Microsoft Security Operations Analyst Associate SC-200 Practice Question

You have installed the Azure Monitor Agent (AMA) on 100 Azure virtual machines and onboarded the machines to Microsoft Sentinel. To minimize ingestion costs, you must collect only Windows Security events with Event IDs 4624 and 4625 (account logon success and failure). Which change should you make to the data collection rule (DCR) that sends Windows Security logs to your Sentinel workspace?

  • Add a transformation clause to the DCR that filters the Security channel to EventID 4624 or 4625 before the data is sent.

  • Change the DCR stream type to Microsoft-Sentinel-WindowsSecurityFiltered.

  • Configure the Security channel in the DCR as a Basic Log destination instead of an Analytics Log.

  • Enable mapping to the CommonSecurityLog table in the DCR destinations section.
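Added worked example (not part of the practice question, and not Microsoft's own code): the DCR body that answers this question. The filter that runs before data leaves the VM is the XPath query on the windowsEventLogs data source, so the dropped events are never sent, ingested or billed; a KQL transformation (transformKql on the dataFlow) also filters, but in the ingestion pipeline after the agent has already sent the data. The stream name Microsoft-SecurityEvent is the one the Sentinel Windows Security Events via AMA connector uses; the data-source name, destination name, location and workspace resource ID are placeholders, and simulate_agent_filter is a model of the agent's behaviour over constructed sample events, not AMA itself.

```python
import json
import re

# Stream used by the Sentinel "Windows Security Events via AMA" connector
# (rows land in the SecurityEvent table).
SECURITY_STREAM = "Microsoft-SecurityEvent"


def xpath_for(event_ids, channel="Security"):
    """Build the agent-side XPath filter in the form AMA accepts in
    windowsEventLogs.xPathQueries: Channel!*[System[(EventID=a or EventID=b)]]."""
    ids = sorted({int(i) for i in event_ids})
    if not ids:
        raise ValueError("at least one Event ID is required")
    predicate = " or ".join(f"EventID={i}" for i in ids)
    return f"{channel}!*[System[({predicate})]]"


def event_ids_from_xpath(query):
    """Recover the Event ID allow-list from an XPath query; handy for reviewing
    an existing DCR exported from Azure."""
    return {int(m) for m in re.findall(r"EventID=(\d+)", query)}


def build_dcr(location, workspace_resource_id, event_ids):
    """Return the Microsoft.Insights/dataCollectionRules body (ARM/REST shape).
    Names and IDs below are hypothetical placeholders."""
    return {
        "location": location,
        "kind": "Windows",
        "properties": {
            "dataSources": {
                "windowsEventLogs": [
                    {
                        "name": "securityLogonEvents",          # hypothetical name
                        "streams": [SECURITY_STREAM],
                        "xPathQueries": [xpath_for(event_ids)],  # agent-side filter
                    }
                ]
            },
            "destinations": {
                "logAnalytics": [
                    {
                        "workspaceResourceId": workspace_resource_id,
                        "name": "sentinelWorkspace",             # hypothetical name
                    }
                ]
            },
            "dataFlows": [
                {"streams": [SECURITY_STREAM], "destinations": ["sentinelWorkspace"]}
            ],
        },
    }


def simulate_agent_filter(events, query):
    """Model of what AMA does with the XPath: only events from the named channel
    whose EventID is in the allow-list are forwarded; the rest never leave the VM."""
    channel = query.partition("!")[0]
    allowed = event_ids_from_xpath(query)
    return [e for e in events
            if e["Channel"] == channel and e["EventID"] in allowed]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4624, "LogonType": 10},  # successful logon
    {"Channel": "Security", "EventID": 4625, "LogonType": 3},   # failed logon
    {"Channel": "Security", "EventID": 4672},  # special privileges assigned
    {"Channel": "Security", "EventID": 4688},  # process creation
    {"Channel": "System",   "EventID": 4624},  # same ID, wrong channel
]

if __name__ == "__main__":
    workspace_id = ("/subscriptions/00000000-0000-0000-0000-000000000000"
                    "/resourceGroups/rg-sentinel/providers"
                    "/Microsoft.OperationalInsights/workspaces/law-sentinel")  # placeholder
    dcr = build_dcr("eastus", workspace_id, [4624, 4625])
    print(json.dumps(dcr, indent=2))
    kept = simulate_agent_filter(SAMPLE_EVENTS, xpath_for([4624, 4625]))
    print("events forwarded:", [e["EventID"] for e in kept])  # [4624, 4625]
```

Write the printed JSON to a file and deploy it with the rule-file form of `az monitor data-collection rule create` (or as an ARM template), then associate the DCR with the VMs. Before relying on it, export the rule back from Azure and run event_ids_from_xpath over each xPathQueries entry to confirm that no broader query (for example `Security!*`) is still present, since a second, unfiltered query on the same channel would quietly reintroduce the full Security log.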

Manage a security operations environment