SC-200 Certification Practice Question #129

Question

You have a Microsoft Sentinel workspace.

You need to prevent a built-in Advanced Security Information Model (ASIM) parser from being updated automatically.

What are two ways to achieve this goal? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

Accepted Answer

MS Learn's "Prevent an automated update of a built-in parser" procedure has exactly two steps that map to the answer: (1) add the specific built-in parser version to a custom unifying parser — answer B — and (2) add a watchlist exclusion record with `Any` in both the CallerContext and SourceSpecificParser fields to opt the built-in parser out of automatic updates — answer C. Each is a complete solution on its own per the doc. The competing BE answer leans on the Microsoft Practice Assessment, but option E (creating an analytics rule that includes the parser) only uses the parser and provides no mechanism to freeze its version, so it does not satisfy the goal; D specifies "Built-in" rather than the documented "Any" value. Confidence is held at 80% because the official Practice Assessment reportedly answers BE, creating a genuine Suggested/assessment-vs-community conflict, but the live documentation clearly supports BC and the largest single vote bloc (30) backs BC.

More SC-200 practice questions