SC-200 Certification Practice Question #76

Question

You plan to review Microsoft Defender for Cloud alerts by using a third-party security information and event management (SIEM) solution.

You need to locate alerts that indicate the use of the Privilege Escalation MITRE ATT&CK tactic.

Which JSON key should you search?

Accepted Answer

Microsoft's alert schema documents that the `intent` property inside the alert's `properties` JSON bag holds "the kill-chain intent of the alert," with possible values drawn directly from the MITRE ATT&CK tactics/Intentions table — which lists "Privilege Escalation" as a tactic. To locate alerts indicating the Privilege Escalation tactic in a third-party SIEM, you search the `intent` JSON key (e.g., `"intent": "PrivilegeEscalation"`). The Suggested Answer, the dominant 25-vote community pick, and two high-vote comments (VictorLiu 👍21, Fcnet 👍4) all align with the MS Learn schema. A minority argued `ExtendedProperties`, but that field carries supplementary metadata rather than the canonical tactic mapping, so it is discounted. Confidence is held at 93 rather than higher only because of the persistent ExtendedProperties dissent.

More SC-200 practice questions