
Exam SC-200 topic 1 question 49 discussion

Actual exam question from Microsoft's SC-200
Question #: 49
Topic #: 1

HOTSPOT

Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with Azure AD.

You have a Microsoft 365 E5 subscription that uses Microsoft 365 Defender.

You need to identify all the interactive authentication attempts by the users in the finance department of your company.

How should you complete the KQL query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

Chosen Answer:
cris_exam
Highly Voted 1 year, 9 months ago
Yes, I agree too. IdentityInfo => to get Department and AccountObjectId https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identityinfo-table?view=o365-worldwide and IdentityLogonEvents => for the interactive sign-ins.
upvoted 12 times
Nikki0222
8 months, 4 weeks ago
Correct
upvoted 1 times
cris_exam
1 year, 9 months ago
IdentityLogonEvents => https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide
upvoted 2 times
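The two-table approach described in the question and in cris_exam's answer above, written out as a complete advanced hunting query. This is an added example, not the exam's suggested answer or any commenter's code; it assumes the Microsoft 365 Defender schema columns documented for IdentityInfo (Department, AccountObjectId, AccountUpn, AccountDisplayName) and IdentityLogonEvents (AccountObjectId, LogonType, ActionType, Protocol, DeviceName, IPAddress, FailureReason), and that interactive sessions carry the LogonType value "Interactive".

```kusto
// Added example: interactive authentication attempts by finance users.
// Step 1: build the set of finance users from IdentityInfo. IdentityInfo
// can hold several rows per user (one per identity source), so reduce it
// to one row per AccountObjectId before joining.
let FinanceUsers =
    IdentityInfo
    | where Department == "Finance"
    | where isnotempty(AccountObjectId)
    | distinct AccountObjectId, AccountUpn, AccountDisplayName;
// Step 2: pull logon events and keep only interactive sessions.
// Assumption: LogonType uses the documented value "Interactive".
IdentityLogonEvents
| where Timestamp > ago(30d)
| where LogonType == "Interactive"
| project Timestamp, AccountObjectId, ActionType, LogonType, Protocol,
          DeviceName, IPAddress, FailureReason
// Step 3: inner join on AccountObjectId, the key both tables share.
| join kind=inner FinanceUsers on AccountObjectId
// Successful and failed attempts are both kept; ActionType tells them apart.
| project Timestamp, AccountDisplayName, AccountUpn, ActionType, LogonType,
          Protocol, DeviceName, IPAddress, FailureReason
| sort by Timestamp desc
```

Drop the LogonType filter to see every logon type for the same users, and summarize by ActionType to count failed versus successful attempts per account.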
Adam7777
Most Recent 9 months, 1 week ago
IdentityInfo, SigninLogs (because it primarily logs interactive sign-ins). IdentityLogonEvents logs every logon event, including interactive sign-ins; for efficiency of the query, SigninLogs should be used.
upvoted 1 times
DanielMDC
1 year, 6 months ago
Could someone please explain why SigninLogs is incorrect?
upvoted 2 times
BtwIdonno
10 months, 2 weeks ago
I think it is because SigninLogs is not in the schema. There is no such table.
upvoted 2 times
jinxie
1 year, 5 months ago
SigninLogs contains both interactive and non-interactive logon events. In this case they specifically want to have interactive logon events, hence the IdentityLogonEvents table, which only contains those.
upvoted 7 times
c3fb529
10 months, 3 weeks ago
Not true. SignInLogs are only interactive sign-ins to Entra. Entra logs non-interactive sign-ins to AADNonInteractiveUserSignInLogs. However, I can't see "AccountObjectID" in the SignInLogs table. But it definitely exists in the IdentityLogonEvents table (which I gather is the AD DS version of SignInLogs).
upvoted 3 times
smanzana
1 year, 8 months ago
IdentityInfo IdentityLogonEvents
upvoted 1 times
chepeerick
1 year, 8 months ago
Options correct. The IdentityLogonEvents table in the advanced hunting schema contains information about authentication activities made through you
upvoted 1 times
danb67
1 year, 9 months ago
IdentityInfo for the Department column and IdentityLogonEvents for the AccountObjectID column, so the answer is correct.
upvoted 1 times
ant0b1
1 year, 10 months ago
The answer is correct: IdentityInfo and IdentityLogonEvents. For IdentityLogonEvents the documentation shows the AccountObjectId field: https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide
upvoted 4 times
Anil0512
1 year, 9 months ago
I go with you.
upvoted 1 times
mali1969
1 year, 10 months ago
IdentityInfo
| where Department == 'Finance'
| project-rename objid = AccountObjectId
| join SigninLogs on $left.objid == $right.AccountObjectID
upvoted 1 times
Fez786
1 year, 10 months ago
This new question arrived today, 9th September 2023. Can someone please verify the correct answer?
upvoted 1 times