- Microsoft Priva, https://learn.microsoft.com/en-us/privacy/priva/
-
Question 2
You have an Azure subscription that has Microsoft Defender for Cloud enabled.
Suspicious authentication activity alerts have been appearing in the Workload protections dashboard.
You need to recommend a solution to evaluate and remediate the alerts by using workflow automation. The solution must minimize development effort.
What should you include in the recommendation?
- A. Azure Monitor webhooks
- B. Azure Event Hubs
- C. Azure Functions apps
- D. Azure Logic Apps
Correct Answer:
D
Explanation:
I agree with the suggested answer (D).
The best solution is to use Azure Logic Apps for workflow automation to evaluate and remediate the suspicious authentication activity alerts.
Reasoning:
- Azure Logic Apps are designed for automating workflows and integrating services with little or no code. They provide a visual designer and prebuilt connectors, including a trigger that fires when a Microsoft Defender for Cloud alert or recommendation is created.
- Defender for Cloud's workflow automation feature lets you bind a logic app to alerts and recommendations so that it runs automatically. The logic app can then evaluate the alert payload and act on it, for example by notifying a channel, disabling an account, isolating the affected resource, or opening a ticket.
- The question emphasizes minimizing development effort, and the no-code/low-code approach of Logic Apps is the most efficient way to achieve this.
Reasons for not choosing other options:
- A. Azure Monitor webhooks: Webhooks can trigger actions, but they require more custom development to handle the alert data and integrate with other services. They aren't as streamlined for workflow automation as Logic Apps.
- B. Azure Event Hubs: Event Hubs are used for ingesting and processing large streams of data. While they can be used to capture security alerts, they don't provide built-in workflow automation capabilities.
- C. Azure Functions apps: Azure Functions allow you to run code in response to events. Like webhooks, they require more development effort to implement workflow automation compared to Logic Apps.
Citations:
- Workflow automation in Microsoft Defender for Cloud, https://learn.microsoft.com/en-us/azure/defender-for-cloud/workflow-automation
-
Question 3
Your company is moving a big data solution to Azure.
The company plans to use the following storage workloads:
✑ Azure Storage blob containers
✑ Azure Data Lake Storage Gen2
✑ Azure Storage file shares
✑ Azure Disk Storage
Which two storage workloads support authentication by using Azure Active Directory (Azure AD)? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
- A. Azure Storage file shares
- B. Azure Disk Storage
- C. Azure Storage blob containers
- D. Azure Data Lake Storage Gen2
Correct Answer:
CD
Explanation:
Based on the question and the discussion, the recommended answer is C and D (Azure Storage blob containers and Azure Data Lake Storage Gen2).
Reasoning:
Both blob containers and Data Lake Storage Gen2 (which is built on blob storage) natively support data-plane authorization with Azure Active Directory (Azure AD, now Microsoft Entra ID): the client obtains an OAuth 2.0 access token for Azure Storage, and Azure role-based access control (RBAC) roles such as Storage Blob Data Reader or Storage Blob Data Contributor decide what the identity may do. Data Lake Storage Gen2 additionally evaluates POSIX-style ACLs when no RBAC role grants the operation.
Azure AD authentication removes shared keys and SAS tokens from the design, centralizes access management, and gives you a per-identity audit trail, which simplifies security management and compliance.
Why the other options are not the primary choices:
Azure Files does support identity-based authentication, but only over SMB and only for domain-joined identities (on-premises AD DS, Azure AD Domain Services, or Azure AD Kerberos for hybrid users), which is Kerberos rather than the direct Azure AD token model used by blobs and Data Lake Storage Gen2. Azure Disk Storage has no data-plane identity model at all: Azure RBAC only governs management operations on the disk resource, and access to the data on the disk is controlled by the VM it is attached to.
The question asks for storage workloads that directly support authentication using Azure AD, which makes Azure Storage blob containers and Azure Data Lake Storage Gen2 the accurate choices.
- Suggested Answer: CD
- Reason for choosing CD: blob containers and Data Lake Storage Gen2 accept Azure AD tokens and apply Azure RBAC (plus ACLs for Data Lake Storage Gen2) directly on the data plane.
- Reason for not choosing A (Azure Storage file shares): identity-based access to Azure Files is Kerberos over SMB through AD DS, Azure AD DS, or Azure AD Kerberos, not a direct Azure AD token.
- Reason for not choosing B (Azure Disk Storage): no data-plane Azure AD authentication; access to disk contents is managed at the VM level.
Citations:
- Azure Storage authentication overview, https://learn.microsoft.com/en-us/azure/storage/common/storage-auth
- Use Azure Active Directory to authorize access to blobs and queues, https://learn.microsoft.com/en-us/azure/storage/common/storage-auth-aad
- Overview of Azure Files identity-based authentication options, https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview
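The following Python example is added here for illustration; it is not part of the exam question, the site's explanation, or Microsoft's code. It models the authorization rule the answer relies on: an Azure RBAC role assignment at a parent scope (subscription, resource group, storage account) is inherited by every container beneath it, and only a role that carries blob data actions grants data-plane access, which is why an Owner cannot read blob contents with an Azure AD token until a Storage Blob Data role is added. The role definitions are abbreviated to the blob data actions, the subscription, principals, and assignments are constructed, and deny assignments, ABAC conditions, and Data Lake Storage Gen2 ACL evaluation are deliberately left out.

```python
"""Simplified Azure RBAC decision for blob data-plane actions.

Added example; not Microsoft's authorization service, but it follows the
documented rules: assignments inherit down the scope hierarchy, a data action
is granted if some in-scope role lists it in DataActions and not in
NotDataActions, and control-plane roles such as Owner carry no DataActions.
"""
from fnmatch import fnmatch

# Abbreviated built-in roles: only the blob data actions used here.
# "Owner" genuinely has an empty DataActions list in Azure.
ROLES = {
    "Storage Blob Data Reader": {
        "DataActions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        ],
        "NotDataActions": [],
    },
    "Storage Blob Data Contributor": {
        "DataActions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
        ],
        "NotDataActions": [],
    },
    "Owner": {"DataActions": [], "NotDataActions": []},
}

# Constructed scopes (subscription ID is a placeholder, not a real tenant).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ACCOUNT = SUB + "/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stbigdata01"
LOGS = ACCOUNT + "/blobServices/default/containers/logs"
SECRETS = ACCOUNT + "/blobServices/default/containers/secrets"

# Constructed role assignments: principal, role, scope.
ASSIGNMENTS = [
    {"principal": "alice@contoso.example", "role": "Storage Blob Data Reader", "scope": ACCOUNT},
    {"principal": "bob@contoso.example", "role": "Owner", "scope": SUB},
    {"principal": "spark-job-mi", "role": "Storage Blob Data Contributor", "scope": LOGS},
]

READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
WRITE = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"


def scope_covers(assignment_scope: str, resource_scope: str) -> bool:
    """A role assignment applies to its own scope and to every child scope."""
    a = assignment_scope.lower().rstrip("/")
    r = resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def _matches(patterns, action: str) -> bool:
    # Azure RBAC allows '*' wildcards in action strings; fnmatch's '*' also
    # matches '/', which is what "Microsoft.Storage/*"-style patterns need.
    return any(fnmatch(action.lower(), p.lower()) for p in patterns)


def is_authorized(principal: str, action: str, resource_scope: str,
                  assignments=ASSIGNMENTS, roles=ROLES) -> bool:
    """Grant if any in-scope assignment's role allows the data action.

    NotDataActions only subtract within the same role definition.
    """
    for asg in assignments:
        if asg["principal"] != principal:
            continue
        if not scope_covers(asg["scope"], resource_scope):
            continue
        role = roles[asg["role"]]
        if _matches(role["DataActions"], action) and not _matches(role["NotDataActions"], action):
            return True
    return False


if __name__ == "__main__":
    for who, act, scope in [
        ("alice@contoso.example", READ, LOGS),
        ("alice@contoso.example", WRITE, LOGS),
        ("bob@contoso.example", READ, LOGS),      # Owner: control plane only
        ("spark-job-mi", WRITE, LOGS),
        ("spark-job-mi", WRITE, SECRETS),        # assignment scoped to one container
    ]:
        print(f"{who:24} {act.rsplit('/', 1)[-1]:6} {scope.rsplit('/', 1)[-1]:8} -> {is_authorized(who, act, scope)}")
```

The Owner case is the one that surprises people in practice: a subscription Owner can change the account's configuration and rotate its keys, but a blob client that authenticates with that user's Azure AD token gets 403 until a Storage Blob Data role is assigned, so audit both the control-plane and data-plane assignments when you review who can reach the data.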
-
Question 4
HOTSPOT -
Your company is migrating data to Azure. The data contains Personally Identifiable Information (PII).
The company plans to use Microsoft Information Protection for the PII data store in Azure.
You need to recommend a solution to discover PII data at risk in the Azure resources.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Box 1 (connect the Azure data sources to Microsoft Information Protection): Azure Purview (now Microsoft Purview). Box 2 (triage security alerts related to resources that contain PII): Microsoft Defender for Cloud.
Explanation:
I agree with the suggested answer. The question asks for a solution to discover PII data at risk in Azure resources. Here is why the chosen options are correct and why the others are less suitable:
Box 1, to connect the Azure data sources to Microsoft Information Protection: Azure Purview (now Microsoft Purview).
- Reasoning: Purview is the data governance service that scans, classifies, and maps data across the estate, including Azure data sources such as storage accounts and databases. Its built-in classifiers identify PII automatically, and it applies the same sensitivity labels that Microsoft Information Protection uses.
- Against Microsoft Defender for Cloud Apps: Defender for Cloud Apps discovers shadow IT, governs SaaS apps, and can label files in connected cloud apps, but it does not scan Azure data sources such as storage accounts or databases for PII. It is not the tool for this box.
Box 2, to triage security alerts related to resources that contain PII data: Microsoft Defender for Cloud.
- Reasoning: Defender for Cloud provides threat protection and security posture management for Azure resources, and its Purview integration ingests the classifications and labels applied to data resources. Defender for Cloud uses that context to surface attack paths and to rank alerts and recommendations for resources that hold sensitive data, which is exactly what triage needs.
- Against Azure Monitor: Azure Monitor collects logs and metrics and can raise alerts, but it has no notion of data sensitivity. It can only prioritize on PII context if another tool supplies it, so it is the weaker choice here.
In summary, Microsoft Purview discovers and classifies the PII, and Microsoft Defender for Cloud uses that information to prioritize security alerts and risks. Azure Monitor provides telemetry without PII context, and Defender for Cloud Apps is not for PII discovery within Azure data stores.
- Suggested Answer: Box 1, Azure Purview; Box 2, Microsoft Defender for Cloud. The combination is the most complete approach to discovering PII and managing the associated security risks.
- Updated information: Azure Purview has been renamed to Microsoft Purview.
Citations:
- Microsoft Purview, https://learn.microsoft.com/en-us/purview/
- Microsoft Defender for Cloud, https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction
-
Question 5
You have a Microsoft 365 E5 subscription and an Azure subscription.
You are designing a Microsoft deployment.
You need to recommend a solution for the security operations team. The solution must include custom views and a dashboard for analyzing security events.
What should you recommend using in Microsoft Sentinel?
- A. notebooks
- B. playbooks
- C. workbooks
- D. threat intelligence
Correct Answer:
C
Explanation:
I agree with the suggested answer.
The recommended solution for the security operations team to include custom views and a dashboard for analyzing security events in Microsoft Sentinel is to use workbooks.
Reasoning: Workbooks in Microsoft Sentinel provide a flexible and powerful way to create custom dashboards and visualizations for security data. They allow security teams to analyze data, create rich visual reports, and gain insights into security events. Workbooks are built on Azure Monitor Workbooks, providing a wide range of visualization options and the ability to query and analyze data from various sources.
Why other options are not suitable:
- Notebooks: While notebooks are useful for interactive data exploration and analysis using languages like Python, they are not designed for persistent dashboards and custom views for a security operations team. They are better suited to ad-hoc investigations and data science tasks.
- Playbooks: Playbooks are used for security automation and orchestration, enabling automated responses to security incidents. They do not provide the visualization and dashboarding capabilities required in this scenario.
- Threat intelligence: Threat intelligence focuses on gathering, analyzing, and disseminating information about potential threats. It is a crucial aspect of security operations, but it does not address the need for custom views and dashboards for analyzing security events.
Workbooks are directly integrated within the Azure portal and provide the necessary functionalities for building custom dashboards and visualizations for analyzing security events, which aligns perfectly with the requirements stated in the question.
Suggested Answer: C
Citations:
- Azure Monitor Workbooks Overview, https://learn.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-overview
-
Question 6
Your company has a Microsoft 365 subscription and uses Microsoft Defender for Identity.
You are informed about incidents that relate to compromised identities.
You need to recommend a solution to expose several accounts for attackers to exploit. When the attackers attempt to exploit the accounts, an alert must be triggered.
Which Defender for Identity feature should you include in the recommendation?
- A. sensitivity labels
- B. custom user tags
- C. standalone sensors
- D. honeytoken entity tags
Correct Answer:
D
Explanation:
I agree with the suggested answer.
The correct answer is D. honeytoken entity tags.
Reason: Honeytoken entity tags in Microsoft Defender for Identity are specifically designed to act as traps for attackers. By tagging certain accounts as honeytokens, any attempt to access or exploit these accounts will trigger an alert, indicating suspicious or malicious activity. This allows security teams to quickly identify and respond to potential breaches. The question specifically asks for a solution to expose accounts for attackers to exploit and trigger an alert when they do so, which is exactly what honeytokens are designed for.
Reason for not choosing other options:
- A. Sensitivity labels: These are used to classify and protect data, not to trap attackers.
- B. Custom user tags: While useful for organization and filtering, they do not inherently trigger alerts upon access attempts.
- C. Standalone sensors: These collect data but do not create traps like honeytokens. They are about monitoring and data collection.
Citations:
- Microsoft Defender for Identity documentation, https://learn.microsoft.com/en-us/defender-for-identity/
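The Python example below is added here to show the detection logic behind a honeytoken; it is not code from the exam, the site, or Microsoft Defender for Identity, which implements the same idea inside its sensors. The premise is that a decoy account has no legitimate users, so any authentication event that names it (successful or failed logon, Kerberos ticket request, NTLM validation) is an alert. The decoy account names and the security events are constructed for the example.

```python
"""Flag any authentication activity that touches honeytoken (decoy) accounts.

Added example; a simplified stand-in for the Defender for Identity honeytoken
tag. Events are constructed to look like Windows Security log records.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: these accounts were created only to attract attackers and would
# carry the honeytoken tag in Defender for Identity.
HONEYTOKEN_ACCOUNTS = {"svc_backup_admin", "sqladmin_legacy"}

# Events in which a target account is authenticated or requests a ticket:
# 4624 logon success, 4625 logon failure, 4768 Kerberos TGT request,
# 4769 Kerberos service ticket request, 4776 NTLM credential validation.
AUTH_EVENT_IDS = {4624, 4625, 4768, 4769, 4776}

# Constructed sample events (not real telemetry). 4720 is "user account
# created" and is deliberately included as a non-authentication event.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jdoe", "IpAddress": "10.0.0.15", "LogonType": 3},
    {"EventID": 4625, "TargetUserName": "CONTOSO\\svc_backup_admin", "IpAddress": "10.0.0.99", "LogonType": 3},
    {"EventID": 4768, "TargetUserName": "SQLADMIN_LEGACY", "IpAddress": "10.0.0.99"},
    {"EventID": 4776, "TargetUserName": "svc_backup_admin", "IpAddress": "10.0.0.99"},
    {"EventID": 4624, "TargetUserName": "asmith", "IpAddress": "10.0.0.20", "LogonType": 2},
    {"EventID": 4720, "TargetUserName": "svc_backup_admin", "IpAddress": "10.0.0.5"},
]


@dataclass(frozen=True)
class HoneytokenAlert:
    account: str
    source_ip: str
    event_id: int


def normalize_account(name: str) -> str:
    """Strip a DOMAIN\\ prefix or UPN suffix and lower-case the sAMAccountName.

    AD account names are case-insensitive, and attackers mix formats, so the
    match must not depend on how the event happened to render the name.
    """
    name = name.rsplit("\\", 1)[-1]
    name = name.split("@", 1)[0]
    return name.lower()


def is_honeytoken(name: str) -> bool:
    return normalize_account(name) in HONEYTOKEN_ACCOUNTS


def detect_honeytoken_use(events) -> list[HoneytokenAlert]:
    """Return one alert per authentication event that targets a decoy account."""
    alerts = []
    for e in events:
        if e.get("EventID") not in AUTH_EVENT_IDS:
            continue
        user = e.get("TargetUserName", "")
        if is_honeytoken(user):
            alerts.append(HoneytokenAlert(normalize_account(user), e.get("IpAddress", "-"), e["EventID"]))
    return alerts


def attacker_sources(alerts) -> dict[str, set[str]]:
    """Group alerts by source IP; one host probing several decoys is a strong signal."""
    by_ip = defaultdict(set)
    for a in alerts:
        by_ip[a.source_ip].add(a.account)
    return dict(by_ip)


if __name__ == "__main__":
    found = detect_honeytoken_use(SAMPLE_EVENTS)
    for a in found:
        print(f"ALERT event {a.event_id}: honeytoken '{a.account}' touched from {a.source_ip}")
    for ip, accounts in attacker_sources(found).items():
        print(f"{ip} probed {len(accounts)} decoy account(s): {sorted(accounts)}")
```

Note that failed logons are as important as successful ones: the attacker in the sample never gets in, but the password spray against the decoys already reveals the source host. The account creation event (4720) is intentionally not an alert here; in production you would still want to monitor changes to decoy accounts, but through a separate rule.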
-
Question 7
Your company is moving all on-premises workloads to Azure and Microsoft 365.
You need to design a security orchestration, automation, and response (SOAR) strategy in Microsoft Sentinel that meets the following requirements:
✑ Minimizes manual intervention by security operation analysts
✑ Supports triaging alerts within Microsoft Teams channels
What should you include in the strategy?
- A. KQL
- B. playbooks
- C. data connectors
- D. workbooks
Correct Answer:
B
Explanation:
I agree with the suggested answer. The best approach to designing a SOAR strategy in Microsoft Sentinel that minimizes manual intervention and supports triaging alerts within Microsoft Teams channels is to use playbooks. Here's why:
Reasoning:
- Playbooks Directly Address SOAR Requirements: Playbooks in Microsoft Sentinel are designed to automate responses to security alerts and incidents. This automation directly minimizes the need for manual intervention by security operations analysts.
- Integration with Microsoft Teams: Playbooks can be configured to send notifications and alerts to Microsoft Teams channels, facilitating alert triaging and collaboration among security teams.
- Automation Capabilities: Playbooks enable the execution of pre-defined actions in response to specific alerts, such as isolating compromised machines, blocking malicious users, or escalating incidents to appropriate personnel.
Why other options are not as suitable:
- KQL (Kusto Query Language): While KQL is essential for querying and analyzing data within Sentinel, it does not provide the automation and response capabilities needed for SOAR. KQL is primarily used for threat hunting and creating custom detection rules, not for automated incident response.
- Data Connectors: Data connectors are used to ingest data from various sources into Sentinel. While they are crucial for providing the raw data needed for analysis, they do not directly address the requirements of automating responses or triaging alerts.
- Workbooks: Workbooks provide interactive dashboards and visualizations for monitoring security data and trends. They are useful for gaining insights into security posture but do not automate incident response processes.
Therefore, playbooks are the most appropriate choice for meeting the specified requirements of minimizing manual intervention and supporting alert triaging within Microsoft Teams.
Citations:
- Microsoft Sentinel Playbooks, https://learn.microsoft.com/en-us/azure/sentinel/automate-incident-handling-with-automation-rules
- Automate security tasks in Microsoft Sentinel playbooks, https://learn.microsoft.com/en-us/azure/logic-apps/connectors/connector-azure-sentinel
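The following Python example is added here and is not code from the exam, the site, or Microsoft. It demonstrates the decision logic that both the Defender for Cloud workflow automation scenario (Question 2) and the Sentinel SOAR scenario above would implement in a Logic Apps playbook: take the alert payload, branch on severity, and build the Adaptive Card that the Teams connector posts to a channel so analysts can triage with a button rather than in the portal. The Logic Apps condition and Teams action themselves are configuration, so the branching is written in Python here to make it runnable offline; the alert is constructed, and its field names follow the Defender for Cloud alert schema (AlertDisplayName, Severity, CompromisedEntity, Entities, ExtendedProperties).

```python
"""Playbook-style triage of a Defender for Cloud alert, producing a Teams Adaptive Card.

Added example; not a Logic App. In the real playbook the same three steps are
the Defender for Cloud trigger, a Condition on Severity, and the Teams
"Post adaptive card" action. The alert below is constructed.
"""
import json

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed alert (not real telemetry), shaped like the Defender for Cloud alert schema.
SAMPLE_ALERT = {
    "AlertDisplayName": "Suspicious authentication activity",
    "Severity": "Medium",
    "CompromisedEntity": "vm-web-01",
    "Entities": [
        {"$id": "1", "Type": "host", "HostName": "vm-web-01"},
        {"$id": "2", "Type": "ip", "Address": "203.0.113.7"},
        {"$id": "3", "Type": "account", "Name": "svc_backup_admin"},
    ],
    "ExtendedProperties": {"Failed logons": "250", "Protocol": "RDP"},
}


def choose_action(alert, notify_at="Medium", isolate_at="High") -> str:
    """Map severity to the playbook branch: 'ignore', 'notify' or 'isolate_and_notify'.

    Thresholds are the assumption a SOC would tune; unknown severities rank lowest.
    """
    rank = SEVERITY_RANK.get(alert.get("Severity"), 0)
    if rank >= SEVERITY_RANK[isolate_at]:
        return "isolate_and_notify"
    if rank >= SEVERITY_RANK[notify_at]:
        return "notify"
    return "ignore"


def entity_facts(alert) -> list[tuple[str, str]]:
    """Flatten the entities list and extended properties into (label, value) pairs."""
    facts = []
    for ent in alert.get("Entities", []):
        kind = ent.get("Type")
        if kind == "host":
            facts.append(("Host", ent["HostName"]))
        elif kind == "ip":
            facts.append(("Source IP", ent["Address"]))
        elif kind == "account":
            facts.append(("Account", ent["Name"]))
    for key, value in alert.get("ExtendedProperties", {}).items():
        facts.append((key, str(value)))
    return facts


def build_teams_card(alert, action: str) -> dict:
    """Adaptive Card (schema 1.4). Action.Submit payloads are returned to the
    playbook when an analyst clicks, which is how triage stays inside Teams."""
    entity = alert["CompromisedEntity"]
    return {
        "type": "AdaptiveCard",
        "$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
        "version": "1.4",
        "body": [
            {"type": "TextBlock", "size": "Medium", "weight": "Bolder",
             "text": f"[{alert['Severity']}] {alert['AlertDisplayName']}"},
            {"type": "TextBlock", "text": f"Playbook decision: {action}", "wrap": True},
            {"type": "FactSet", "facts": [{"title": k, "value": v} for k, v in entity_facts(alert)]},
        ],
        "actions": [
            {"type": "Action.Submit", "title": "Dismiss (false positive)",
             "data": {"verdict": "dismiss", "entity": entity}},
            {"type": "Action.Submit", "title": "Isolate host",
             "data": {"verdict": "isolate", "entity": entity}},
        ],
    }


def triage(alert):
    """Return the chosen branch and the card to post (None when the alert is ignored)."""
    action = choose_action(alert)
    card = None if action == "ignore" else build_teams_card(alert, action)
    return action, card


if __name__ == "__main__":
    action, card = triage(SAMPLE_ALERT)
    print(action)
    print(json.dumps(card, indent=2))
```

The two Action.Submit buttons are what make the Teams channel a triage surface rather than a notification feed: the playbook waits for the analyst's verdict and runs the isolation or dismissal step itself, so the analyst never has to open the Defender or Sentinel portal for routine alerts.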
-
Question 8
You have an Azure subscription that contains virtual machines, storage accounts, and Azure SQL databases.
All resources are backed up multiple times a day by using Azure Backup.
You are developing a strategy to protect against ransomware attacks.
You need to recommend which controls must be enabled to ensure that Azure Backup can be used to restore the resources in the event of a successful ransomware attack.
Which two controls should you include in the recommendation? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
- A. Enable soft delete for backups.
- B. Require PINs for critical operations.
- C. Encrypt backups by using customer-managed keys (CMKs).
- D. Perform offline backups to Azure Data Box.
- E. Use Azure Monitor notifications when backup configurations change.
Correct Answer:
AB
Explanation:
I agree with the suggested answer of AB. Here's a detailed reasoning:
A. Enable soft delete for backups: This is the key control. With soft delete, backup data that is deleted, whether by an administrator or by an attacker using stolen credentials, is retained in a soft-deleted state for an additional period (14 days by default for Recovery Services vaults) and can be undeleted at no cost. Without it, an attacker who can delete backups permanently removes your only path to recovery. Azure Backup has since added immutable vaults and multi-user authorization (MUA), which strengthen this further and belong in a current design, but they are not among the options here.
B. Require PINs for critical operations: The Azure Backup security PIN adds a second authorization step for destructive operations such as stopping protection with delete data or changing the backup passphrase. The PIN is generated in the Azure portal by an identity that holds the right to generate it, so an attacker who controls only the backup server or a compromised workstation cannot complete these operations. Together with soft delete, this keeps ransomware from disabling or destroying the backups.
Why not C? Encrypting backups with customer-managed keys (CMKs) is good practice, but it protects confidentiality, not availability. It does nothing to stop an attacker with backup permissions from deleting the backups, and an attacker who also controls the key vault could revoke the key and make the backups unusable. Encryption is therefore not among the controls that ensure Azure Backup can be used to restore the resources after a successful attack.
Why not D? Performing offline backups to Azure Data Box can be a good strategy for long-term archival and protection against certain types of attacks, but it's not the most immediate or practical solution for ransomware. Restoring from Azure Data Box is a relatively slow process compared to restoring from online Azure Backup storage. For rapid recovery after a ransomware attack, online backups with soft delete are more effective. Also, it would be too costly to backup multiple times a day by using Azure Data Box.
Why not E? While Azure Monitor notifications for backup configuration changes are useful for detecting unauthorized modifications, they don't directly prevent ransomware from deleting backups. They provide an alert, but don't offer a preventative control like soft delete or PIN protection.
- Suggested Answer: AB
- Reasoning: A and B directly address the need to protect backups from deletion or modification by ransomware.
- Why not C: Encryption alone does not prevent deletion.
- Why not D: Azure Data Box is better suited for archival, but it's not the most efficient option for rapid recovery after a ransomware attack. Also, it would be too costly to backup multiple times a day by using Azure Data Box.
- Why not E: Azure Monitor notifications are useful for detecting unauthorized modifications but don't prevent deletion.
-
Question 9
HOTSPOT -
You are creating the security recommendations for an Azure App Service web app named App1. App1 has the following specifications:
✑ Users will request access to App1 through the My Apps portal. A human resources manager will approve the requests.
✑ Users will authenticate by using Azure Active Directory (Azure AD) user accounts.
You need to recommend an access security architecture for App1.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Box 1: an Azure AD application (register App1 in Azure AD). Box 2: an access package in Azure AD Identity Governance (entitlement management), with the human resources manager as the approver.
Explanation:
Based on the information provided and the discussion summary, I agree with the suggested answer, which corresponds to using an Azure AD application and an Access Package in Identity Governance.
Reasoning: The scenario requires Azure AD authentication for App1 and a method for users to request access through the My Apps portal.
- Azure AD Application: This is necessary to register App1 with Azure AD, enabling authentication and authorization capabilities. It establishes a trust relationship between the application and Azure AD, allowing users to sign in with their Azure AD credentials.
- Access Package in Identity Governance: Access packages are a key component of Azure AD Identity Governance. They allow you to bundle together the resources a user needs access to and define who can request access, how approval works, and how long access is granted. The requirement that "Users will request access to App1 through the My Apps portal" strongly suggests the use of access packages, as they are designed for self-service access requests.
Why other options are less suitable: Other Azure AD features might play a role in securing App1, but they do not provide self-service access requests with manager approval the way access packages do. The remaining configurations depend on the specific network architecture and policy enforcement, which this question does not describe.
Therefore, configuring an Azure AD application and utilizing access packages in Identity Governance is the most appropriate solution to meet the stated requirements.
Citations:
- What is Azure AD Identity Governance?, https://learn.microsoft.com/en-us/azure/active-directory/governance/identity-governance-overview
- What are access packages?, https://learn.microsoft.com/en-us/azure/active-directory/governance/access-package-start
-
Question 10
HOTSPOT -
Your company uses Microsoft Defender for Cloud and Microsoft Sentinel.
The company is designing an application that will have the architecture shown in the following exhibit.

You are designing a logging and auditing solution for the proposed architecture. The solution must meet the following requirements:
✑ Integrate Azure Web Application Firewall (WAF) logs with Microsoft Sentinel.
✑ Use Defender for Cloud to review alerts from the virtual machines.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Box 1: Data connectors. Box 2: Azure Monitor Agent (the original suggested answer named the Log Analytics agent; see the explanation).
Explanation:
I agree with the suggested answer, with one modification to Box 2: recommend the Azure Monitor Agent as the primary solution and treat the Log Analytics agent as the legacy alternative.
Reasoning for Box 1 (data connectors): The question explicitly requires integrating Azure Web Application Firewall (WAF) logs with Microsoft Sentinel. Data connectors are the designated mechanism for connecting data sources, including Azure WAF, to Microsoft Sentinel; the WAF connector streams the firewall diagnostic logs into the Log Analytics workspace, which is the documented path for SIEM integration.
Reasoning for Box 2 (Azure Monitor Agent): The Log Analytics agent was historically the way to collect data from virtual machines for Defender for Cloud, but the Azure Monitor Agent replaced it, offering better performance, centralized data collection rules, and managed-identity authentication. The Log Analytics agent was retired in August 2024, so while it would once have satisfied the requirement, the Azure Monitor Agent is the choice that aligns with current guidance. This also matches the discussion content noting the deprecation and the Azure Monitor Agent as the replacement.
Reasons for not choosing other options:
- Azure Diagnostics extension: This extension collects guest OS and application diagnostics into storage or Event Hubs; it does not feed Microsoft Defender for Cloud or Microsoft Sentinel with security alerts the way the agents do.
- Microsoft Defender for Cloud Apps connector: This connector ingests data from Defender for Cloud Apps (SaaS and shadow IT telemetry), not from virtual machines or WAF logs.
Therefore, the best solution uses data connectors for WAF logs in Sentinel and the Azure Monitor Agent for VM alerts within Defender for Cloud.
Suggested Answer:
Box 1:
Data connectors
Box 2:
Azure Monitor Agent
Citations:
- Connect Azure Web Application Firewall (WAF) logs to Microsoft Sentinel, https://learn.microsoft.com/en-us/azure/sentinel/connect-azure-web-application-firewall
- Overview of the Azure Monitor Agent, https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-overview
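The Python example below is added here and is not code from the exam, the site, or Microsoft. It shows what the WAF data looks like once the connector has delivered it and what an analytic rule over it has to do: Application Gateway WAF writes one ApplicationGatewayFirewallLog row per matched rule, and with the OWASP Core Rule Set the individual rules log an action of Matched while the anomaly-score rule (949110) logs the final Blocked decision, so rows must be correlated by transactionId before counting blocks. In Sentinel this is a KQL query over the AzureDiagnostics table filtered on that category; the same correlation is written in Python here so it runs offline. The log records are constructed and abbreviated to the properties the logic uses.

```python
"""Correlate Application Gateway WAF firewall-log rows into blocked transactions.

Added example; the records are constructed to match the shape of the
ApplicationGatewayFirewallLog diagnostic category, not captured traffic.
"""
from collections import defaultdict

FIREWALL_CATEGORY = "ApplicationGatewayFirewallLog"


def _row(ip, uri, rule, action, tx, msg, category=FIREWALL_CATEGORY):
    return {
        "category": category,
        "time": "2024-05-01T10:00:01Z",
        "properties": {"clientIp": ip, "hostname": "app.contoso.example", "requestUri": uri,
                       "ruleId": rule, "action": action, "transactionId": tx, "message": msg},
    }


# Constructed sample records (not real traffic). t-001 and t-002 are blocked
# after the anomaly score threshold is exceeded; t-003 only matched a single
# low-scoring rule and was allowed; the last row is an access-log row that a
# firewall rule must ignore.
SAMPLE_WAF_LOGS = [
    _row("203.0.113.7", "/login?user=%27+OR+1%3D1--", "942100", "Matched", "t-001",
         "SQL Injection Attack Detected via libinjection"),
    _row("203.0.113.7", "/login?user=%27+OR+1%3D1--", "949110", "Blocked", "t-001",
         "Inbound Anomaly Score Exceeded (Total Score: 5)"),
    _row("203.0.113.7", "/search?q=%3Cscript%3Ealert(1)%3C/script%3E", "941100", "Matched", "t-002",
         "XSS Attack Detected via libinjection"),
    _row("203.0.113.7", "/search?q=%3Cscript%3Ealert(1)%3C/script%3E", "949110", "Blocked", "t-002",
         "Inbound Anomaly Score Exceeded (Total Score: 5)"),
    _row("198.51.100.9", "/", "920350", "Matched", "t-003",
         "Host header is a numeric IP address"),
    _row("198.51.100.9", "/", "-", "-", "t-004", "GET / 200", category="ApplicationGatewayAccessLog"),
]


def blocked_transactions(records) -> dict:
    """Group firewall-log rows by transactionId; keep those that ended in a Blocked action."""
    tx = defaultdict(lambda: {"clientIp": None, "requestUri": None, "matched_rules": [], "blocked": False})
    for r in records:
        if r.get("category") != FIREWALL_CATEGORY:
            continue
        p = r["properties"]
        t = tx[p["transactionId"]]
        t["clientIp"] = p["clientIp"]
        t["requestUri"] = p["requestUri"]
        t["matched_rules"].append(p["ruleId"])
        if p["action"] == "Blocked":
            t["blocked"] = True
    return {k: v for k, v in tx.items() if v["blocked"]}


def repeat_offenders(records, threshold: int = 2) -> list[str]:
    """Client IPs with at least `threshold` blocked transactions: the candidates
    for an analytic rule or an automatic block on the WAF policy."""
    counts = defaultdict(int)
    for t in blocked_transactions(records).values():
        counts[t["clientIp"]] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for tx_id, t in blocked_transactions(SAMPLE_WAF_LOGS).items():
        print(f"{tx_id}: {t['clientIp']} {t['requestUri']} rules={t['matched_rules']}")
    print("repeat offenders:", repeat_offenders(SAMPLE_WAF_LOGS))
```

Counting Blocked rows without the transaction grouping would overstate or understate attacks depending on how many rules each request trips, which is the classic mistake when the raw connector output is queried directly; grouping first gives one verdict per request and a per-client count that is safe to alert on.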