Exam SC-200 topic 3 question 16 discussion

Actual exam question from Microsoft's SC-200
Question #: 16
Topic #: 3

You have an Azure Sentinel deployment in the East US Azure region.
You create a Log Analytics workspace named LogsWest in the West US Azure region.
You need to ensure that you can use scheduled analytics rules in the existing Azure Sentinel deployment to generate alerts based on queries to LogsWest.
What should you do first?

  • A. Deploy Azure Data Catalog to the West US Azure region.
  • B. Modify the workspace settings of the existing Azure Sentinel deployment.
  • C. Add Azure Sentinel to a workspace.
  • D. Create a data connector in Azure Sentinel.
Suggested Answer: C

Comments

Eltooth
Highly Voted 3 years, 7 months ago
Correct answer - C. Cross-workspace queries can now be included in scheduled analytics rules. You can use cross-workspace analytics rules in a central SOC, and across tenants (using Azure Lighthouse) as in the case of an MSSP, subject to the following limitations:
* Up to 20 workspaces can be included in a single query.
* Azure Sentinel must be deployed on every workspace referenced in the query.
* Alerts generated by a cross-workspace analytics rule, and the incidents created from them, exist only in the workspace where the rule was defined. They will not be displayed in any of the other workspaces referenced in the query.
https://docs.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants#cross-workspace-workbooks
upvoted 28 times
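A scheduled analytics rule query of the kind the comment above describes, as an added example that is not part of the original post or of Microsoft's documentation. It assumes Azure Sentinel has already been added to LogsWest, that the `SecurityEvent` table is collected in both workspaces, and that the lookback window and threshold are constructed values.

```kusto
// Added example: cross-workspace query for a scheduled analytics rule defined
// in the existing (East US) Sentinel workspace.
// Assumptions: Sentinel is enabled on LogsWest; SecurityEvent exists in both
// workspaces; lookback and threshold are illustrative values.
let lookback = 1h;
let threshold = 10;
union
    // Rows from the workspace where the rule is defined
    (SecurityEvent
        | extend SourceWorkspace = "local"),
    // Rows from the second workspace, referenced with workspace()
    (workspace("LogsWest").SecurityEvent
        | extend SourceWorkspace = "LogsWest")
| where TimeGenerated > ago(lookback)
| where EventID == 4625                      // failed logon
| summarize
    FailedLogons = count(),
    Workspaces   = make_set(SourceWorkspace),
    FirstSeen    = min(TimeGenerated),
    LastSeen     = max(TimeGenerated)
    by TargetAccount, IpAddress
| where FailedLogons >= threshold
```

Alerts and incidents from this rule appear only in the workspace where the rule is defined, and each `workspace()` reference counts toward the 20-workspace limit quoted in the comment.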
9802f06
Most Recent 1 week, 6 days ago
Selected Answer: D
To ensure that you can use scheduled analytics rules in the existing Azure Sentinel deployment to generate alerts based on queries to the Log Analytics workspace named LogsWest, you should first: D. Create a data connector in Azure Sentinel. Creating a data connector will allow Azure Sentinel to connect to the LogsWest workspace and query the data stored there. This is a necessary step to integrate the workspace with your existing Azure Sentinel deployment and enable the scheduled analytics rules to generate alerts based on the data in LogsWest.
upvoted 1 times
xRiot007
5 months ago
Selected Answer: C
Unless you are using a central SOC or Lighthouse, you need to deploy Sentinel on every workspace referenced in the query: https://learn.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants#include-cross-workspace-queries-in-scheduled-analytics-rules
upvoted 1 times
g_man_rap
9 months ago
Selected Answer: D
C. Add Azure Sentinel to a workspace.
Why this is incorrect: Adding Azure Sentinel to a workspace is the initial step to enable Sentinel capabilities on that particular Log Analytics workspace. However, since the existing deployment is already in the East US region and you need to work with the LogsWest workspace, this option doesn't solve the problem of querying across regions.
D. Create a data connector in Azure Sentinel.
Why this is correct: To use data from the LogsWest Log Analytics workspace within your Azure Sentinel deployment in the East US, you need to create a data connector in Azure Sentinel. A data connector allows you to ingest data from various sources, including other Log Analytics workspaces, into Azure Sentinel. Once the data connector is set up, Azure Sentinel can generate alerts based on queries to the LogsWest workspace.
upvoted 3 times
chepeerick
1 year, 6 months ago
Correct
upvoted 1 times
mali1969
1 year, 8 months ago
Selected Answer: D
To use scheduled analytics rules in the existing Azure Sentinel deployment to generate alerts based on queries to LogsWest, you need to first create a data connector in Azure Sentinel. A data connector is a way to connect data sources to Azure Sentinel, so that you can collect and analyze data from various sources such as Azure services, Microsoft 365, or other cloud or on-premises solutions. By creating a data connector, you can enable Azure Sentinel to ingest data from LogsWest and use it for scheduled analytics rules. Therefore, the correct answer is D. Create a data connector in Azure Sentinel.
upvoted 1 times
donathon
1 year, 9 months ago
Selected Answer: C
https://learn.microsoft.com/en-us/azure/sentinel/quickstart-onboard >> So since you need to create the workspace first, then logically you should do C first, followed by D. So my answer is C.
upvoted 3 times
[Removed]
2 years, 2 months ago
Selected Answer: D
To use scheduled analytics rules in an existing Azure Sentinel deployment to generate alerts based on queries to a Log Analytics workspace in a different region, you need to create a data connector in Azure Sentinel. Therefore, the correct answer is: D. Create a data connector in Azure Sentinel.
upvoted 2 times
wsrudmen
2 years, 2 months ago
This account "exmITQS" seems a little bit strange to me. A lot of wrong answers and explanations in different questions. If it's not the intent, I'm really sorry for my message. But others, take care not to be confused.
upvoted 10 times
stredovek
2 years, 2 months ago
I dare say that exmITQS is posting answers from https://chat.openai.com/
upvoted 7 times
7c0a
1 year, 10 months ago
Indeed, and using ChatGPT for this matter is very unreliable.
upvoted 5 times
stromnessian
3 years, 2 months ago
Selected Answer: C
I'm going for C here.
upvoted 4 times