SC-200 Certification Practice Question #173

Question

Your on-premises network contains a Hyper-V cluster. The cluster contains the virtual machines shown in the following table.

You have a Microsoft Sentinel workspace named SW1.

You have a data collection rule (DCR) that has the following configurations:

•	Name: DCR1
•	Destination: SW1
•	Platform type: All
•	Data collection endpoint: None
•	Data source: Windows event logs, Linux syslog

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Accepted Answer

All three servers are on-premises (Hyper-V cluster), and MS Learn is explicit that for **Microsoft Sentinel** log collection a non-Azure/on-prem machine requires **both** the Azure Arc Connected Machine agent (to project the machine into Azure as a targetable resource the DCR can reference) **and** the Azure Monitor Agent (to actually collect Windows event logs / Linux syslog). AMA does not replace the Connected Machine agent. Checking each row: Server1 has AMA but no Arc, so it cannot be registered/added to the DCR (No); Server2 has Arc but no AMA, so nothing collects the events (No); Server3 (Linux) has AMA but no Arc, same gap as Server1 (No). That yields N, N, N, matching fa4f3ef's two highest-voted comments (👍 4 and 👍 3). Confidence is 78% because there is no official Suggested/Most-Voted answer and the community genuinely splits three ways (YNY / NYN / NNN); the NYN view (c03bf14) is the strongest dissent — it relies on AMA being bundled with the Connected Machine agent — but the machine table explicitly marks Server2's AMA as "Not installed," so without AMA present that row still fails, leaving N,N,N best supported by MS Learn.

More SC-200 practice questions