SC-200 Certification Practice Question #195

Question

You have a Microsoft Sentinel workspace that contains the following Advanced Security Information Model (ASIM) parsers:

•	_Im_ProcessCreate
•	imProcessCreate

You create a new source-specific parser named vimProcessCreate.

You need to modify the parsers to meet the following requirements:

•	Call all the ProcessCreate parsers.
•	Standardize fields to the Process schema.

Which parser should you modify to meet each requirement? To answer, drag the appropriate parsers to the correct requirements.

Each parser may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Accepted Answer

ASIM has unifying parsers (which `union` all source-specific parsers) and source-specific parsers (which do the actual normalization). Because the scenario adds a new custom workspace parser, `vimProcessCreate`, the documentation is explicit that you add a custom parser to the **workspace-deployed** unifying parser — named `imProcessCreate` (the `_Im_ProcessCreate` variant is the built-in unifying parser, not the one you edit to register a workspace `vim*` parser). So "Call all the ProcessCreate parsers" → modify `imProcessCreate`. The "Standardize fields to the Process schema" requirement is the job of the source-specific parser that maps the raw source events to the Process schema; that is your new `vimProcessCreate`. This matches the best-reasoned comments (Tuitor01 6/4 👍 reasoning, rkrau). Confidence is deliberately below 75 because the community is genuinely split: the single highest-voted comment (g_man_rap, 6 👍) instead pairs `_Im_ProcessCreate` with the standardization row, and several commenters disagree on which of the two unifying parsers ("`_Im_`" built-in vs "`im`" workspace) the question intends — the answer hinges on the question's "you created a new... parser" framing pointing to the workspace/custom layer.

More SC-200 practice questions