ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam SC-200 All Questions

View all questions & answers for the SC-200 exam
Go to Exam

Exam SC-200 topic 3 question 77 discussion

Actual exam question from Microsoft's SC-200
Question #: 77
Topic #: 3
[All SC-200 Questions]

HOTSPOT -

You have a Microsoft Sentinel workspace named sws1.

You need to create a query that will detect when a user creates an unusually large numbers of Azure AD user accounts.

How should you complete the query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Show Suggested Answer Hide Answer
Suggested Answer:
by Fez786 at Sept. 9, 2023, 7 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
blueking
Highly Voted 1 year, 7 months ago
BehaviorAnalytics AuditLogs
upvoted 19 times
Another_one
10 months, 1 week ago
BehaviorAnalytics to get ActivityInsights and UserInsights, and AuditLogs to get TargetResources
upvoted 3 times
...
...
Respen
Highly Voted 1 year, 5 months ago
1. BehaviorAnalytics - Explanation: ActivityInsights Column - Reference: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/behavioranalytics 2. AuditLogs - Explanation: TargetResources Column - Reference: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/auditlogs
upvoted 12 times
...
smanzana
Most Recent 1 year ago
1-BehaviorAnalytics 2-AuditLogs
upvoted 4 times
...
mc250616
1 year, 8 months ago
As DigitaIV already mentioned; the query only works for me if I use first BehaivorAnalytics and then Audit logs. Tested
upvoted 6 times
...
Ghost042
1 year, 9 months ago
Auditlogs, BehaviourAnalytics
upvoted 2 times
...
Kurdd
1 year, 9 months ago
Auditlogs table does not have activity insights
upvoted 1 times
...
Fez786
1 year, 9 months ago
BehaviorAnalytics, BehaviorAnalytics
upvoted 1 times
Ramye
1 year, 5 months ago
Joining the same table?
upvoted 3 times
...
...
chepeerick
1 year, 9 months ago
Correct
upvoted 1 times
...
danb67
1 year, 9 months ago
BehaviorAnalytics, BehaviorAnalytics. It's only this table has ActivityInsights and UserInsights. The userinsights column contains an array of data and this query pulls out the accountdisplayname from it and adds it to a new column named DisplayName. I am just confused as to why we are joining the same table to itself.
upvoted 3 times
danb67
1 year, 9 months ago
My guess is this query if correct, uses default join (innerunique) would mean that on the left table we will get the add user row. Then from the right table we will get details of each user created. Whereas if we didnt join the tables and just did one big query then we would get too much info back.
upvoted 2 times
...
...
DigitalV
1 year, 9 months ago
Don't ask me why but the query only works for me if I use first BehaivorAnalytics and then Audit logs
upvoted 4 times
...
donathon
1 year, 10 months ago
BehaviorAnalytics, BehaviorAnalytics for me too.
upvoted 4 times
Ramye
1 year, 5 months ago
Well, with this you would get at least 1 point - lol
upvoted 2 times
...
...
Fez786
1 year, 10 months ago
what is the correct answer? im seeing different answers from 2 users below..................
upvoted 2 times
...
Anil0512
1 year, 10 months ago
Correct answer are. BehaviourAnalytics and BehaviourAnalytics Tried and tested.
upvoted 5 times
Vika_1_111
1 year, 10 months ago
But why would you join same table?
upvoted 5 times
...
...
mali1969
1 year, 10 months ago
AuditLogs BehaviorAnalytics
upvoted 4 times
luisM14
1 year, 6 months ago
Its wrong. Test it. Its BehaviorAnalytics and AuditLogs
upvoted 2 times
...
...
Nabbo92
1 year, 10 months ago
SecurityEvents, BehaviorAnalytics
upvoted 1 times
Nabbo92
1 year, 10 months ago
BehaviorAnalytics, BehaviorAnalytics. Only that has the activityinsights column
upvoted 6 times
danb67
1 year, 9 months ago
Why would you join the same table together?
upvoted 2 times
...
a311
1 year, 10 months ago
https://learn.microsoft.com/en-us/azure/sentinel/ueba-reference#activityinsights-field
upvoted 1 times
...
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel