Gain insights into configuring Windows Security event logs for Azure Sentinel. Learn how to capture a full user audit trail while minimizing event volume and administrative effort.
Question
You have an Azure subscription that contains a Microsoft Sentinel workspace named WS1 and 100 virtual machines that run Windows Server.
You need to configure the collection of Windows Security event logs for ingestion to WS1. The solution must meet the following requirements:
- Capture a full user audit trail including user sign-in and user sign-out events.
- Minimize the volume of events.
- Minimize administrative effort.
Which event set should you select?
A. Minimal
B. Common
C. All events
D. Custom
Answer
B. Common
Explanation
The Common event set in Microsoft Sentinel (formerly Azure Sentinel) includes the events related to user sign-in and sign-out activity, so it satisfies the requirement to capture a full user audit trail. It also produces far fewer events than the All events option, which meets the requirement to minimize event volume. Finally, choosing a predefined event set such as Common minimizes administrative effort: a Custom event set would require you to select and maintain the list of events to collect by hand.
This is a Microsoft SC-200 certification exam practice question with answer, explanation and reference, provided to help candidates prepare for and pass the SC-200 exam.