Microsoft Security Operations Analyst — Question 12
You have a Microsoft Sentinel workspace.
You need to prevent a built-in Advanced Security Information Model (ASIM) parser from being updated automatically.
What are two ways to achieve this goal? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
Answer options
- A. Create a hunting query that references the built-in parser.
- B. Build a custom unifying parser and include the built-in parser version.
- C. Redeploy the built-in parser and specify a CallerContext parameter of Any and a SourceSpecificParser parameter of Any.
- D. Redeploy the built-in parser and specify a CallerContext parameter of Built-in.
- E. Create an analytics rule that includes the built-in parser.
Correct answer: B, C
Explanation
The correct answers are B and C. Building a custom unifying parser that includes a specific version of the built-in parser lets you control which version is used, so the built-in parser is no longer updated automatically. Redeploying the built-in parser with the specified parameters likewise keeps its version fixed. The other options (A, D and E) do not provide a method to prevent the automatic update of the parser.