Microsoft Security Operations Analyst Associate SC-200 Practice Question
You have installed the Azure Monitor Agent (AMA) on 100 Azure virtual machines and onboarded the machines to Microsoft Sentinel. To minimize ingestion costs, you must collect only Windows Security events with Event IDs 4624 and 4625 (interactive logon success and failure). Which change should you make to the data collection rule (DCR) that sends Windows Security logs to your Sentinel workspace?
Enable mapping to the CommonSecurityLog table in the DCR destinations section.
Configure the Security channel in the DCR as a Basic Log destination instead of an Analytics Log.
Change the DCR stream type to Microsoft-Sentinel-WindowsSecurityFiltered.
Add a transformation clause to the DCR that filters the Security channel to EventID 4624 or 4625 before the data is sent.
In an AMA-based data collection rule, you can filter and transform incoming data before it is sent to the Log Analytics workspace. By adding a Kusto Query Language (KQL) transformation to the DCR, you can specify that only records from the Security channel whose EventID is 4624 or 4625 are forwarded. This prevents all other Security events from being ingested, reducing data volume and therefore cost.
The other choices do not meet the requirement:
Mapping data to the CommonSecurityLog table is relevant to CEF/Syslog connectors, not Windows event logs collected by AMA.
There is no built-in stream type called Microsoft-Sentinel-WindowsSecurityFiltered; stream names are predefined (for example, Microsoft-WindowsEvent).
Sending the Security log to a Basic Log destination would still ingest every record from the channel and would not filter by Event ID.
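The following data collection rule is an added example, not taken from the question page or from a Microsoft-published template. It shows where the transformation described above lives: the `transformKql` property of the DCR's `dataFlows` entry, which is applied in the ingestion pipeline before the records are written to the workspace. The rule name, location and the workspace resource ID are placeholders; the data source collects the whole Security channel (`Security!*`) so that the transformation is what does the filtering, as the correct answer describes.

```json
{
  "type": "Microsoft.Insights/dataCollectionRules",
  "apiVersion": "2022-06-01",
  "name": "dcr-security-logon-events-example",
  "location": "<region-placeholder>",
  "properties": {
    "dataSources": {
      "windowsEventLogs": [
        {
          "name": "securityChannel",
          "streams": [ "Microsoft-SecurityEvent" ],
          "xPathQueries": [ "Security!*" ]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "name": "sentinelWorkspace",
          "workspaceResourceId": "/subscriptions/<subscription-id-placeholder>/resourceGroups/<rg-placeholder>/providers/Microsoft.OperationalInsights/workspaces/<workspace-placeholder>"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": [ "Microsoft-SecurityEvent" ],
        "destinations": [ "sentinelWorkspace" ],
        "transformKql": "source | where EventID in (4624, 4625)"
      }
    ]
  }
}
```

Two practitioner notes on this layout. First, the `xPathQueries` element of the same data source accepts a narrower query such as `Security!*[System[(EventID=4624 or EventID=4625)]]`, which drops the unwanted events on the agent itself before they leave the VM; the `transformKql` filter runs later, in the ingestion pipeline, so the two can be combined, with the XPath filter removing bulk and the transformation handling any shaping the XPath syntax cannot express. Second, after the rule is associated with the 100 machines, confirm it took effect from the workspace side with a query such as `SecurityEvent | where TimeGenerated > ago(1h) | summarize count() by EventID`; only 4624 and 4625 should appear, and the row counts give a direct before/after measure of the ingestion reduction the question is asking for.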
Microsoft Security Operations Analyst Associate SC-200
Manage a security operations environment