
SC-200 Question #251: Real Exam Question with Answer & Explanation

The correct answer is C: a UEBA activity template. To detect common security scenarios with minimal administrative effort when UEBA is enabled, using a built-in UEBA activity template is the most efficient solution.

Submitted by yasin.bd · Apr 18, 2026 · Configure protections and detections

Question

You have a Microsoft Sentinel workspace that has User and Entity Behavior Analytics (UEBA) enabled for Signin Logs. You need to ensure that failed interactive sign-ins are detected. The solution must minimize administrative effort. What should you use?

Options

  • A. a scheduled alert query
  • B. the Activity Log data connector
  • C. a UEBA activity template
  • D. a hunting query

Explanation

To detect common security scenarios with minimal administrative effort when UEBA is enabled, using a built-in UEBA activity template is the most efficient solution.

Common mistakes.

  • A. A scheduled alert query would require manual creation and maintenance of the KQL query and alert logic, increasing administrative effort compared to a template.
  • B. The Activity Log data connector collects Azure activity logs, which are different from Azure AD Signin Logs and not directly relevant to detecting failed interactive sign-ins via UEBA in this context.
  • D. A hunting query is used for proactive threat hunting and investigation, not for automatically detecting and alerting on common, well-defined security incidents with minimal administrative effort.

Concept tested. Microsoft Sentinel UEBA activity templates

Reference. https://learn.microsoft.com/en-us/azure/sentinel/monitor-entities-with-ueba#investigate-activities-across-users-and-entities

Topics

#Microsoft Sentinel #UEBA #Detection #Signin Logs
