Exam SC-200 topic 1 question 54 discussion

Actual exam question from Microsoft's SC-200

Question #: 54
Topic #: 1

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint.

You need to create a query that will link the AlertInfo, AlertEvidence, and DeviceLogonEvents tables. The solution must return all the rows in the tables.

Which operator should you use?

A. search *
B. union kind = inner
C. join kind = inner
D. evaluate hint.remote =

Show Suggested Answer

Suggested Answer: B 🗳️

by hovlund at Oct. 3, 2023, 10:27 a.m.

Comments

Submit Cancel

danb67

Highly Voted 1 year, 8 months ago

A. Not correct syntax. B. Correct Answer. Union takes two or more tables and returns the rows of all of them. C. Join Kind inner will not produce every row as inner means output has one row for every combination of left and right. So only if the columns appears in both tables will we get a hit. This doesn't meet the ask. D. Evaluate in KQL calls a plugin this is not relevant to the question

upvoted 8 times

...

DChilds

Highly Voted 1 year, 1 month ago

This question was in the exam 27/04/2024.

upvoted 6 times

...

Nikki0222

Most Recent 8 months ago

B correct

upvoted 1 times

...

Porter5000

1 year, 4 months ago

Selected Answer: B

Union, because there are two or more tables that you need the rows from all tables

upvoted 2 times

...

N1oks

1 year, 7 months ago

Selected Answer: B

just could be *b*

upvoted 1 times

...

smanzana

1 year, 7 months ago

It is B

upvoted 1 times

...

chepeerick

1 year, 8 months ago

Option B

upvoted 2 times

...

hovlund

1 year, 8 months ago

Correct, Union takes Two or more tables and returns the rows of all of them: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/unionoperator?pivots=azuredataexplorer

upvoted 4 times

...