Microsoft - AZ-801: Configuring Windows Server Hybrid Advanced Services

Sample Questions

Question: 175
Measured Skill: Monitor and troubleshoot Windows Server environments (20-25%)

You have 20 on-premises virtual machines that run Windows Server.

You have an Azure subscription that contains a Microsoft Sentinel workspace named Workspace1.

You need to collect events from the on-premises virtual machines and forward the events to Workspace1. The solution must ensure that you can define filters to minimize the volume of collected events.

Which two components should you install on each virtual machine?

(Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.)

A The Azure Connected Machine agent
B The Azure VM Dependency agent extension for Windows
C The Azure Monitor agent
D The Log Analytics VM extension for Windows
E The Dependency agent

Correct answer: A, C

Explanation:

The Azure Connected Machine agent enables you to manage your Windows and Linux machines hosted outside of Azure on your corporate network or other cloud providers.

Microsoft Sentinel uses an Azure Log Analytics workspace for data collection and storage. We have to install the Azure Monitor Agent (AMA) and configure the agent to report to the Log Analytics workspace used by Microsoft Sentinel. Azure Monitor Agent uses data collection rules (DCRs), in which you can define filters to minimize the volume of collected events.

Note: Azure Monitor Agent (AMA) replaces the Log Analytics agent, also known as Microsoft Monitor Agent (MMA) and OMS, for Windows and Linux machines, in Azure and non-Azure environments, on-premises and other clouds. The agent introduces a simplified, flexible method of configuring data collection using Data Collection Rules (DCRs).
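As an added example (not part of the original page or of Microsoft's documentation), the following PowerShell dry-runs the kind of XPath filter that a DCR's Custom stream accepts against the local Security log, so the event selection can be checked on one server before it is rolled out to all 20 machines; the event IDs and the one-hour window are assumptions for illustration.

```powershell
# Added example: test DCR-style XPath filters locally before putting them in a data collection rule.
# The Windows Security Events via AMA connector's "Custom" option takes XPath queries in the same
# form that Get-WinEvent -FilterXPath accepts, so what matches here is what the DCR will select.
# Assumptions: elevated session on a Windows Server host; event IDs are illustrative choices.

# timediff(@SystemTime) is in milliseconds; 3600000 = last hour (constructed window for the test)
$window = 'TimeCreated[timediff(@SystemTime) <= 3600000]'

$XPathFilters = @(
    # Interactive/network logon successes and failures, plus explicit-credential logons
    "*[System[(EventID=4624 or EventID=4625 or EventID=4648) and $window]]",
    # Security group membership changes
    "*[System[(EventID=4728 or EventID=4732 or EventID=4756) and $window]]",
    # Audit log cleared
    "*[System[(EventID=1102) and $window]]"
)

# Baseline: every Security event in the same window, to show how much the filters cut
$all = @(Get-WinEvent -LogName Security -FilterXPath "*[System[$window]]" `
            -ErrorAction SilentlyContinue).Count

$selected = 0
foreach ($xpath in $XPathFilters) {
    $hits = @(Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue).Count
    $selected += $hits
    "{0,-80} matches: {1}" -f $xpath, $hits
}
"Security events in window: {0}; selected by filters: {1}" -f $all, $selected

# In the DCR the same expressions (without the time clause) go under
# dataSources.windowsEventLogs[].xPathQueries, prefixed with the channel name, e.g.
#   Security!*[System[(EventID=4624 or EventID=4625 or EventID=4648)]]
```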

References:

Overview of Azure Connected Machine agent

Azure Monitor Agent overview



Question: 176
Measured Skill: Monitor and troubleshoot Windows Server environments (20-25%)

Your on-premises network is connected to Azure.

You have an Azure subscription. The subscription contains a virtual machine named VM1 that runs Windows Server.

You need to identify the latency between the on-premises network and VM1.

Which Azure Network Watcher settings should you use?

A IP flow verify
B Connection monitor
C VPN troubleshoot
D Connection troubleshoot

Correct answer: B

Explanation:

Connection monitor provides unified and continuous network connectivity monitoring, enabling users to detect anomalies, identify the specific network component responsible for issues, and troubleshoot with actionable insights in Azure and hybrid cloud environments.

Connection monitor tests measure aggregated packet loss and network latency metrics across TCP, ICMP, and HTTP pings. A unified topology visualizes the end-to-end network path, highlighting network path hops with hop performance metrics. Connection monitor provides actionable insights and detailed logs to efficiently analyze and troubleshoot the root cause of an issue.

Reference: Connection monitor overview



Question: 177
Measured Skill: Monitor and troubleshoot Windows Server environments (20-25%)

Your network contains an Active Directory domain. The domain contains a domain controller named DC1 and a server named Server1 that runs Windows Server.

You need to enable event log subscriptions to forward events from DC1 to Server1.

Which command should you run to enable the Windows Event Collector service, and on which servers should you run the command?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A Command: wecutil qc /q
Servers: DC1 only
B Command: wecutil qc /q
Servers: Server1 only
C Command: wevtutil el
Servers: DC1 and Server1
D Command: wevtutil el
Servers: DC1 only
E Command: winrm qc
Servers: Server1 only
F Command: winrm qc
Servers: DC1 and Server1

Correct answer: B

Explanation:

You can subscribe to receive and store events on a local computer (event collector) that are forwarded from a remote computer (event source). The Windows Event Collector functions support subscribing to events by using the WS-Management protocol.

The Windows Event Collector service must be enabled on the computer designated to collect the events (Server1) from the remote computer (DC1).

The Windows Event Collector utility (wecutil.exe) enables you to create and manage subscriptions to events that are forwarded from remote computers. 

Running wecutil with the qc (quick-config) parameter configures the Windows Event Collector service to ensure a subscription can be created and sustained through reboots. This includes the following steps:

  1. Enable the ForwardedEvents channel if it is disabled.
  2. Set the Windows Event Collector service to delay start.
  3. Start the Windows Event Collector service if it is not running.
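As an added example (not from the original page), this PowerShell checks on the collector (Server1) that the three conditions listed above are in place after quick-config and shows the subscriptions the collector knows about; it assumes an elevated session on Server1 and uses the wecutil es and gr verbs for enumeration and runtime status.

```powershell
# Added example: verify the collector-side state that 'wecutil qc /q' is expected to leave behind.
# Assumption: run as administrator on the collector (Server1), not on the source (DC1).

$results = [ordered]@{}

# 1. ForwardedEvents channel must be enabled (this is where collected events land)
$channel = Get-WinEvent -ListLog ForwardedEvents
$results['ForwardedEvents channel enabled'] = $channel.IsEnabled

# 2. Windows Event Collector service (Wecsvc) set to Automatic (Delayed Start).
#    Get-Service reports only 'Automatic'; the delayed flag lives in the service's registry key.
$svc     = Get-Service -Name Wecsvc
$delayed = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Wecsvc' `
                -Name DelayedAutostart -ErrorAction SilentlyContinue).DelayedAutostart
$results['Wecsvc start type']        = $svc.StartType
$results['Wecsvc delayed autostart'] = ($delayed -eq 1)

# 3. Service must be running
$results['Wecsvc running'] = ($svc.Status -eq 'Running')

$results.GetEnumerator() | ForEach-Object { "{0,-35} {1}" -f $_.Key, $_.Value }

# Subscriptions defined on this collector, with runtime status per subscription
$subs = @(wecutil es)
if ($subs.Count -gt 0) {
    foreach ($name in $subs) {
        "`n--- subscription: $name ---"
        wecutil gr $name
    }
} else {
    'No subscriptions defined yet (create one with "wecutil cs <subscription.xml>" or Event Viewer > Subscriptions).'
}

# Source side (DC1) is separate: WinRM must be listening there ('winrm qc'), and the collector's
# computer account needs read access to the forwarded log, e.g. via the Event Log Readers group.
```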

References:

Windows Event Collector

wecutil



Question: 178
Measured Skill: Monitor and troubleshoot Windows Server environments (20-25%)

You have an on-premises server named Server1 that runs Windows Server.

You have an Azure subscription.

You create a Microsoft Sentinel workspace named Workspace1.

You need to ensure that Workspace1 can collect events from Server1 by using the Windows Security Events via AMA data connector.

You add Server1 to Azure Arc.

Which actions should you perform next in sequence?

(To answer, drag the appropriate actions to the correct order. Each action may be used once, more than once, or not at all. NOTE: Each correct selection is worth one point.)


A Step 1: Open Workspace1 in Microsoft Sentinel.
Step 2: Add a new workbook.
Step 3: Create a new hunt.
B Step 1: Open Workspace1 in Microsoft Sentinel.
Step 2: Install the Windows Security Events solution.
Step 3: Add a new threat intelligence indicator.
C Step 1: Open Workspace1 in Microsoft Sentinel.
Step 2: From the Windows Security Events via AMA connector, create a data collection rule (DCR).
Step 3: Add a new workbook.
D Step 1: Open Workspace1 in Microsoft Sentinel.
Step 2: Create a new hunt.
Step 3: Add a new workbook.
E Step 1: Open Workspace1 in Microsoft Sentinel.
Step 2: Install the Windows Security Events solution.
Step 3: From the Windows Security Events via AMA connector, create a data collection rule (DCR).
F Step 1: Open Workspace1 in Microsoft Sentinel.
Step 2: From the Windows Security Events via AMA connector, create a data collection rule (DCR).
Step 3: Create a new hunt.

Correct answer: E

Explanation:

The Windows Security Events solution for Microsoft Sentinel allows you to ingest Security events from your Windows machines using the Windows Agent into Microsoft Sentinel. This solution includes two (2) data connectors to help ingest the logs.

  1. Windows Security Events via AMA - This data connector helps in ingesting Security Events logs into your Log Analytics Workspace using the new Azure Monitor Agent. Microsoft recommends using this Data Connector.

  2. Security Events via Legacy Agent - This data connector helps in ingesting Security Events logs into your Log Analytics Workspace using the legacy Log Analytics agent.

A data collection rule (DCR) is required to select which events to stream. The data collection rule management page of the Windows Security Events via AMA connector lets you choose from All Security Events, Common, Minimal, and Custom.

References:

Windows Security Events

Windows Security Events via AMA connector for Microsoft Sentinel



Question: 179
Measured Skill: Monitor and troubleshoot Windows Server environments (20-25%)

You have an Azure subscription. The subscription contains a virtual machine named VM1 that runs Windows Server and is located in the East US Azure region.

The subscription contains the storage accounts shown in the following table.



You plan to configure the Diagnostic settings for VM1.

Which storage accounts should you specify for the settings?

A storage1 only
B storage1 and storage2 only
C storage1 and storage4 only
D storage1, storage2, and storage3 only
E storage1, storage2, storage3, and storage4

Correct answer: C

Explanation:

Each Azure resource requires its own diagnostic setting, which defines the following criteria:

  • Sources: The type of metric and log data to send to the destinations defined in the setting. The available types vary by resource type.
  • Destinations: One or more destinations to send to.

A single diagnostic setting can define no more than one of each of the destinations. If you want to send data to more than one of a particular destination type (for example, two different Log Analytics workspaces), create multiple settings. Each resource can have up to five diagnostic settings.

If you choose a storage account as the destination, the storage account needs to be in the same region as the resource being monitored if the resource is regional.

References:

Diagnostic settings in Azure Monitor

Create diagnostic settings in Azure Monitor






© Copyright 2014 - 2025 by cert2brain.com