Crucial Exams

Microsoft Security Operations Analyst Associate SC-200 Practice Question

Your on-premises network contains 400 Windows Server 2022 machines that you want to monitor in Microsoft Sentinel. Only Security event IDs 4720 and 4726 must be collected, and you must not open any inbound firewall ports on the servers. You will use Azure Monitor Agent and data collection rules (DCRs). Which solution meets the requirements?

  • Stream Windows security events to an Azure Event Hub and connect Sentinel by using the Event Hub data connector.

  • Configure a source-initiated Windows Event Forwarding subscription to a dedicated collector, install Azure Monitor Agent on the collector, and create a DCR that filters event IDs 4720 and 4726 from the ForwardedEvents channel.

  • Install Azure Monitor Agent on each server and create a DCR that collects the full Security log.

  • Configure a collector-initiated Windows Event Forwarding subscription, install the legacy Microsoft Monitoring Agent on the collector, and enable the Security Events via Legacy Agent data connector.

Microsoft Security Operations Analyst Associate SC-200
Manage a security operations environment
Your Score:
Settings & Objectives
Random Mixed
Questions are selected randomly from all chosen topics, with a preference for those you haven’t seen before. You may see several questions from the same objective or domain in a row.
Rotate by Objective
Questions cycle through each objective or domain in turn, helping you avoid long streaks of questions from the same area. You may see some repeat questions, but the distribution will be more balanced across topics.

Check or uncheck an objective to set which questions you will receive.

Wipe Score
Bash, the Crucial Exams Chat Bot
AI Bot