
Exam SC-200 topic 3 question 65 discussion

Actual exam question from Microsoft's SC-200
Question #: 65
Topic #: 3

HOTSPOT

You have a Microsoft Sentinel workspace named Workspace1.

You configure Workspace1 to collect DNS events and deploy the Advanced Security Information Model (ASIM) unifying parser for the DNS schema.

You need to query the ASIM DNS schema to list all the DNS events from the last 24 hours that have a response code of ‘NXDOMAIN’ and were aggregated by the source IP address in 15-minute intervals. The solution must maximize query performance.

How should you complete the query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

ultraRunningCA
Highly Voted 1 year, 8 months ago
First box is correct, second option should be (and correct me if I'm wrong) (starttime=ago(1d), responsecodename='NXDOMAIN').

Question states: 'from the last 24 hrs' and 'The solution must maximize query performance'. Both the second and third option in the second box give 'TimeGenerate>ago(1d)', for me that reads as events generated greater than the last 24 hours - not what we're looking for.

So the query is: _Im_Dns(starttime=ago(1d), responsecodename='NXDOMAIN') | summarize count() by SrcIpAddr, bin(TimeGenerated,15m)

Using the link Albonzi gives, https://learn.microsoft.com/en-us/azure/sentinel/normalization-about-parsers#optimizing-parsing-using-parameters: "Every schema that supports filtering parameters supports at least the starttime and endtime parameters and using them is often critical for optimizing performance"
upvoted 14 times
7c0a
1 year, 5 months ago
upvoted only because of the filtering parameters - improves performance
upvoted 3 times
789sv
1 year, 6 months ago
The link in reference to this is https://learn.microsoft.com/en-us/azure/sentinel/normalization-about-parsers#unifying-parsers
upvoted 5 times
dalancoburn
1 year, 6 months ago
You are thinking about this wrong. A time that is greater than 9am is 10am, so all times that are greater than 1 day ago (e.g. 9am yesterday) would cover 9am yesterday to 9am today (the current time). So second option would be correct for the second box as filtering by the time first is far less costly.
upvoted 4 times
Walaakb
1 year, 8 months ago
I think you are right
upvoted 2 times
Ramye
Most Recent 9 months, 2 weeks ago
Ans are: _Im_Dns(starttime=ago(1d), responsecodename='NXDOMAIN') | summarize count() by SrcIpAddr, bin(TimeGenerated,15m)

This is because of the performance as clearly mentioned in the below article: _Im_Dns(starttime=ago(1d), responsecodename='NXDOMAIN') | summarize count() by SrcIpAddr, bin(TimeGenerated,15m)
upvoted 2 times
mspcute
1 year ago
Answer: 1. _Im_Dns 2. (starttime=ago(1d), responsecodename='NXDOMAIN') https://learn.microsoft.com/en-us/azure/sentinel/normalization-about-parsers#unifying-parsers
upvoted 1 times
chepeerick
1 year, 1 month ago
Check tables here https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-dns
upvoted 1 times
danb67
1 year, 1 month ago
_Im_Dns(starttime=ago(1d), responsecodename='NXDOMAIN') | summarize count() by SrcIpAddr, bin(TimeGenerated,15m)

The example uses filtering parameters, which improve ASIM performance. The same example without filtering parameters would look like this:

_Im_Dns | where TimeGenerated > ago(1d) | where ResponseCodeName =~ "NXDOMAIN" | summarize count() by SrcIpAddr, bin(TimeGenerated,15m)
upvoted 1 times
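As an added example (not from the exam, the thread, or Microsoft's documentation), the filtering-parameter form the commenters arrive at, carried one step further into a simple NXDOMAIN-burst detection. It assumes the ASIM DNS unifying parser _Im_Dns is deployed in the workspace and that the endtime parameter is supported alongside starttime, as the thread's quoted documentation states; the threshold value is constructed for illustration.

```kusto
// Added example, not the exam's answer key or Microsoft's sample query.
// Assumes _Im_Dns (ASIM DNS unifying parser) is deployed in Workspace1.
let lookback  = 1d;     // "last 24 hours" from the question
let bucket    = 15m;    // "15-minute intervals" from the question
let threshold = 200;    // constructed value: NXDOMAIN answers per source per bucket worth a look
// starttime/endtime/responsecodename are parser filtering parameters: the time
// and response-code filters are applied inside the parser before the source
// tables are normalized, which is why this form is cheaper than
// "_Im_Dns | where TimeGenerated > ago(1d) | where ResponseCodeName =~ 'NXDOMAIN'".
_Im_Dns(starttime=ago(lookback), endtime=now(), responsecodename='NXDOMAIN')
| summarize NxCount = count(),
            SampleDomains = make_set(DnsQuery, 5)   // a few of the names that failed, for triage
    by SrcIpAddr, TimeBin = bin(TimeGenerated, bucket)
// Drop the threshold line to get exactly the aggregation the question asks for;
// keeping it surfaces sources whose NXDOMAIN rate in a 15-minute window is
// unusually high, a common symptom of misconfiguration or lookup-heavy malware.
| where NxCount >= threshold
| order by NxCount desc, TimeBin asc
```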
danb67
1 year, 1 month ago
_Im_Dns(starttime=ago(1d), responsecodename='NXDOMAIN') | summarize count() by SrcIpAddr, bin(TimeGenerated,15m) https://learn.microsoft.com/en-us/azure/sentinel/normalization-about-parsers#unifying-parsers
upvoted 1 times
donathon
1 year, 3 months ago
https://learn.microsoft.com/en-us/azure/sentinel/normalization-about-parsers#unifying-parsers
upvoted 1 times
JoeP1
1 year, 4 months ago
What I see as a problem with the first answer of the second box is that the syntax is wrong. The Microsoft example many people cite is: (starttime=ago(1d), responsecodename='NXDOMAIN') The answer option is: (starttime=ago(1d).responsecodename='NXDOMAIN' It has a period instead of a comma after ago(1d) and is missing the ending parenthesis. Either the test creator is very sloppy or that is not the correct answer.
upvoted 2 times
davidli
1 year, 1 month ago
Yes, it is a dot instead of a comma, so "where TimeGenerated..." should be correct.
upvoted 1 times
omar_alhajsalem
1 year, 6 months ago
First option is right; the second one must be starttime=ago..... because he says in the question it must improve and increase ASIM performance. https://learn.microsoft.com/en-us/azure/sentinel/normalization-about-parsers#unifying-parsers
upvoted 2 times
Albonzi
1 year, 9 months ago
Looks correct. https://learn.microsoft.com/en-us/azure/sentinel/normalization-about-parsers _Im_Dns | where TimeGenerated > ago(1d) | where ResponseCodeName =~ "NXDOMAIN" | summarize count() by SrcIpAddr, bin(TimeGenerated,15m)
upvoted 4 times
ultraRunningCA
1 year, 8 months ago
You're right that the answer is on the page you've quoted, but the sample you've quoted is *without* filtering parameters... we want the query optimised... surely the second answer should be (starttime=ago(1d), responsecodename='NXDOMAIN')?
upvoted 2 times
liliap
1 year, 8 months ago
Agree. It asks to maximize query performance; (| where ResponseCodeName =~ "NXDOMAIN") is the key line here.
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)