Exam SC-200 topic 1 question 44 discussion

Actual exam question from Microsoft's SC-200
Question #: 44
Topic #: 1

HOTSPOT

You have a Microsoft 365 E5 subscription that uses Microsoft Defender 365.

Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with Azure AD.

You need to identify LDAP requests by AD DS users to enumerate AD DS objects.

How should you complete the KQL query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

trashbox
Highly Voted 1 year, 8 months ago
1. IdentityQueryEvents: When considering a table with AccountSid and it's about the LDAP request, it is "IdentityQueryEvents."
2. isnotempty: For determining whether there is a value in the AccountSid, it is "isnotempty."
upvoted 13 times
Nikki0222
7 months, 2 weeks ago
Correct
upvoted 1 times
Rand0mConsultant
Highly Voted 11 months, 2 weeks ago
On Exam 25/06/2024
upvoted 6 times
smanzana
Most Recent 1 year, 6 months ago
IdentityQueryEvents isnotempty
upvoted 1 times
jamclash
1 year, 8 months ago
in exam 9/20/23
upvoted 4 times
a311
1 year, 8 months ago
Correct answer (tested): IdentityQueryEvents | where isnotempty(AccountSid). The "has" syntax requires a column (ref. https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/has-operator#syntax), while "isnotempty" can follow a "where" (ref. https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/isnotemptyfunction#example).
upvoted 4 times
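A fuller hunting query built on the answer above, as an added example that is not from the original post or from Microsoft's documentation. The ActionType value "LDAP query", the use of QueryTarget and Query, and the threshold of 50 distinct targets per hour are assumptions about the IdentityQueryEvents schema and a constructed tuning value.

```kql
// Added example (not from the original post): surface AD DS users issuing
// many LDAP enumeration requests, starting from the exam answer
//   IdentityQueryEvents | where isnotempty(AccountSid)
// Assumed: ActionType "LDAP query", QueryTarget/Query columns, threshold of 50.
IdentityQueryEvents
| where Timestamp > ago(1d)
| where isnotempty(AccountSid)          // keep only requests tied to an AD DS account SID
| where ActionType == "LDAP query"      // LDAP only, not SAMR or DNS lookups
| summarize
    QueryCount = count(),
    DistinctTargets = dcount(QueryTarget),
    SampleQueries = make_set(Query, 5)  // a few raw LDAP filters for triage
    by AccountSid, AccountName, AccountDomain, DeviceName, bin(Timestamp, 1h)
| where DistinctTargets > 50            // constructed threshold: tune to your environment
| order by DistinctTargets desc
```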
mali1969
1 year, 9 months ago
IdentityQueryEvent | where has (AccountSid). To identify LDAP requests by AD DS users to enumerate AD DS objects, you need to use the IdentityQueryEvent table, which contains information about LDAP queries performed by users or applications. You also need to use the has operator, which checks if a string field contains a specified substring. Finally, you need to filter by the AccountSid column, which contains the security identifier (SID) of the user or application that performed the query.
upvoted 1 times
mali1969
1 year, 9 months ago
Please confirm the 2nd option: either has or isnotempty?
upvoted 1 times
hovlund
1 year, 8 months ago
Isnotempty is correct, verify here: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/isnotemptyfunction. It checks if there is a value. Where "has" compares a value, and there is no value to compare, it is only checking if there is a value in general.
upvoted 1 times
Fez786
1 year, 9 months ago
This new question arrived today, 9th September 2023. Can someone please verify the correct
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other