SC-200 Certification Practice Question #124

Question

You have a Microsoft Sentinel workspace.

You have a query named Query1 as shown in the following exhibit.

You plan to create a custom parser named Parser1.

You need to use Query1 in Parser1.

What should you do first?

Accepted Answer

Line 2 is `| where TimeGenerated > ago(7h)` — a hard-coded time filter. Microsoft Learn is explicit that an ASIM/custom parser "should not filter by time" because the query that calls the parser applies its own time range; baking a time window into the parser breaks reuse. The Suggested Answer, the 21-vote community pick, and both Highly Voted comments all converge on B, matching the MS Learn guidance. The dissenting A camp correctly notes that `sort` (line 5) is also discouraged in a parser, but a stray `sort` is a presentation nuance, not the blocker the question asks you to fix "first"; the time predicate is the documented disqualifier, so B wins.

More SC-200 practice questions