Free Microsoft SC-200 Security Operations Analyst Actual Exam Questions - Question 3 Discussion
HOTSPOT You need to implement the ASIM query for DNS requests. The solution must meet the Microsoft Sentinel requirements. How should you configure the query? To answer, select the appropriate options in the answer area.
Option A matches the current ASIM DNS fields syntax better than B or C.
I think option C might fit since it aligns with the latest ASIM DNS schema updates I've seen, especially on how request fields are handled. B is solid but could miss newer attributes important in Sentinel.
Option B, because ASIM simplifies DNS data handling with its standardized fields.
Option B fits best since it targets the actual DNS request events in ASIM.
I’d pick option B too because ASIM’s whole point is to unify DNS log fields, so using its standardized DNS table makes querying more reliable. Also, filtering specifically on DNS request operations aligns with how ASIM structures those logs. Other options might miss the ASIM normalization layer, which is key for consistent data analysis in Sentinel.
Option B makes sense since ASIM standardizes those DNS fields across logs.
I'd go with option B because ASIM uses its own standardized fields for DNS queries, so referencing the ASIM DNS table directly is necessary. Plus, the query should definitely filter on the DNS request operation and not just any DNS log to meet Sentinel’s requirements. Also, it makes sense to include fields like QueryName and ClientIp since those are common in ASIM's DNS schema. This approach ensures the query is both precise and compliant with Sentinel's ASIM data model.
I think the key part here is focusing on how Microsoft Sentinel collects DNS logs and processes them under ASIM. Since ASIM standardizes schemas, the query should reference the ASIM DNS table, which usually includes fields like ClientIP, QueryName, and QueryType. So, I'd choose options that align with querying the ASIM_DNS table or whatever the standardized DNS logs are called. Also, make sure any parsing or filtering uses ASIM-compatible fields to meet the requirements. This way, the query works within Sentinel’s framework without custom parsing outside ASIM.
What exactly do they mean by ASIM query here? Need more details.
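For readers asking what an "ASIM query" looks like in practice, here is an added KQL example (not taken from the question or any of the posts above) that queries DNS requests through Microsoft Sentinel's ASIM DNS unifying parser `_Im_Dns`, filters to request events only, and projects the schema's standardized fields. It assumes the ASIM DNS parsers are deployed in the workspace and that at least one DNS source is being normalized by them.

```kql
// Added example: DNS requests via the ASIM DNS unifying parser.
// Assumption: the ASIM DNS parsers (_Im_Dns) are deployed in this workspace.
// Passing the time window as parser parameters lets ASIM push the filter
// down to each source table instead of filtering after normalization.
_Im_Dns(starttime=ago(1d), endtime=now())
// Keep DNS requests only; ASIM represents responses as a separate EventType.
| where EventType == "Query"
// Standardized ASIM DNS fields, independent of the underlying DNS product.
| project TimeGenerated, SrcIpAddr, DnsQuery, DnsQueryTypeName, EventResult, EventVendor
// Example analytic on top of the normalized data: noisiest querying hosts
// and a sample of the names they asked for.
| summarize QueryCount = count(), SampleQueries = make_set(DnsQuery, 20) by SrcIpAddr
| order by QueryCount desc
```

Because the query addresses the parser rather than a product-specific table, the same logic runs unchanged against any DNS source that ASIM normalizes.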