Exam SC-200 topic 5 question 10 discussion

Actual exam question from Microsoft's SC-200
Question #: 10
Topic #: 5

DRAG DROP

You have a Microsoft Sentinel workspace that contains the following Advanced Security Information Model (ASIM) parsers:

• _Im_ProcessCreate
• imProcessCreate

You create a new source-specific parser named vimProcessCreate.

You need to modify the parsers to meet the following requirements:

• Call all the ProcessCreate parsers.
• Standardize fields to the Process schema.

Which parser should you modify to meet each requirement? To answer, drag the appropriate parsers to the correct requirements.

Each parser may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

Optimizor_IT
2 months, 1 week ago
Both requirements point to modifying the same parser: imProcessCreate. Here’s why: Calling All Parsers: imProcessCreate can be updated to invoke _Im_ProcessCreate (for built-in sources) and vimProcessCreate (your source), aggregating all ProcessCreate data. Standardizing Fields: imProcessCreate, as the normalizing layer, can then map the combined output to the Process schema.
upvoted 1 times
rkrau
4 months, 2 weeks ago
Call all the ProcessCreate parsers: Modify the _Im_ProcessCreate parser. This is the unifying parser that calls all source-specific parsers related to the ProcessCreate schema. Standardize fields to the Process schema: Modify the vimProcessCreate parser. This is your new source-specific parser, and you need to ensure it maps the source event fields to the standardized Process schema.
upvoted 1 times
g_man_rap
9 months, 4 weeks ago
Call all the ProcessCreate parsers: The appropriate parser here is vimProcessCreate because it's the custom parser you created for your specific source, and it should be responsible for calling the other ProcessCreate parsers to ensure all relevant data is processed. Standardize fields to the Process schema: The parser that should be modified for standardizing fields is _Im_ProcessCreate. This parser is generally responsible for normalizing data fields according to the ASIM Process schema. Since it's a standard parser, it should already be configured to ensure fields match the Process schema.
upvoted 4 times
Tuitor01
6 months, 1 week ago
Unifying parsers contain a union directive to make sure all the specific parsers are called when invoked. There are built-in read-only parsers (starting with _) and workspace built-in parsers that start with "im". For that reason: 1) imProcessCreate and 2) vimProcessCreate, since it's your custom parser and you're the one responsible for correctly mapping your tables and normalizing your data source. Finally, custom ASIM parsers are deployed at workspace level.
upvoted 3 times
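As an added illustration of the two parser roles the question contrasts (this is not code from the page or from Microsoft's ASIM repository): the unifying parser only calls the source-specific parsers and unions their output, while the source-specific parser is where raw columns are mapped to the Process schema. The raw table Contoso_CL and its columns are constructed, and the parameter signature, the schema version value and the call to _Im_ProcessCreate inside the union are assumptions for this example.

```kql
// Added example, not from the page. In practice each function below is saved as a
// workspace function; they are written as let statements here so the query is self-contained.
// Contoso_CL and its columns are constructed; the parameter list is assumed.

// Requirement 2, "standardize fields": the source-specific parser vimProcessCreate reads the
// raw table and maps its columns to ASIM Process schema field names.
let vimProcessCreate = (starttime:datetime=datetime(null), endtime:datetime=datetime(null),
                        commandline_has_any:dynamic=dynamic([]), disabled:bool=false) {
    Contoso_CL                                  // constructed custom log table
    | where not(disabled)
    | where (isnull(starttime) or TimeGenerated >= starttime)
        and (isnull(endtime) or TimeGenerated <= endtime)
    | where array_length(commandline_has_any) == 0 or cmdline_s has_any (commandline_has_any)
    | project-rename                            // raw column -> schema field
        TargetProcessName        = image_s,
        TargetProcessCommandLine = cmdline_s,
        TargetProcessId          = pid_s,
        ActingProcessName        = parent_image_s,
        ActorUsername            = user_s,
        DvcHostname              = host_s
    | extend                                    // event fields the schema requires
        EventVendor = "Contoso", EventProduct = "EDR",
        EventSchema = "ProcessEvent", EventSchemaVersion = "0.1.4",   // version assumed
        EventType = "ProcessCreated", EventResult = "Success", EventCount = int(1),
        EventStartTime = TimeGenerated, EventEndTime = TimeGenerated
    | extend                                    // schema aliases
        Process = TargetProcessName, CommandLine = TargetProcessCommandLine,
        User = ActorUsername, Dvc = DvcHostname
};

// Requirement 1, "call all the ProcessCreate parsers": the workspace unifying parser
// imProcessCreate does no field mapping itself; it only unions every source-specific parser,
// so registering the new source means adding one line to this union.
let imProcessCreate = (starttime:datetime=datetime(null), endtime:datetime=datetime(null),
                       commandline_has_any:dynamic=dynamic([]), disabled:bool=false) {
    union isfuzzy=true                          // isfuzzy tolerates a missing parser
        _Im_ProcessCreate(starttime, endtime, commandline_has_any, disabled), // built-in sources (assumed call)
        vimProcessCreate(starttime, endtime, commandline_has_any, disabled)   // the new source
};

// Consumers (rules, hunting queries) call the unifying parser, never the raw table,
// so the same query covers every source that was normalized.
imProcessCreate(starttime=ago(1d))
| summarize ProcessStarts = count() by Dvc, User, Process
| order by ProcessStarts desc
```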
Community vote distribution: A (35%), C (25%), B (20%), Other