Exam SC-200
Question 138

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You are configuring Azure Sentinel.

You need to create an incident in Azure Sentinel when a sign-in to an Azure virtual machine from a malicious IP address is detected.

Solution: You create a scheduled query rule for a data connector.

Does this meet the goal?

    Correct Answer: A

    Creating a scheduled query rule for a data connector in Azure Sentinel can meet the goal of creating an incident when a sign-in to an Azure virtual machine from a malicious IP address is detected. Scheduled query rules can be configured to run at specified intervals and generate alerts based on defined criteria. These alerts can then be set to automatically create incidents in Azure Sentinel, allowing the detection of malicious activities such as a sign-in from a malicious IP address.
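As an added illustration of the kind of rule logic the explanation above refers to (this is example code written for this page, not Microsoft's own rule template), the KQL below is what the query of a scheduled analytics rule could look like. It assumes that successful Windows logons on the virtual machines are collected into the SecurityEvent table and that a threat intelligence connector populates the ThreatIntelligenceIndicator table; both table and column names are the standard Sentinel ones, while the lookback values are assumptions chosen for the example.

```kusto
// Added example: query for a scheduled analytics rule that matches VM logons
// against active threat-intelligence IP indicators. Not part of the original page.
// Assumes: SecurityEvent (Windows Security Events connector) and
// ThreatIntelligenceIndicator (any TI connector) are being ingested.
let lookback = 1h;     // assumption: matches the rule's "Lookup data from the last" setting
let ti_window = 14d;   // assumption: how far back to look for indicator records
// Build the set of currently active malicious IP indicators.
let maliciousIPs =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ti_window)
    | where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)
    | extend IndicatorIP = coalesce(NetworkIP, NetworkSourceIP)
    // Keep only the newest copy of each indicator, then drop expired/inactive ones.
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | project IndicatorIP, IndicatorId, ConfidenceScore, ThreatType, Description;
// Successful logons to the VMs over the network or via RDP from a public source IP.
SecurityEvent
| where TimeGenerated >= ago(lookback)
| where EventID == 4624            // An account was successfully logged on
| where LogonType in (3, 10)       // 3 = Network, 10 = RemoteInteractive (RDP)
| where isnotempty(IpAddress) and not(ipv4_is_private(IpAddress))
| join kind=inner maliciousIPs on $left.IpAddress == $right.IndicatorIP
| project TimeGenerated, Computer, Account, LogonType, IpAddress,
          IndicatorId, ConfidenceScore, ThreatType, Description
```

In the rule wizard this query goes under "Set rule logic", with Computer, Account and IpAddress mapped to the Host, Account and IP entities respectively, the frequency set to the same 1h used for the lookback so that no logon window is skipped, and the alert threshold set to fire when the result count is greater than 0. The step the thread argues about is separate from the query: on the rule's "Incident settings" tab, incident creation from the alerts must be enabled (optionally with grouping by IP entity so repeated logons from the same indicator land in one incident), otherwise the rule only produces alerts.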

Discussion
stromnessian (Option: A)

You can create scheduled rules from Data connector pages (Next steps tab). But the bottom line is whoever wrote this question should be fired on the spot.

evilprime (Option: B)

CHATGPT: No. Creating a scheduled query rule for a data connector will not directly meet the goal of creating an incident in Azure Sentinel when a sign-in to an Azure virtual machine from a malicious IP address is detected. To achieve the goal, you would need to create an analytics rule that queries the relevant logs for sign-ins to Azure virtual machines and uses a detection algorithm to identify malicious IP addresses. This rule should then be set up to trigger an incident when a malicious sign-in is detected.

Fez786

We don't care what ChatGPT thinks. Stop posting answers from ChatGPT. Kids.......

wsrudmen (Option: A)

When you configure a scheduled query on "Set rule logic" and "Incident settings", you can define whether to raise an alert and how to group alerts into an incident. NB: creating a Microsoft incident creation rule is part of a scheduled query. Microsoft's wording for this question is weird... I don't understand why all these NOs in the discussion. If someone has a good explanation, please don't hesitate.

DChilds (Option: B)

B: You create a Microsoft incident creation rule for a data connector.

im20batman (Option: A)

A is Correct

JoeP1 (Option: B)

I think the correct answer is B because the incident will be created when the query is scheduled to run, not at the time that the sign-in from the malicious IP was detected.

Whatsamattr81 (Option: A)

I dunno... You can create alerts from scheduled queries. You can then create incidents from alerts. The question doesn't suggest you can't. Pretty sure (in preview) you can now create incidents based on this alone.

kakakayayaya (Option: B)

"You create a scheduled query rule for a data connector." Looks weird. We can't create a scheduled query for data connectors. But we can analyze some tables and raise an incident.

scfitzp (Option: B)

Just creating a scheduled query rule doesn't inherently meet the requirements. Creating an NRT rule or an incident creation rule by default puts you CLOSER to a correct answer; and another answer option in this specific series of questions is "creating an incident creation rule".

Mducks (Option: A)

I think the correct answer is B: https://learn.microsoft.com/en-us/azure/sentinel/create-incidents-from-alerts See heading: Enable incident generation automatically during connection

Ramye

Which one? You selected A and then say the correct answer is B 🤷🏻‍♂️

chepeerick (Option: A)

Correct

donathon (Option: B)

I think the answer is no.

antoniokt (Option: A)

A is Correct

amsioso (Option: B)

NO. After connecting your data sources to Microsoft Sentinel, create custom analytics rules to help discover threats and anomalous behaviors in your environment. Analytics rules search for specific events or sets of events across your environment, alert you when certain event thresholds or conditions are reached, generate incidents for your SOC to triage and investigate, and respond to threats with automated tracking and remediation processes. https://docs.microsoft.com/en-us/azure/sentinel/detect-threats-custom

arunkum (Option: B)

Why is it No? Scheduled query rules are custom analytics rules that generate alerts on specific logic.

M20200713

Because maybe for threat detection the NRT (near real time) rule is better? Not 100% sure, sorry. https://docs.microsoft.com/en-US/azure/sentinel/near-real-time-rules

D_PaW

The question isn't about what is the best way to do it, only whether it would work, and based on some of the answers above then yes it would work, or what?

JoeP1

I think the answer is No because the requirement is to create the incident when the sign-in from a malicious IP is detected, not when the query is run after it was detected.

Eltooth (Option: B)

Correct - No