ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam SC-200 All Questions

View all questions & answers for the SC-200 exam
Go to Exam

Exam SC-200 topic 3 question 50 discussion

Actual exam question from Microsoft's SC-200
Question #: 50
Topic #: 3
[All SC-200 Questions]

You have a Microsoft Sentinel workspace.

You have a query named Query1 as shown in the following exhibit.



You plan to create a custom parser named Parser1.

You need to use Query1 in Parser1.

What should you do first?

  • A. Remove line 5.
  • B. Remove line 2.
  • C. In line 3, replace the !contains operator with the !has operator.
  • D. In line 4, remove the TimeGenerated predicate.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by ACSC at Jan. 22, 2023, 7:15 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
PhoenixSlasher
Highly Voted 10 months ago
Selected Answer: B
B due to Parsing happens at query time, hense Query time parsing meaning we cannot parse a specific time.
upvoted 10 times
...
herta
Highly Voted 10 months, 2 weeks ago
Selected Answer: B
i will go for B as well A parser should not filter by time. The query which uses the parser will apply a time range. https://learn.microsoft.com/en-us/azure/sentinel/normalization-develop-parsers
upvoted 5 times
...
HAjouz
Most Recent 3 months, 3 weeks ago
Selected Answer: A
The key issue here is that parsers in Sentinel expect the raw data as input, not the formatted or sorted results of a query.The first thing you need to do is remove line 5, which is the sorting operation. This will ensure that the raw data is passed to the parser. Therefore, the correct answer is A. Remove line 5.
upvoted 1 times
...
ACSC
10 months, 4 weeks ago
Selected Answer: B
In Microsoft Sentinel, parsing and normalizing happen at query time. https://learn.microsoft.com/en-us/azure/sentinel/normalization-parsers-overview
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel