Microsoft Security Operations Analyst — Question 9

You have a Microsoft Sentinel workspace named Workspace1.

You need to exclude a built-in, source-specific Advanced Security Information Model (ASIM) parser from a built-in unified ASIM parser.

What should you create in Workspace1?

Answer options

Correct answer: B

Explanation

Creating a watchlist lets you manage which source-specific parsers are excluded from the built-in unified ASIM parser. The other options, such as analytic rules, workbooks, and hunting queries, do not exclude parsers; they focus on analysis and visualization of data.