ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam SC-200 All Questions

View all questions & answers for the SC-200 exam
Go to Exam

Exam SC-200 topic 4 question 17 discussion

Actual exam question from Microsoft's SC-200
Question #: 17
Topic #: 4
[All SC-200 Questions]

HOTSPOT
-

You have an Azure subscription named Sub1. Sub1 contains a Microsoft Sentinel workspace named SW1 and a virtual machine named VM1 that runs Windows Server. SW1 collects security logs from VM1 by using the Windows Security Events via AMA connector.

You need to limit the scope of events collected from VM1. The solution must ensure that only audit failure events are collected.

How should you complete the filter expression for the connector? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Show Suggested Answer Hide Answer
Suggested Answer:
by Adel614 at April 21, 2025, 10:21 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Adel614
1 month, 3 weeks ago
Correct. Ref: https://learn.microsoft.com/en-us/azure/azure-monitor/vm/data-collection-windows-events#extract-xpath-queries-from-windows-event-viewer "Collect Security Log events with Event ID = 4648 and a process name of consent.exe: Security!*[System[(EventID=4648)]] and *[EventData[Data[@Name='ProcessName']='C:\Windows\System32\consent.exe']]" "Collect all success and failure Security events except for Event ID 4624 (Successful logon): Security!*[System[(band(Keywords,13510798882111488)) and (EventID != 4624)]]"
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel