SC-200 Question #69: Real Exam Question with Answer & Explanation
Question
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You are configuring Azure Sentinel. You need to create an incident in Azure Sentinel when a sign-in to an Azure virtual machine from a malicious IP address is detected. Solution: You create a scheduled query rule for a data connector. Does this meet the goal?
Options
- A. Yes
- B. No
Explanation
No, this does not meet the goal. The correct answer is B. A scheduled query rule runs a KQL query that you write against the ingested logs on a fixed interval and raises an alert (and optionally an incident) when the results cross a threshold. Nothing in the rule itself knows which IP addresses are malicious, so you would have to supply both the detection logic and the threat-intelligence data yourself. The intended solution is a Microsoft incident creation rule: Microsoft Defender for Cloud (formerly Azure Defender) already applies Microsoft's threat intelligence to traffic reaching your VMs and raises a security alert when a sign-in or connection comes from a known-malicious IP. The Defender for Cloud data connector brings those alerts into Azure Sentinel, and a Microsoft incident creation rule for that connector turns each alert into a Sentinel incident with no detection logic to write. A scheduled query rule "for a data connector" neither reuses those alerts nor provides the built-in malicious-IP enrichment. In practice a scheduled rule could approximate this by joining sign-in events against the ThreatIntelligenceIndicator table, but that depends on a threat-intelligence connector and hand-written KQL, which is exactly the distinction the question is testing: the answer the exam expects is the Microsoft incident creation rule.
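The two rule kinds side by side, as an added example that is not part of the exam page. The Bicep below deploys a Microsoft incident creation rule for Defender for Cloud alerts (the intended answer) next to a scheduled query rule that has to carry its own threat-intelligence join (the "No" solution in this question). The workspace name, rule names and the assumption that a threat-intelligence connector populates ThreatIntelligenceIndicator are illustrative, not from the page.

```bicep
// Added example: contrast a Microsoft incident creation rule with a scheduled query rule.
// Assumptions: the Log Analytics workspace already exists with Sentinel enabled, the
// Defender for Cloud connector is connected, and (for the second rule only) a threat
// intelligence connector is feeding the ThreatIntelligenceIndicator table.
param workspaceName string = 'sentinel-law' // assumed workspace name

resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

// 1) Microsoft incident creation rule: no KQL, no IP list. Defender for Cloud decides
//    what is malicious; this rule only promotes its alerts to Sentinel incidents.
resource defenderIncidentRule 'Microsoft.SecurityInsights/alertRules@2023-02-01' = {
  name: 'defender-for-cloud-incidents' // assumed rule name
  scope: workspace
  kind: 'MicrosoftSecurityIncidentCreation'
  properties: {
    displayName: 'Create incidents from Microsoft Defender for Cloud alerts'
    enabled: true
    productFilter: 'Azure Security Center' // Defender for Cloud's product name in this API
    severitiesFilter: [ 'High', 'Medium' ] // drop Low/Informational alerts (optional)
    // displayNamesFilter: [ ... ]          // optionally restrict to specific alert titles
  }
}

// 2) Scheduled query rule: every piece of detection logic is hand-written here.
//    It only works if some TI feed has filled ThreatIntelligenceIndicator.
resource scheduledTiRule 'Microsoft.SecurityInsights/alertRules@2023-02-01' = {
  name: 'vm-signin-from-ti-ip' // assumed rule name
  scope: workspace
  kind: 'Scheduled'
  properties: {
    displayName: 'Windows VM sign-in from a threat-intelligence IP (hand-written logic)'
    enabled: true
    severity: 'High'
    query: '''
let ti = ThreatIntelligenceIndicator
  | where Active == true and ExpirationDateTime > now() and isnotempty(NetworkIP)
  | summarize arg_max(TimeGenerated, *) by IndicatorId;
SecurityEvent
  | where EventID == 4624 and LogonType in (3, 10)   // successful network / RDP logon
  | join kind=inner ti on $left.IpAddress == $right.NetworkIP
  | project TimeGenerated, Computer, Account, IpAddress, Description, ConfidenceScore
'''
    queryFrequency: 'PT1H'
    queryPeriod: 'PT1H'
    triggerOperator: 'GreaterThan'
    triggerThreshold: 0
    suppressionDuration: 'PT1H'
    suppressionEnabled: false
    incidentConfiguration: {
      createIncident: true
    }
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file <file>` against the resource group that holds the workspace. The first rule is complete on its own; the second rule covers only Windows VMs reporting to SecurityEvent, silently returns nothing if the TI table is empty, and has to be maintained as the log schema changes, which is the practical reason the exam does not accept it as the solution.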