Exam SC-200 topic 7 question 15 discussion

Actual exam question from Microsoft's SC-200

Question #: 15
Topic #: 7

You have an Azure subscription that contains a Microsoft Sentinel workspace named WS1. WS1 has the Azure Activity connector and the Microsoft Entra ID connector configured.

You need to investigate which accounts have the most alerts and any corresponding incident information for each alert. The solution must minimize administrative effort.

What should you do first in WS1?

A. Use User and Entity Behavior Analytics (UEBA) to detect anomalies.
B. Enable User and Entity Behavior Analytics (UEBA).
C. From Content hub, install the Microsoft Purview insider risk management solution.
D. From Content hub, install Cloud Identity Threat Protection Essentials.

Show Suggested Answer

Suggested Answer: B 🗳️

by Dabinlo at Jan. 13, 2025, 8:17 a.m.

Comments

Submit Cancel

Dabinlo

3 months, 3 weeks ago

Selected Answer: B

UEBA needs to be enabled first before it can be used to detect anomalies. C and D are unrelated. So the answer is B

upvoted 4 times

Adel614

3 weeks, 5 days ago

To complete your comment, "Cloud Identity Threat Protection Essentials" uses the BehaviorAnalytics table which stores enriched events for Sentinel UEBA (https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/behavioranalytics). Therefore, "D" cannot be a "first" action. "B" is a first action.

upvoted 1 times

...

Exam SC-200 All Questions

View all questions & answers for the SC-200 exam

Exam SC-200 topic 7 question 15 discussion

Comments

Dabinlo

Adel614

SY0-701