SC-100 Certification Practice Question #184

Question

You have 1,000 on-premises servers that run Linux.

You have an Azure subscription that contains a Microsoft Sentinel workspace named WS1 and 1,000 virtual machines that run Linux.

All the on-premises Linux servers are onboarded to Azure Arc.

You plan to collect Common Event Format (CEF) logs by using the Azure Monitor Agent connector in Microsoft Sentinel.

You need to design a solution for collecting specific events from the logs. The solution must meet the following requirements:

•	Minimize the number of Microsoft Entra ID identities required.
•	Minimize the number of events delivered to WS1.
•	Ensure that all the required events are ingested.
•	Minimize administrative effort.

What should you include in the solution? To answer, select the options in the answer area.

NOTE: Each correct answer is worth one point.

Accepted Answer

Two requirements drive the answer. To minimize events delivered to WS1 while still ingesting all required events, you must filter *before* ingestion — Data Collection Rules apply facility/log-level filters at the agent, exactly matching the CEF-via-AMA design. Sentinel scheduled query rules act on data already in the workspace (too late, doesn't reduce ingestion), and a daily cap would drop events, violating "ensure all required events are ingested." To minimize Microsoft Entra ID identities: Azure Arc-enabled servers automatically receive a system-assigned managed identity and cannot use a user-assigned MI for the Arc agent, so the 1,000 on-premises servers use system-assigned. For the 1,000 Azure VMs, a single user-assigned managed identity can be assigned to all of them, collapsing 1,000 potential system-assigned identities into one — minimizing the identity count. This split (system-assigned on-prem, user-assigned Azure VMs) is the Suggested Answer and is backed by the highest-voted comment (3bb422b, 4 👍).

More SC-100 practice questions