ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam SC-200 All Questions

View all questions & answers for the SC-200 exam
Go to Exam

Exam SC-200 topic 3 question 83 discussion

Actual exam question from Microsoft's SC-200
Question #: 83
Topic #: 3
[All SC-200 Questions]

HOTSPOT
-

You have an Azure subscription that contains the following resources:

• A virtual machine named VM1 that runs Windows Server
• A Microsoft Sentinel workspace named Sentinel1 that has User and Entity Behavior Analytics (UEBA) enabled

You have a scheduled query rule named Rule1 that tracks sign-in attempts to VM1.

You need to update Rule1 to detect when a user from outside the IT department of your company signs in to VM1. The solution must meet the following requirements:

• Utilize UEBA results.
• Maximize query performance.
• Minimize the number of false positives.

How should you complete the rule definition? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Show Suggested Answer Hide Answer
Suggested Answer:
by Fez786 at Sept. 9, 2023, 7:03 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
donathon
Highly Voted 1 year, 9 months ago
Correct answer https://learn.microsoft.com/en-us/azure/sentinel/ueba-reference#ueba-enrichments The IdentityInfo table is where identity information synchronized to UEBA from Azure Active Directory (and from on-premises Active Directory via Microsoft Defender for Identity) is stored. In the question it's trying to join 2 tables using AccountSID with the $left and $right corresponding to respective tables SecurityEvent | where EventID in ("4624","4672") | where Computer == "My.High.Value.Asset" | join kind=inner ( IdentityInfo | summarize arg_max(TimeGenerated, *) by AccountObjectId) on $left.SubjectUserSid == $right.AccountSID | where Department != "IT" https://learn.microsoft.com/en-us/azure/sentinel/investigate-with-ueba#embed-identityinfo-data-in-your-analytics-rules-public-preview
upvoted 9 times
...
smanzana
Most Recent 11 months, 2 weeks ago
Inner Identityinfo
upvoted 1 times
...
ostralo
1 year, 3 months ago
IdentityInfo table has Department info. After you enable UEBA for your Microsoft Sentinel workspace, data from your Microsoft Entra ID is synchronized to the IdentityInfo table in Log Analytics for use in Microsoft Sentinel.
upvoted 2 times
...
chepeerick
1 year, 8 months ago
Correct option
upvoted 2 times
...
Anil0512
1 year, 8 months ago
Tested. Inner Identityinfo
upvoted 2 times
...
Nabbo92
1 year, 10 months ago
Inner and BehaviorAnalytics. "The BehaviorAnalytics table is where UEBA's output information is stored." https://learn.microsoft.com/en-us/azure/sentinel/ueba-reference.
upvoted 3 times
Studytime2023
11 months, 2 weeks ago
If you use this link: https://learn.microsoft.com/en-us/azure/sentinel/ueba-reference#identityinfo-table You will see the table columns match: | summarize arg_max(TimeGenerated, *) by AccountObjectId) on $left.SubjectUserSid == $right.AccountSID | where Department != "IT" If you use this link: https://learn.microsoft.com/en-us/azure/sentinel/ueba-reference#behavioranalytics-table you will see those columns don't match.
upvoted 3 times
...
danb67
1 year, 8 months ago
Nope there is no Department column in the BehaviorAnalytics table
upvoted 2 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel