Exam SC-200 Topic 3 Question 22 Discussion

Actual exam question for Microsoft's SC-200 exam
Question #: 22
Topic #: 3
You have an Azure Sentinel deployment.
You need to query for all suspicious credential access activities.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Suggested Answer:


Explanation:

According to Microsoft Sentinel documentation, Hunting is a proactive feature that allows analysts to query raw security data for indicators of compromise (IoCs), suspicious patterns, and potential threats. When an analyst needs to query for suspicious credential access activities, they should use the Hunting page in the Microsoft Sentinel portal.
The correct sequence is as follows:
* From Azure Sentinel, select Hunting. This step opens the Hunting dashboard, which provides access to all prebuilt and custom hunting queries. Each query corresponds to specific tactics and techniques aligned with the MITRE ATT&CK framework.
* Filter by tactics. Since the goal is to find suspicious credential access, you should filter the hunting queries by the Credential Access tactic. This narrows the view to only the queries related to credential theft or misuse activities.
* Select Run All Queries. Once filtered, running all relevant hunting queries executes them against your connected data sources (e.g., Defender for Endpoint, Azure AD logs, etc.) to identify suspicious credential activity patterns.
Why not the other options?
* Select New Query is used to create a custom hunting query, not to search existing suspicious credential access detections.
* From Azure Sentinel, select Notebooks is for advanced visualization and correlation using Jupyter, not for tactical hunting queries.
Final Correct Sequence:
1. From Azure Sentinel, select Hunting
2. Filter by tactics
3. Select Run All Queries

by Viola at Jun 28, 2026, 01:07 AM
