SC-200 Certification Practice Question #188

Question

You have three Azure subscriptions. Each subscription contains multiple virtual machines that run Windows Server.

You have a Microsoft Sentinel workspace.

You need to ensure that failed sign-in attempts from all the virtual machines can be analyzed by using Microsoft Sentinel. The solution must minimize administrative effort.

What should you do first?

Accepted Answer

Failed Windows sign-in attempts are recorded as Security event ID 4625, which lives in the Windows Security event log. To get these into Sentinel with the least administrative effort, you install the **Windows Security Events** solution from the Content hub — it deploys the Windows Security Events via AMA connector, which uses the Azure Monitor Agent and Data Collection Rules and can be scoped across all three subscriptions from one place, landing the data in the SecurityEvent table. Per-VM event subscriptions (B) and installing the Connected Machine/Arc agent alone (C) are higher-effort and, in C's case, don't actually collect the security events. The Syslog solution (D) targets Linux/CEF sources, not Windows security events. Suggested Answer, the unanimous community vote, and MS Learn all converge on A.

More SC-200 practice questions