Exam SC-200 topic 3 question 41 discussion

B is the correct answer

To identify the geolocation information corresponding to the incident "Brute force attack against Azure Portal analytics rule has been triggered" in Microsoft Sentinel, you should review the details of the IPCustomEntity entity associated with the incident. The IPCustomEntity typically contains information related to IP addresses, including geolocation data such as country or region. By examining the details of the IPCustomEntity entity, you can retrieve the geolocation information associated with the IP addresses involved in the brute force attack. Therefore, option B is the correct choice for identifying the geolocation information corresponding to the incident

Option B

B. From Incidents, review the details of the IPCustomEntity entity associated with the incident. According to this article, Microsoft Defender for Cloud detects brute force attacks and triggers alerts that contain the attacking IP address in the ‘entities’ field. You can use this IP address to find the geolocation information by reviewing the details of the IPCustomEntity entity associated with the incident.

B - IPCustomEntity, you can even create a custom playbook to get one from the maxmind, which is more precise than microsoft. A is outdated and even in the past was not an efficient choice if you had a multiple incidents and various attack sources... You need to identify the geolocation information that corresponds to the incident.

B. From Incidents, review the details of the IPCustomEntity entity associated with the incident. The IPCustomEntity entity associated with the incident should provide the IP address that triggered the brute force attack. You can then use a geolocation lookup tool to determine the country or region associated with that IP address

In the details of an incident, if you click on the IP entity it shows you the information under Geolocation information

Verified. Answer is B

A. From Overview, review the Potential malicious events map. The Potential malicious events map in the Overview section of Microsoft Sentinel can display geolocation information for incidents, such as a brute force attack against an Azure Portal analytics rule. By reviewing this map, you can identify the location from where the attack is originating.

Its B, confirmed

Once an incident is created, you can view more details of the incident by clicking on the View full details button, then navigate to the investigation page. You can investigate all entities for this alert such as IP addresses, accounts, and so on. https://charbelnemnom.com/detect-a-brute-force-attack-with-azure-sentinel/

Currently, this question is outdated. It can't be in the Overview (A) because the Map was removed from there. Additionally, the question is asking to identify the geolocation information that corresponds to the incident. So, I opt for B, inside Investigation and selecting the IP, in entities you can find Geolocation info.

https://docs.microsoft.com/en-us/azure/sentinel/get-visibility#get-visualization

Correct answer is A - once you click on the red or orange circle within the map it forwards you to logs analytics where the query is shown, this has the malicious IPs, country, confidence and other columns.

You need to identify the geolocation information that corresponds to the incident. How will you do this from the overview, i think it must be answer B. You go the the incident you click in de IP under Entities in the Details page and you will see the geolocation information related to the incident.

I vote for d- From Investigation, review insights on the incident entity.