SC-200 Free Practice Test

- (Topic 4)
You have a Microsoft Sentinel workspace named Workspace1 and 200 custom Advanced Security Information Model (ASIM) parsers based on the DNS schema. You need to make the 200 parsers available in Workspace1. The solution must minimize administrative effort. What should you do first?

1. A. Copy the parsers to the Azure Monitor Logs page.
2. B. Create a JSON file based on the DNS template.
3. C. Create an XML file based on the DNS template.
4. D. Create a YAML file based on the DNS template.

Correct Answer: A

HOTSPOT - (Topic 4)
You have a custom detection rule that includes the following KQL query.

For each of the following statements, select Yes if True. Otherwise select No. NOTE: Each correct selection is worth one point.

Solution:


Does this meet the goal?

1. A. Yes
2. B. No

Correct Answer: A

- (Topic 3)
You need to configure event monitoring for Server1. The solution must meet the Microsoft Sentinel requirements. What should you create first?

1. A. a Microsoft Sentinel automation rule
2. B. a Microsoft Sentinel scheduled query rule
3. C. a Data Collection Rule (DCR)
4. D. an Azure Event Grid topic

Correct Answer: C

- (Topic 4)
You have a Microsoft Sentinel workspace named Workspace1.
You need to exclude a built-in, source-specific Advanced Security information Model
(ASIM) parse from a built-in unified ASIM parser. What should you create in Workspace1?

1. A. a watch list
2. B. an analytic rule
3. C. a hunting query
4. D. a workbook

Correct Answer: A

HOTSPOT - (Topic 4)
You need to create a query for a workbook. The query must meet the following requirements:
✑ List all incidents by incident number.
✑ Only include the most recent log for each incident.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Solution:


Does this meet the goal?

1. A. Yes
2. B. No

Correct Answer: A