Exam SC-200 topic 3 question 46 discussion

C. Common Event Format connector. Minimize the parsing required to read fog data. CEF connector sends Common Event Format data which means easy to read. As for administrative effort. You only need to configure the CEF server to listen for syslog from all the linux vms and then send the CEF data to Sentinel.

Linux = Syslog, most of the time

It says minimized administrative effort and parsing. so answer is C (CEF)

I go for D, here is what chatgpt says: While Syslog Connector (D) minimizes effort for Linux VMs out of the box, Common Event Format (CEF) Connector (C) may be the preferred answer if your environment has a mandate for standardized log formats (CEF) or if someone is familiar with its parsing benefits for Sentinel integration. If people insist C is the answer, it’s likely because: CEF is more structured and standard for parsing logs in Sentinel. Organizations that standardize on CEF might already be leveraging this. Decision: If minimizing setup effort is your top priority: D. Syslog Connector. If aligning with structured CEF log ingestion is required: C. Common Event Format (CEF).

C. CEF Connector CEF connector writes to the CommonSecurityLog table with the fields already parsed --- To collect events from Linux-based devices: - Syslog daemon in the devices forward events to Azure Monitor Agents (AMA) - AMA can receive plain Syslog or CEF events - AMA forwards to Log Analytics workspace

Answer is C. CEF message format does not require parsing in Sentinel. Syslogs messages from Syslog connector, will require an additional parsing using a parser. https://learn.microsoft.com/en-us/training/modules/connect-syslog-data-sources-to-azure-sentinel/5-parse-syslog-data

“Minimize the parsing required to read fog data“ is the key to choosing option C and not D

This format includes more information than the standard Syslog format, and it presents the information in a parsed key-value arrangement. The Log Analytics Agent accepts CEF logs and formats them especially for use with Microsoft Sentinel, before forwarding them on to your Microsoft Sentinel workspace. CEF will produce more logs thus more data to parse

The advantage of CEF over Syslog is that it ensures the data is normalized making it more immediately useful for analysis using Sentinel. Explanation 👇 https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/best-practices-for-common-event-format-cef-collection-in-azure/ba-p/969990

"Evert"? Is that a typo?

I go with D.

Option Correct

D: syslog ptions like a Log Analytics Data Collector API (Option A) or REST API integration (Option B) may require more custom configurations and scripting to handle the data collection and parsing

Linux natively outputs Syslog messages, making it a seamless choice for monitoring with Azure Sentinel. Configuring Linux for CEF often involves extra steps, increasing effort. Syslog, given its intrinsic compatibility with Linux, reduces complexity and ensures a smoother integration process with Sentinel, fulfilling the need for minimal administration and parsing

C is correct

To read 'fog' data you must need to use Common 'Evert' Format

"This format includes more information than the standard Syslog format, and it presents the information in a parsed key-value arrangement." Source: https://learn.microsoft.com/en-us/azure/sentinel/connect-common-event-format "If your appliance supports Common Event Format (CEF) over Syslog, a more complete data set is collected, and the data is parsed at collection. You should choose this option and follow the instructions in Get CEF-formatted logs from your device or appliance into Microsoft Sentinel." Source: https://learn.microsoft.com/en-us/azure/sentinel/connect-syslog