Knowledge check

1.

A security engineer needs to deploy the required encryption configuration to 400 storage accounts that Defender for Cloud flagged as noncompliant. The same configuration change is needed on every resource. What is the most efficient approach?

Create a governance rule to assign the storage team as owner of the recommendation with a 30-day deadline.

Use the Fix action on the recommendation to automatically deploy the required configuration to all selected noncompliant resources at once.

Export the recommendation list to CSV and update each storage account through the Azure portal.

Create a new Azure Policy definition with an Audit effect to report the noncompliant storage accounts.

2.

Contoso's security team creates a custom security standard in Defender for Cloud to enforce internal security policies. What technology does Defender for Cloud use as the foundation for custom security standards?

Microsoft Sentinel analytics rules

Azure Policy initiatives

Microsoft Secure Score control categories

Defender for Cloud workflow automation rules

3.

A Defender for Cloud recommendation flags a resource as noncompliant, but the security team confirmed that an alternative compensating control addresses the same risk. The resource should continue to be tracked but excluded from compliance calculations. Which exemption category is appropriate?

Waiver—the risk identified by the recommendation has been accepted by the organization.

Mitigated—an alternative control addresses the same risk that the recommendation targets.

In grace period resource, need more time to implement the required control.

Risk accepted—the recommendation severity is too low to justify the remediation effort.

Check your knowledge

Feedback