SC-200 Question #200: Real Exam Question with Answer & Explanation

The correct answer is B: Build a custom unifying parser and include the built-in parser version. Built-in ASIM parsers in Microsoft Sentinel are subject to automatic updates when new versions are released. To pin to a specific version and prevent automatic updates, two approaches work. Option B - building a custom unifying parser that explicitly references the specific built

Submitted by luis.pe · Apr 18, 2026 · Configure your environment in Microsoft Sentinel

Question

You have a Microsoft Sentinel workspace. You need to prevent a built-in Advanced Security Information Model (ASIM) parser from being updated automatically. What are two ways to achieve this goal? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

Options

  • A. Create a hunting query that references the built-in parser.
  • B. Build a custom unifying parser and include the built-in parser version.
  • C. Redeploy the built-in parser and specify a CallerContext parameter of Any and a
  • D. Redeploy the built-in parser and specify a CallerContext parameter of Built-in.
  • E. Create an analytics rule that includes the built-in parser.

Explanation

Built-in ASIM parsers in Microsoft Sentinel are subject to automatic updates when new versions are released. To pin to a specific version and prevent automatic updates, two approaches work. Option B - building a custom unifying parser that explicitly references the specific built-in parser version - locks the version in use, as the custom parser controls which underlying parser is called. Option C - redeploying the built-in parser with a CallerContext parameter set to 'Any' - overrides the managed deployment and fixes the parser to the redeployed version, preventing the Sentinel backend from replacing it. Option D (CallerContext of 'Built-in') does not achieve version pinning. Options A and E (hunting queries and analytics rules that reference the parser) do not affect the parser's update lifecycle.

Topics

#Microsoft Sentinel #ASIM #Parsers #Customization #Versioning
