
Exam SC-200 topic 3 question 18 discussion

Actual exam question from Microsoft's SC-200
Question #: 18
Topic #: 3

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are configuring Azure Sentinel.
You need to create an incident in Azure Sentinel when a sign-in to an Azure virtual machine from a malicious IP address is detected.
Solution: You create a scheduled query rule for a data connector.
Does this meet the goal?

  • A. Yes
  • B. No
Suggested Answer: B

Comments

stromnessian
Highly Voted 3 years, 6 months ago
You can create scheduled rules from Data connector pages (Next steps tab). But the bottom line is whoever wrote this question should be fired on the spot.
upvoted 49 times
Tuitor01
8 months, 1 week ago
I agree if the "for a data connector" means using logs/data coming from a data connector.
upvoted 1 times
a_kto_to
Most Recent 4 months ago
Selected Answer: A
ChatGPT: YES, scheduled KQL query. Correct approach: Create a Scheduled Analytics Rule in Sentinel using KQL.
upvoted 1 times
fnwilliamson
9 months, 2 weeks ago
Selected Answer: B
Answer is B
upvoted 3 times
talosDevbot
10 months, 1 week ago
Selected Answer: B
Answer is: No. You write a scheduled analytics rule for a table (like the SecurityEvent table). The "Windows Security Events via AMA" connector writes to the SecurityEvent table. This connector collects security events from Windows machines, such as sign-in events. You will write a scheduled/NRT analytics rule that will have a KQL query on the SecurityEvent table, looking for IP addresses in sign-in events.
upvoted 3 times
dyavlito
11 months, 1 week ago
ChatGPT 4: Yes, this solution meets the goal. Creating a scheduled query rule in Azure Sentinel for a data connector can help detect specific conditions, such as sign-ins from malicious IP addresses. You can configure the query to monitor sign-ins to Azure virtual machines and set the rule to trigger an incident when a sign-in is detected from a malicious IP, which is aligned with the goal.
upvoted 1 times
scfitzp
1 year, 1 month ago
Just creating a scheduled query rule doesn't inherently meet the requirements. Creating an NRT rule or an incident creation rule by default puts you CLOSER to a correct answer; and another answer option in this specific series of questions is "creating an incident creation rule".
upvoted 1 times
DChilds
1 year, 3 months ago
B You create a Microsoft incident creation rule for a data connector.
upvoted 3 times
Mducks
1 year, 6 months ago
Selected Answer: A
I think correct answer is B: https://learn.microsoft.com/en-us/azure/sentinel/create-incidents-from-alerts See heading: Enable incident generation automatically during connection
upvoted 1 times
Ramye
1 year, 5 months ago
Which one? You selected A and then saying correct answer B 🤷🏻‍♂️
upvoted 5 times
im20batman
1 year, 8 months ago
Selected Answer: A
A is Correct
upvoted 3 times
chepeerick
1 year, 9 months ago
Correct
upvoted 1 times
donathon
1 year, 11 months ago
Selected Answer: B
I think the answer is no.
upvoted 3 times
JoeP1
2 years ago
Selected Answer: B
I think the correct answer is B because the incident will be created when the query is scheduled to run, not at the time that the sign-in from the malicious IP was detected.
upvoted 3 times
evilprime
2 years, 4 months ago
CHATGPT: No. Creating a scheduled query rule for a data connector will not directly meet the goal of creating an incident in Azure Sentinel when a sign-in to an Azure virtual machine from a malicious IP address is detected. To achieve the goal, you would need to create an analytics rule that queries the relevant logs for sign-ins to Azure virtual machines and uses a detection algorithm to identify malicious IP addresses. This rule should then be set up to trigger an incident when a malicious sign-in is detected.
upvoted 4 times
Fez786
1 year, 11 months ago
We don't care what ChatGPT thinks. Stop posting answers from ChatGPT. Kids...
upvoted 23 times
antoniokt
2 years, 5 months ago
Selected Answer: A
A is Correct
upvoted 2 times
wsrudmen
2 years, 5 months ago
Selected Answer: A
When you configure a scheduled query, on "Set rule logic" and "Incident settings" you can define whether to raise an alert and how to group alerts into incidents. NB: creating a Microsoft incident creation rule is part of a scheduled query. Microsoft's wording for this question is weird... I don't understand why there are all these NOs in the discussion. If someone has a good explanation, please don't hesitate.
upvoted 4 times
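An added example, not from the question or from any commenter: the scheduled analytics rule talosDevbot describes (a KQL query over SecurityEvent sign-in events) together with the incident setting wsrudmen mentions, written as a Bicep resource. It assumes a Log Analytics workspace named sentinel-ws (hypothetical) whose SecurityEvent table is fed by the Windows Security Events connector and whose ThreatIntelligenceIndicator table is fed by a threat-intelligence connector; the rule id is a placeholder.

```bicep
// Added example, not from the page: a Scheduled rule that matches VM sign-ins
// against threat-intelligence IP indicators and creates an incident. Assumes a
// workspace 'sentinel-ws' (hypothetical) with SecurityEvent and ThreatIntelligenceIndicator populated.
param workspaceName string = 'sentinel-ws'

resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

resource maliciousIpSignIn 'Microsoft.SecurityInsights/alertRules@2023-02-01' = {
  name: '00000000-0000-0000-0000-000000000000' // placeholder rule id (normally a GUID)
  scope: workspace
  kind: 'Scheduled'
  properties: {
    displayName: 'VM sign-in from threat-intelligence IP'
    enabled: true
    severity: 'High'
    queryFrequency: 'PT1H' // run every hour
    queryPeriod: 'PT1H'    // over the last hour of data
    triggerOperator: 'GreaterThan'
    triggerThreshold: 0    // any matching row raises an alert
    suppressionEnabled: false
    suppressionDuration: 'PT1H'
    tactics: [ 'InitialAccess' ]
    // Successful network (3) or RDP (10) logons whose source IP matches an active, unexpired indicator.
    query: '''
      let ti = ThreatIntelligenceIndicator
        | where TimeGenerated >= ago(30d)
        | where Active == true and ExpirationDateTime > now()
        | where isnotempty(NetworkIP)
        | summarize arg_max(TimeGenerated, *) by IndicatorId
        | project NetworkIP, Description, ThreatType, ConfidenceScore;
      SecurityEvent
        | where EventID == 4624 and LogonType in (3, 10)
        | where isnotempty(IpAddress) and IpAddress !in ("-", "::1", "127.0.0.1")
        | join kind=inner ti on $left.IpAddress == $right.NetworkIP
        | project TimeGenerated, Computer, Account, IpAddress, LogonType, ThreatType, Description, ConfidenceScore
    '''
    entityMappings: [
      { entityType: 'IP', fieldMappings: [ { identifier: 'Address', columnName: 'IpAddress' } ] }
      { entityType: 'Host', fieldMappings: [ { identifier: 'HostName', columnName: 'Computer' } ] }
    ]
    // The scheduled rule itself controls whether its alerts become incidents.
    incidentConfiguration: { createIncident: true }
  }
}
```

The rule's own incidentConfiguration is what turns a match into an incident; a separate Microsoft incident creation rule is only needed for alerts produced by other Microsoft security products.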
amsioso
2 years, 11 months ago
NO After connecting your data sources to Microsoft Sentinel, create custom analytics rules to help discover threats and anomalous behaviors in your environment. Analytics rules search for specific events or sets of events across your environment, alert you when certain event thresholds or conditions are reached, generate incidents for your SOC to triage and investigate, and respond to threats with automated tracking and remediation processes. https://docs.microsoft.com/en-us/azure/sentinel/detect-threats-custom
upvoted 1 times
Whatsamattr81
3 years ago
I dunno... You can create alerts from scheduled queries. You can then create incidents from alerts. The question doesn't suggest you can't. Pretty sure (in preview) you can now create incidents based on this alone.
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)