Exam SC-200 topic 3 question 8 discussion

Correct - every sentinel deployment must have a workspace - and the union command is used to join multiple workspaces together.

Answer is B and E - you install sentinel on each workspace and then query using an union. An alternative to this is to use Azure Lighthouse.

100% the answer is B and E It's stated in Microsoft's documentation: https://learn.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants Under the "Include cross-workspace queries in scheduled analytics rules" section: "You must deploy Microsoft Sentinel on every workspace referenced in the query." Under the "Hunt across multiple workspaces" section: "Cross-workspace hunting capabilities enable your threat hunters to create new hunting queries, or adapt existing ones, to cover multiple workspaces, by using the union operator and the workspace() expression as shown above."

B AND E

Correct BE

B and C. Here is why: Option B is correct because you can query multiple workspaces in a single query by using the workspace() expression to refer to a table in a different workspace and the union operator to combine the results from multiple tables. Option C is correct because you can use the alias statement to simplify cross-workspace queries by saving a long reference to a table in another workspace as a function. Option A is not correct because adding the Security Events connector to the Azure Sentinel workspace does not enable you to query across multiple workspaces. Option D is not correct because there is no such thing as the resource expression or the alias operator in Kusto Query Language (KQL) Option E is not correct because adding the Azure Sentinel solution to each workspace does not allow you to perform cross-workspace hunting queries.

You can include up to 20 workspaces in a single query. However, for good performance, we recommend including no more than 5. You must deploy Microsoft Sentinel on every workspace referenced in the query.

According to the URL in the answer: Use the union operator alongside the workspace( ) expression to apply a query across tables in multiple workspaces. You must deploy Microsoft Sentinel on every workspace referenced in the query.

I see no reason why you would need more sentinel instances. Follow the design decision tree here: https://learn.microsoft.com/en-us/azure/sentinel/design-your-workspace-architecture#decision-tree I think B is obviously part of the solution. The question is what other choice. I am going with A. It makes more sense to me than making additional Sentinel instances. I wonder if you made all of them, which one would you be hunting in? A and B for me.

chatgpt says 'B E' using exact question with given answers. E. You need to add the Azure Sentinel solution to each Log Analytics workspace that you want to search. This allows Azure Sentinel to collect data from the workspace and store it in the Azure Sentinel workspace.

. Create a query that uses the workspace expression and the union operator, and D. Create a query that uses the resource expression and the alias operator Create a query that uses the workspace expression and the union operator to combine the data from all the Log Analytics workspaces. For example: union * | where TimeGenerated > ago(1d) Create a query that uses the resource expression and the alias operator to query data from specific resources across all the subscriptions. For example AzureActivity | where ResourceProviderValue == "Microsoft.Compute" | where OperationNameValue == "Microsoft.Compute/virtualMachines/delete" | project SubscriptionId, ResourceGroup, Resource, Caller, TimeGenerated, ActivityStatus | summarize count() by Resource

I think it's A B, A - security events connector is called "Security events via legacy agent" and it's Legacy version based on the Microsoft Monitor Agent / Log Analytics" and the question states that windows events of the VM's are stored in a log analytics workspace. Reference: https://jeffreyappel.nl/collect-security-events-in-sentinel-with-the-new-ama-agent-and-dcr/

Should the answer include a data connector if it is a new Sentinel?

Your company has an Azure subscription that hosts resources in multiple Azure regions in different countries. What are two primary drawbacks of implementing single-tenant with regional workspaces Microsoft Sentinel in your environment as compared to the single-tenant single workspace option? Each correct answer presents part of the solution. Limited support for querying data across workspaces Increased cost of network bandwidth Lack of a single pane of glass Increased cost of compute services Increased deployment complexity

let subscriptions = [subscription1, subscription2, ...]; union withsource=source ( workspace("workspace1").SecurityEvent | where TimeGenerated >= ago(1d), workspace("workspace2").SecurityEvent | where TimeGenerated >= ago(1d), ... )

Questions states, "All the subscriptions use the same Azure Active Directory (Azure AD) tenant" - from MS - Multiple Azure tenants Microsoft Sentinel supports data collection from Microsoft and Azure SaaS resources only within its own Azure Active Directory (Azure AD) tenant boundary. Therefore, each Azure AD tenant requires a separate workspace. Since we are using the same AD the answer should be A and B. Also it would be a pain to manage all these Sentinel instances. https://learn.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants

Correct. LAs need sentinels and then query with union