
Exam SC-200 topic 3 question 91 discussion

Actual exam question from Microsoft's SC-200
Question #: 91
Topic #: 3

You have a Microsoft Sentinel workspace that has User and Entity Behavior Analytics (UEBA) enabled for Signin Logs.

You need to ensure that failed interactive sign-ins are detected. The solution must minimize administrative effort.

What should you use?

  • A. a scheduled alert query
  • B. the Activity Log data connector
  • C. a UEBA activity template
  • D. a hunting query
Suggested Answer: C

Comments

Alizade
Highly Voted 1 year, 7 months ago
Selected Answer: C
The correct answer is C. a UEBA activity template.
upvoted 10 times
Tuitor01
6 months, 2 weeks ago
I agree, there is a template literally named 'Failed * Interactive log-ins to host'.
upvoted 2 times
talosDevbot
Most Recent 8 months, 2 weeks ago
Selected Answer: A
Answer is A) scheduled alert query. You perform a query that looks for this activity in the BehaviorAnalytics and IdentityInfo tables. It's not UEBA activity template because once you create a user-defined activity using the template, UEBA will stop using all the other out-of-the-box activities it's already running. This means that if you use a template for one specific activity, you would have to recreate all the other activities/detections you want for UEBA.
upvoted 2 times
HAjouz
3 months, 4 weeks ago
A. a scheduled alert query: While you can create scheduled alert queries to detect failed sign-ins, this requires manual creation and maintenance of the query. UEBA activity templates offer a more automated and efficient solution.
upvoted 1 times
talosDevbot
8 months ago
https://learn.microsoft.com/en-us/azure/sentinel/customize-entity-activities?tabs=azure
upvoted 1 times
user636
10 months ago
Selected Answer: A
I'll go for Answer A. You can create a scheduled query rule and use the BehaviorAnalytics table to detect the failed sign-ins. Ref: https://learn.microsoft.com/en-us/azure/sentinel/anomalies-reference#anomalous-failed-sign-in

I've never heard of a "UEBA activity template" in Sentinel. There are indeed "Rule templates" that can be used to create analytics rules. Could the users who vote for "UEBA activity template" please provide a reference to the official Sentinel documentation?
upvoted 1 times
Tuitor01
7 months ago
Home > Microsoft Sentinel > Entity behavior > Customize Sentinel activity, then select the tab named 'Activity templates' next to 'My activities'.
upvoted 1 times
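As an added example of what option A entails (written for this page, not taken from any commenter or from Microsoft's own rule templates): a scheduled analytics rule query that counts failed interactive sign-ins in SigninLogs and enriches each user with the UEBA investigation priority from the BehaviorAnalytics table that talosDevbot and user636 mention. The 1h lookback, the threshold of 5 failures and the join on UserPrincipalName are assumptions.

```kql
// Added example: scheduled analytics rule query for option A.
// Assumptions (not from the thread): run every 1h over the last 1h,
// alert at 5 or more failures, UEBA context joined on UserPrincipalName.
let lookback = 1h;
let failure_threshold = 5;
// Failed interactive sign-ins, grouped by user and source IP.
let failed_interactive =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where IsInteractive == true      // interactive sign-ins only
    | where ResultType != "0"          // ResultType "0" is a successful sign-in
    | extend UserPrincipalName = tolower(UserPrincipalName)
    | summarize FailedCount = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated),
                ErrorCodes = make_set(ResultType),
                Apps = make_set(AppDisplayName)
        by UserPrincipalName, IPAddress
    | where FailedCount >= failure_threshold;
// UEBA enrichment: the highest investigation priority UEBA assigned to the
// user in the same window (BehaviorAnalytics is populated because UEBA is
// enabled for the sign-in logs).
let ueba_context =
    BehaviorAnalytics
    | where TimeGenerated > ago(lookback)
    | where isnotempty(UserPrincipalName)
    | extend UserPrincipalName = tolower(UserPrincipalName)
    | summarize MaxInvestigationPriority = max(InvestigationPriority)
        by UserPrincipalName;
failed_interactive
| join kind=leftouter ueba_context on UserPrincipalName
| project-away UserPrincipalName1
// users with no UEBA record in the window get priority 0 instead of null
| extend MaxInvestigationPriority = coalesce(MaxInvestigationPriority, int(0))
| order by MaxInvestigationPriority desc, FailedCount desc
```

In the rule wizard, map the Account entity to UserPrincipalName and the IP entity to IPAddress so the resulting incidents carry the same entities UEBA scores.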
li_ballesteros
11 months ago
Selected Answer: C
The question says "minimize effort" so I go for a template
upvoted 2 times
smosmo
1 year ago
Selected Answer: C
Answer is C, UEBA
upvoted 1 times
albatros06
1 year, 1 month ago
Selected Answer: C
UEBA activity templates in Microsoft Sentinel offer pre-built detection logic specifically designed for security scenarios like failed sign-ins.
upvoted 2 times
wheeldj
1 year, 1 month ago
Selected Answer: A
Scheduled alert query
upvoted 1 times
Orel123
1 year, 4 months ago
Tested in the portal. If you go to Microsoft Sentinel | Content hub and search for UEBA you will find it. There are built-in queries inside it.
upvoted 3 times
user636
10 months ago
Content hub solutions do not work unless you install them. The analytics rules in the content hub solution need to be installed in order for them to work.
upvoted 1 times
Ramye
1 year, 3 months ago
When you search it shows UEBA Essential and User And Entity Behavior Analytics but these are not a UEBA activity template.
upvoted 2 times
luisM14
1 year, 4 months ago
Selected Answer: A
correct
upvoted 1 times
DCT
1 year, 5 months ago
Selected Answer: A
a scheduled alert query
upvoted 2 times
Murtuza
1 year, 5 months ago
The given answer A is correct because the word DETECT implies using queries.
upvoted 2 times
shadowdark83
1 year, 7 months ago
Selected Answer: C
I think it is C, there is a template called "User Accounts - Sign in Failure due to CA Spikes" with the description: "Identifies spike in failed sign-ins from user accounts due to conditional access policies. Spike is determined based on Time series anomaly which will look at historical baseline values. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins This query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results."
upvoted 4 times
Fez786
1 year, 7 months ago
Selected Answer: A
scheduled query alert
upvoted 1 times
Fez786
1 year, 7 months ago
A scheduled alert query*
upvoted 1 times
chepeerick
1 year, 7 months ago
Correct option
upvoted 1 times
danb67
1 year, 8 months ago
Going for A. B: Data connector for subscription log activities. Doesn't seem relevant. C: Not a thing?? D: Would work I guess, but we would have to run it manually, not meeting the ask to minimise admin effort.
upvoted 4 times
meg4321
1 year, 2 months ago
C: UEBA Activity template exists
upvoted 2 times
Anil0512
1 year, 7 months ago
I second this.
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other