To support excluding built-in source-specific parsers, ASIM uses a watchlist.
https://learn.microsoft.com/en-us/azure/sentinel/normalization-manage-parsers#set-up-your-workspace
ChatGPT:
✅ Correct answer: B. a watchlist
🧾 Explanation:
To exclude a built-in, source-specific ASIM parser from a unified ASIM parser in Microsoft Sentinel, the recommended approach is to:
👉 Use a Watchlist
Microsoft Sentinel uses watchlists to provide custom inclusion/exclusion logic for various features, including ASIM parsers.
You can create a watchlist that lists the parsers you want to exclude, and then reference that watchlist in custom ASIM logic or configurations.
To support excluding built-in source-specific parsers, ASIM uses a watchlist. Deploy the watchlist to your Microsoft Sentinel workspace from the Microsoft Sentinel GitHub repository.
To define source type for built-in and custom parsers, ASIM uses a watchlist. Deploy the watchlist to your Microsoft Sentinel workspace from the Microsoft Sentinel GitHub repository.
Answer B
To modify an existing, built-in source-specific parser:
1 Create a custom parser based on the original parser and add it to the built-in parser.
2 Add a record to the ASim Disabled Parsers watchlist.
3 Define the CallerContext value as Exclude<parser name>, where <parser name> is the name of the unifying parsers you want to exclude the parser from.
4 Define the SourceSpecificParser value Exclude<parser name>, where <parser name> is the name of the parser you want to exclude, without a version specifier.
(From: https://learn.microsoft.com/en-us/azure/sentinel/normalization-manage-parsers)
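As an added example (not part of the post above or of Microsoft's own parser code), the KQL below shows how a unifying parser reads the record described in steps 2 to 4: the CallerContext value is the watchlist's search key, and the SourceSpecificParser value decides whether one built-in parser is skipped. The watchlist alias `ASimDisabledParsers`, the unifying-parser name `ExcludeASimDns` and the source-specific name `ExcludeASimDnsAzureFirewall` are assumptions chosen for illustration; substitute the names of the parsers deployed in your workspace.

```kusto
// Added example: verify what the ASim Disabled Parsers watchlist currently excludes
// for one unifying parser. Watchlist alias and parser names are assumptions.
//
// The watchlist record from steps 3 and 4 would look like this (constructed values):
//   CallerContext            SourceSpecificParser
//   ExcludeASimDns           ExcludeASimDnsAzureFirewall
//
// CallerContext is the search key; 'Any' is the conventional value that disables
// every source-specific parser for the caller.
let DisabledParsers = materialize(
    _GetWatchlist('ASimDisabledParsers')
    | where SearchKey in ('Any', 'ExcludeASimDns')
    | extend SourceSpecificParser = column_ifexists('SourceSpecificParser', '')
    | distinct SourceSpecificParser);
// True when the Azure Firewall DNS parser would be skipped by the DNS unifying parser,
// either because it is listed explicitly or because everything is disabled with 'Any'.
let AzureFirewallDisabled = toscalar(
    'Any' in (DisabledParsers) or 'ExcludeASimDnsAzureFirewall' in (DisabledParsers));
// List the excluded source-specific parsers and the resulting decision for review.
DisabledParsers
| extend AzureFirewallParserExcluded = AzureFirewallDisabled
```

Run this in Logs after deploying the watchlist to confirm the record takes effect before relying on the unifying parser in analytics rules; an empty result means no exclusion applies to that caller.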
A. an analytic rule
An analytic rule allows you to specify the conditions under which data is collected and analyzed. By creating an analytic rule in Workspace1, you can exclude a built-in, source-specific ASIM parser from a built-in unified ASIM parser by specifying conditions that exclude the data generated by that parser.
For example, you could create an analytic rule that filters out all events generated by the built-in, source-specific parser you want to exclude, by using the "where" clause, this way the unified parser will not process the events generated by that source-specific parser.
While the other options (B, C, D) are useful for different purposes, none of them can be used to exclude a specific parser from a unified parser.
To support excluding built-in source-specific parsers, ASIM uses a watchlist. Deploy the watchlist to your Microsoft Sentinel workspace from the Microsoft Sentinel GitHub repository.
From one of the above links provided.
Community vote distribution
A (35%)
C (25%)
B (20%)
Other