Microsoft Security Operations Analyst Associate SC-200 Practice Question
Question

You are creating a scheduled query analytics rule in Microsoft Sentinel that returns firewall events. The query result includes a column named src_ip that contains the source IPv4 address for each event. You need Microsoft Sentinel to recognize those values as IP entities so that any future incidents created by the rule display the Entity page and benefit from UEBA enrichment. What should you configure in the analytics rule before saving it?

A. Define a data transformation in Log Analytics that renames the src_ip column to SourceNetworkAddress before the rule runs.
B. Create a Logic App playbook that calls the Sentinel Entities REST API to submit the src_ip value as an entity.
C. Add an entity mapping that maps the src_ip column to the IP entity type with the field name Address.
D. Enable the "Automatically extract host information" option in the incident settings of the workspace.

Explanation

Microsoft Sentinel can only recognize data in a query result as entities when you explicitly map the relevant columns to one of the supported entity types during rule creation. In the Set rule logic step, you can add an entity mapping, choose the entity type (such as IP), and then specify which column in the query output contains the corresponding value. For the IP entity type, the required field is Address. Mapping the src_ip column to the IP entity's Address field ensures each matching value is treated as an IP entity, unlocking entity pages, graphs, and UEBA insights for incidents generated by the rule.

The other options do not achieve this: a playbook would run only after an alert is created, data transformations in Log Analytics do not automatically apply entity semantics, and there is no workspace-level "Automatically extract host information" setting for entity detection.
Configure protections and detections