SC-200 Question #130: Real Exam Question with Answer & Explanation
The correct answer is A: Redeploy the built-in parser and specify a CallerContext parameter of any and a. To prevent a built-in Advanced Security Information Model (ASIM) parser from being automatically updated, you can either redeploy it as a custom workspace parser or create your own custom unifying parser.
Question
You have a Microsoft Sentinel workspace. You need to prevent a built-in Advanced Security Information Model (ASIM) parser from being updated automatically. What are two ways to achieve this goal? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.
Options
- A. Redeploy the built-in parser and specify a CallerContext parameter of any and a
- B. Create a hunting query that references the built-in parser.
- C. Redeploy the built-in parser and specify a CallerContext parameter of built-in.
- D. Build a custom unifying parser and include the built-in parser version.
- E. Create an analytics rule that includes the built-in parser.
Explanation
To prevent a built-in Advanced Security Information Model (ASIM) parser from being automatically updated, you can either redeploy it as a custom workspace parser or create your own custom unifying parser.
Common mistakes.
- B. Creating a hunting query that references an ASIM parser consumes the parser's output but does not alter the parser's update mechanism or prevent it from being automatically updated.
- C. Redeploying a built-in parser and explicitly setting the CallerContext parameter to built-in would likely retain its status as a built-in parser, or revert to default behavior, which means it would still be subject to automatic updates.
- E. An analytics rule uses ASIM parsers to detect threats and generate alerts but does not control the update behavior of the parsers themselves or modify their status as built-in or custom.
Concept tested. Managing ASIM parser updates and customization
Reference. https://learn.microsoft.com/en-us/azure/sentinel/manage-parsers