Microsoft Security Operations Analyst — Question 108
You have a Microsoft Sentinel workspace.
You investigate an incident that has the following entities:
• A user account named User1
• An IP address of 192.168.10.200
• An Azure virtual machine named VM1
• An on-premises server named Server1
You need to label an entity as an indicator of compromise (IoC) directly by using the incidents page.
Which entity can you label?
Answer options
- A. 192.168.10.200
- B. VM1
- C. Server1
- D. User1
Correct answer: A
Explanation
The correct answer is A, 192.168.10.200, because an IP address entity can be labeled as an indicator of compromise directly from the incidents page in Microsoft Sentinel. The other entities (the user account, the Azure virtual machine, and the on-premises server), while potentially relevant to the investigation, cannot be labeled as IoCs directly from the incidents page.