SC-200 Certification Practice Question #243

Question

You have an Azure subscription that contains a Microsoft Sentinel workspace named WS1. WS1 has the Azure Activity connector and the Microsoft Entra ID connector configured.

You need to investigate which accounts have the most alerts and any corresponding incident information for each alert. The solution must minimize administrative effort.

What should you do first in WS1?

Accepted Answer

The task is to find which accounts have the most alerts plus the corresponding incident information with minimal effort, and the keyword is "first." Microsoft Sentinel's UEBA must be enabled before any UEBA-driven investigation, and once enabled the built-in UEBA Essentials/workbook surfaces top risky users with their anomalies and attached incidents — exactly the alert-per-account + incident view requested, with no custom rule building. The Suggested Answer, the Most Voted (5), and the highly-voted Dabinlo comment all select B. Option A is the action UEBA enables but presupposes it is already on, so the correct "first" step is enabling it. Confidence is high but trimmed slightly below 92 because A is a close conceptual distractor and the vote count is modest.

More SC-200 practice questions