SC-200 Certification Practice Question #105

Question

Your company stores the data of every project in a different Azure subscription. All the subscriptions use the same Azure Active Directory (Azure AD) tenant.
Every project consists of multiple Azure virtual machines that run Windows Server. The Windows events of the virtual machines are stored in a Log Analytics workspace in each machine's respective subscription.
You deploy Azure Sentinel to a new Azure subscription.
You need to perform hunting queries in Azure Sentinel to search across all the Log Analytics workspaces of all the subscriptions.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

Accepted Answer

To hunt across Log Analytics workspaces in multiple subscriptions of the same tenant you need two things, and MS Learn states both explicitly. First (B), the query itself must federate the workspaces using the KQL `union` operator together with the `workspace()` expression — the documented pattern for cross-workspace queries. Second (E), Microsoft Sentinel must be deployed/enabled on every workspace referenced in a hunting query: the docs say "You must deploy Microsoft Sentinel on every workspace referenced in the query," which maps to "Add the Azure Sentinel solution to each workspace." Option A only ingests Windows security events (already stored) and doesn't enable federation; option C's "alias statement" and option D's "resource expression/alias operator" are not the cross-workspace mechanism. B+E is the 12-vote community pick and is directly supported by the extend-Sentinel doc; the lone "E" suggested answer is a partial of the same correct pair. Confidence is 86% rather than higher because the official suggested answer only displays one letter and a vocal minority pushed A+B, but the documentation requirement to deploy Sentinel on every referenced workspace clearly favors E over A.

More SC-200 practice questions