Microsoft Security Operations Analyst Associate SC-200 Practice Question
You plan to reduce the number of Azure Monitor Agent (AMA) installations required to ingest Windows Security log events into a Microsoft Sentinel workspace. You decide to use Windows Event Forwarding (WEF) so that only a single Windows Event Collector (WEC) server will run AMA and forwarders will not need the agent.
After you deploy a domain-joined Windows Server as the WEC server and configure the necessary subscriptions, you create a data collection rule (DCR) that targets the WEC server and adds the ForwardedEvents channel as an event log source.
Which destination table will receive the forwarded security events in the Log Analytics workspace, and what must you do if you instead want those events to land in the SecurityEvent table?
They will be stored in the Event table; to use SecurityEvent you must forward the events into the WEC server's local Security channel and have the DCR collect from Security instead of ForwardedEvents.
They will be rejected unless you enable the CollectSecurityEvents setting in the DCR; after enabling, they go to the SecurityEvent table by default.
They will be stored in the SecurityEvent table automatically; no additional configuration is required because AMA detects forwarded security events.
They will be written to a new ForwardedSecurityEvent table; you must enable the Sentinel Ingestion mapping feature to redirect them to SecurityEvent.
When a DCR that uses the Azure Monitor Agent collects events from the ForwardedEvents channel, the events are written to the Event table because Azure Monitor treats ForwardedEvents like any other custom Windows event log. SecurityEvent is reserved for events collected directly from the local Security channel. To have forwarded security events land in SecurityEvent, you must configure the WEC server to write the incoming events to its local Security channel (for example by using a source-initiated subscription that sets the DestinationLog to Security) and update the DCR to collect from the Security channel instead of ForwardedEvents.
Manage a security operations environment