SC-200 Certification Practice Question #17

Question

You have a third-party security information and event management (SIEM) solution.
You need to ensure that the SIEM solution can generate alerts for Azure Active Directory (Azure AD) sign-events in near real time.
What should you do to route events to the SIEM solution?

Accepted Answer

Near-real-time delivery to a non-Microsoft SIEM requires streaming, and Microsoft's documented destination for that is an Azure Event Hub configured via Azure AD / Entra Diagnostic settings. Diagnostic settings → storage account (D) only archives data and isn't real-time, while the Sentinel options (A/C) route into Microsoft's own SIEM rather than the third-party tool the question specifies. Suggested, Most Voted, two strong comments (17 and 4 👍), and MS Learn all converge on B.

More SC-200 practice questions