SC-200 Certification Practice Question #223

Question

You have a Microsoft Sentinel workspace named SW1.

In SW1, you investigate an incident that is associated with the following entities:

•	Host
•	IP address
•	User account
•	Malware name

Which entity can be labeled as an indicator of compromise (IoC) directly from the incident's page?

Accepted Answer

The incident's entities are Host, IP address, User account, and Malware name. MS Learn's incident-investigation "supported actions" table shows the **Add to TI** action (which labels an entity as an indicator of compromise) is available only for IP address, URL, Domain name, and File (hash) — and explicitly NOT for User account or Host. Of the four entities present in this incident, only the **IP address** is on the supported list, so it is the only entity that can be labeled as an IoC directly from the incident's page. The Suggested Answer, the unanimous community vote, and two source-citing comments all agree, with no credible dissent.

More SC-200 practice questions