
Exam SC-200 topic 5 question 11 discussion

Actual exam question from Microsoft's SC-200
Question #: 11
Topic #: 5

HOTSPOT

You have on-premises servers that run Windows Server.

You have a Microsoft Sentinel workspace named SW1. SW1 is configured to collect Windows Security log entries from the servers by using the Azure Monitor Agent data connector.

You plan to limit the scope of collected events to events 4624 and 4625 only.

You need to use a PowerShell script to validate the syntax of the filter applied to the connector.

How should you complete the script? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

inkedia3
Highly Voted 10 months ago
question in exams 08/04. Answer is correct
upvoted 5 times
...
brichardson14
Highly Voted 1 year ago
Seems correct https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent?tabs=portal#filter-events-using-xpath-queries
upvoted 5 times
...
OneplusOne
Most Recent 2 weeks ago
Here is a blog detailing xpath query creation: https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/how-to-create-an-xpath-filter-for-a-data-collection-rule/4252748
upvoted 1 times
...
Optimizor_IT
2 months ago
Correct.
$events = 'Security!*[System[(EventID=4624 or EventID=4625)]]'
Get-WinEvent -LogName 'Security' -FilterXPath $events
upvoted 1 times
...
HAjouz
3 months, 1 week ago
Get-WinEvent [-MaxEvents <Int64>] [-ComputerName <String>] [-Credential <PSCredential>] [-FilterXml] <XmlDocument> [-Oldest] [<CommonParameters>]
upvoted 1 times
...
smanzana
10 months, 2 weeks ago
Correct
upvoted 2 times
...
renrenren
1 year ago
Not 1st option: A, 2nd option: -FilterHashtable?
upvoted 2 times
VeiN
7 months, 2 weeks ago
No, because the Data Collection Rule where you define the event sources sent via AMA uses an XPath filter, which you need to copy into the PS Get-WinEvent. Please check the article below and the tip. https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-windows-events#extract-xpath-queries-from-windows-event-viewer
upvoted 1 times
...
...
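A local syntax check for the filter discussed in this thread, as an added example that is not part of the exam question or of any comment above. It assumes the filter is written in the data collection rule form `LogName!XPath` described in the linked Microsoft documentation; the function name `Test-DcrXPathFilter` and the status labels are hypothetical.

```powershell
# Added example: split a DCR-style filter ("<LogName>!<XPath>") and test the XPath locally.
function Test-DcrXPathFilter {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Filter   # e.g. 'Security!*[System[(EventID=4624 or EventID=4625)]]'
    )

    # Split on the first '!' only, so an XPath that contains '!=' stays intact.
    $logName, $xpath = $Filter -split '!', 2
    if ([string]::IsNullOrWhiteSpace($logName) -or [string]::IsNullOrWhiteSpace($xpath)) {
        throw "Expected '<LogName>!<XPath>', got: $Filter"
    }

    $result = [pscustomobject]@{
        LogName = $logName
        XPath   = $xpath
        Status  = $null
        Detail  = $null
    }

    try {
        # Get-WinEvent takes the log name and the XPath as separate parameters.
        # Reading the Security log requires an elevated session or Event Log Readers membership.
        $events = @(Get-WinEvent -LogName $logName -FilterXPath $xpath -MaxEvents 5 -ErrorAction Stop)
        $result.Status = 'ValidWithMatches'
        $result.Detail = ($events | Group-Object Id |
            ForEach-Object { "EventID $($_.Name) x$($_.Count)" }) -join ', '
    }
    catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            # The query parsed, but no local event matched it.
            $result.Status = 'ValidNoMatches'
        }
        else {
            # Invalid query syntax, unknown log name, or access denied; see Detail.
            $result.Status = 'Failed'
        }
        $result.Detail = $_.Exception.Message
    }
    $result
}

# The filter from the question, then a constructed variant with an unbalanced bracket.
Test-DcrXPathFilter 'Security!*[System[(EventID=4624 or EventID=4625)]]'
Test-DcrXPathFilter 'Security!*[System[(EventID=4624 or EventID=4625)]'
```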