SC-200 Question #328: Real Exam Question with Answer & Explanation
The correct answer is D: IP address. Microsoft Sentinel lets you add a threat intelligence indicator directly from an incident only for entity types that map to an indicator pattern (IP address, domain name, URL, file hash). Of the four entities in the incident, only the IP address is one of those types.
Question
You have a Microsoft Sentinel workspace named SW1. In SW1, you investigate an incident that is associated with the following entities:
- Host
- IP address
- User account
- Malware name
Which entity can be labeled as an indicator of compromise (IoC) directly from the incident's page?
Options
- A. Malware name
- B. Host
- C. User account
- D. IP address
Explanation
On a Microsoft Sentinel incident page, the entities pane offers an "Add to TI" action that creates a threat intelligence indicator from the selected entity. That action is only available for entity types whose value can be expressed as an indicator pattern: IP address, domain name, URL and file hash. An IP address is a concrete, matchable observable, so it can be labeled as an IoC straight from the incident; the resulting indicator is then usable by the threat intelligence analytics rules for detection across other logs. The host, user account and malware name entities describe what was affected or what was involved, but they are not indicator types, so the incident page gives no option to label them as IoCs.
Common mistakes.
- A. A 'malware name' identifies a threat family, not an observable you can match in telemetry. Threat intelligence indicators are built from observables (addresses, domains, URLs, hashes); the malware's file hash would be an IoC, but its name is not, and the incident page offers no "Add to TI" action for a malware entity.
- B. A 'host' is the affected asset. A host name is an internal identifier of your own environment rather than attacker infrastructure, and the host entity is not one of the types Sentinel can convert to an indicator from an incident.
- C. A 'user account' is an affected identity. Although a compromised account is often central to an incident, the account name is not an indicator type; the suspicious sign-in IP addresses or URLs associated with the account are what you would label as IoCs.
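The rule the question is really testing, as a worked example added here (not code from the page or from Microsoft): only entity kinds that map to an indicator pattern are eligible, and for those the value is turned into a STIX 2.1 pattern of the kind a Sentinel threat intelligence indicator carries. The eligible set follows the referenced Microsoft Learn article (IP address, domain, URL, file hash); the entity kind names and the constructed sample incident are assumptions, and the STIX pattern strings follow the STIX 2.1 syntax rather than any output captured from Sentinel.

```python
import ipaddress
import re
from dataclasses import dataclass

# Entity kinds whose value can be promoted to a threat intelligence indicator
# from the incident page (IP address, domain name, URL, file hash).  Host,
# account, malware and the other kinds are not offered "Add to TI".  The kind
# names are assumed to mirror Sentinel's entity kinds; they are not from the page.
IOC_ELIGIBLE_KINDS = {"ip", "dnsresolution", "url", "filehash"}

# Hex digest length -> STIX hash algorithm name.
HASH_ALGORITHMS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}


@dataclass
class Entity:
    kind: str   # Sentinel entity kind, e.g. "Host", "IP", "Account", "Malware"
    value: str  # the observable value shown on the incident page


def is_ioc_eligible(entity: Entity) -> bool:
    """True if the incident page would let an analyst label this entity as an IoC."""
    return entity.kind.lower() in IOC_ELIGIBLE_KINDS


def stix_pattern(entity: Entity) -> tuple[str, str]:
    """Build the (patternType, STIX 2.1 pattern) pair a TI indicator needs.

    Raises ValueError for ineligible kinds or malformed values, so a bad
    observable never becomes an indicator that matches nothing or everything.
    """
    kind = entity.kind.lower()
    value = entity.value.strip()
    if kind == "ip":
        addr = ipaddress.ip_address(value)  # ValueError on anything that is not an address
        ptype = "ipv4-addr" if addr.version == 4 else "ipv6-addr"
        return ptype, f"[{ptype}:value = '{addr}']"
    if kind == "dnsresolution":
        name = value.lower().rstrip(".")
        if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", name):
            raise ValueError(f"not a domain name: {value!r}")
        return "domain-name", f"[domain-name:value = '{name}']"
    if kind == "url":
        if not re.match(r"https?://", value, re.IGNORECASE):
            raise ValueError(f"not an http(s) URL: {value!r}")
        # STIX string literals escape backslash and single quote.
        escaped = value.replace("\\", "\\\\").replace("'", "\\'")
        return "url", f"[url:value = '{escaped}']"
    if kind == "filehash":
        digest = value.lower()
        if not re.fullmatch(r"[0-9a-f]+", digest) or len(digest) not in HASH_ALGORITHMS:
            raise ValueError(f"unrecognised hash: {value!r}")
        alg = HASH_ALGORITHMS[len(digest)]
        return "file", f"[file:hashes.'{alg}' = '{digest}']"
    raise ValueError(f"entity kind {entity.kind!r} cannot be labeled as an IoC from the incident")


def triage_entities(entities: list[Entity]) -> dict:
    """Split an incident's entities into indicator candidates and the rest."""
    indicators, rejected = [], []
    for entity in entities:
        if is_ioc_eligible(entity):
            indicators.append(stix_pattern(entity))
        else:
            rejected.append(entity.kind)
    return {"indicators": indicators, "rejected": rejected}


# Constructed sample: the four entity kinds from the question, with made-up values.
INCIDENT_ENTITIES = [
    Entity("Host", "WS-042"),
    Entity("IP", "203.0.113.7"),
    Entity("Account", "jdoe@contoso.example"),
    Entity("Malware", "Emotet"),
]

if __name__ == "__main__":
    result = triage_entities(INCIDENT_ENTITIES)
    for ptype, pattern in result["indicators"]:
        print(f"add to TI: patternType={ptype} pattern={pattern}")
    print("not eligible:", ", ".join(result["rejected"]))
```

Running it on the sample incident yields exactly one indicator candidate, the IPv4 pattern for 203.0.113.7, and lists Host, Account and Malware as not eligible, which is the distinction the exam question is after. The validation in `stix_pattern` matters in practice: an indicator built from a mistyped address or a truncated hash silently produces a rule that never fires.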
Concept tested. Microsoft Sentinel Incident entities and IoC creation
Reference. https://learn.microsoft.com/en-us/azure/sentinel/create-custom-indicators-from-incidents