Exam SC-200 topic 3 question 68 discussion

D is correct for a large number of parsers: https://learn.microsoft.com/en-us/azure/sentinel/normalization-develop-parsers#deploy-parsers

To deploy a large number of parsers, we recommend using parser ARM templates, as follows: 1. Create a YAML file based on the relevant template for each schema and include your query in it. Start with the YAML template relevant for your schema and parser type, filtering or parameter-less. 2. Use the ASIM Yaml to ARM template converter to convert your YAML file to an ARM template. 3. If deploying an update, delete older versions of the functions using the portal or the function delete PowerShell tool. 4. Deploy your template using the Azure portal or PowerShell. https://learn.microsoft.com/en-us/azure/sentinel/normalization-develop-parsers#deploy-parsers

Correct option

option D

B. Create a JSON file based on the DNS template. This is because ASIM parsers are written in JSON format, and you need to create a custom parser for each of your 200 DNS sources based on the DNS template provided in the GitHub repository

Answer is D. @exmITQS you need to look at the link from @smosmo. The question is about a large number of parsers... this is specifically mentioned in the linked article Deploy parsers manually by copying them to the Azure Monitor Log page and saving the query as a function. This method is useful for testing. For more information, see Create a function. To deploy a large number of parsers, we recommend using parser ARM templates, as follows: Create a YAML file based on the relevant template for each schema and include your query in it. Start with the YAML template relevant for your schema and parser type, filtering or parameter-less. Use the ASIM Yaml to ARM template converter to convert your YAML file to an ARM template. If deploying an update, delete older versions of the functions using the portal or the function delete PowerShell tool. Deploy your template using the Azure portal or PowerShell. You can also combine multiple templates to a single deploy process using linked templates

D is the correct one.

. Create a JSON file based on the DNS template. Also, while both JSON and YAML can represent the same data, the JSON format is more widely used in Azure Sentinel and the Azure platform in general.