ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam SC-200 All Questions

View all questions & answers for the SC-200 exam
Go to Exam

Exam SC-200 topic 6 question 6 discussion

Actual exam question from Microsoft's SC-200
Question #: 6
Topic #: 6
[All SC-200 Questions]

HOTSPOT -

You have an Azure subscription that contains a Log Analytics workspace named Workspace1.

You configure Azure activity logs and Microsoft Entra ID logs to be forwarded to Workspace1.

You need to identify which Azure resources have been queried or modified by risky users.

How should you complete the KQL query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Show Suggested Answer Hide Answer
Suggested Answer:
by kukuliquid at May 14, 2024, 1:40 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
kukuliquid
Highly Voted 1 year, 1 month ago
IMO, but i can be wrong 1. Should be MicrosoftGraphActivityLog 2. Should be (parse_url(RequestUri).Path) Explanation Below: Why MicrosoftGraphActivityLog ? We are looking for Azure Resource queried or modified. Microsoft Graph Activity Logs provide details of API requests made to Microsoft Graph for resources in the tenant. Why Parse_url ? By elimination: path_path > SourceSystem - that belongs to Azure Activity does not make sense The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics Parse_xml(ATContent) is nowhere to be found. Apparently in AADRiskeyUser but "reserved for future use" Thus we have Parse_url(RequestUri).Path It belongs to MicrosoftGraphActivityLogs It makes sense with the regex we can find after that looks like to contain v1.0', which looks like graph API url.
upvoted 8 times
trut_hz
5 months, 1 week ago
Azure Monitor for the first one because The AADRiskyUsers table in Azure Monitor Logs contains data generated by Azure Active Directory (Azure AD) Identity Protection for risky users. This table includes information such as the user's risk level, risk state, and the details of the detected risk. MICROSOFT LEARN Key Columns in the AADRiskyUsers Table: Id: Unique ID of the user at risk. UserPrincipalName: Risky user principal name. RiskLevel: Level of the detected risky user. Possible values are: low, medium, high, hidden, none, unknownFutureValue. RiskState: State of the user's risk. Possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, unknownFutureValue. RiskDetail: Details of the detected risk. RiskLastUpdatedDateTime: The date and time that the risky user was last updated. URI for the 2nd one.
upvoted 1 times
...
...
user636
Highly Voted 9 months, 4 weeks ago
The answer is: MicrosoftGraphActivityLogs in the first dropdown parse_url(RequestUri).path) in the second dropdown Explanation: The MicrosoftGraphActivityLogs table contains the columns names (UserId, RequestUri, RequestMethod ) used in the KQL. Ref: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/microsoftgraphactivitylogs AzureActivity table does not contain the column names mentioned in the KQL. I've checked in actual Sentinel logs.
upvoted 6 times
talosDevbot
8 months, 2 weeks ago
First hint would be to look at the "join AADRiskyUsers on $left.UserID==$right.Id" line. UserID exist in the "MicrosoftGraphActivityLogs" table, not in the AzureActivity table. If we're looking for activity that resemble the query or modification of Azure resources, the RequestUri field is very informative
upvoted 2 times
OneplusOne
3 weeks, 5 days ago
Also, parsing the AzureActivity ResourcePath like this would make it less readable; - Before: subscriptions/123/resourceGroups/TestGroup/providers/Microsoft.Compute/virtualMachines/TestVM/start - After: subscriptions123resourceGroupsTestGroupprovidersMicrosoft.ComputevirtualMachinesTestVMstart
upvoted 1 times
...
...
...
HAjouz
Most Recent 3 months, 3 weeks ago
Azureactivity Logs and URL - Azure activity logs focus on subscription-level events, such as resource modifications and virtual machine operation
upvoted 1 times
...
HAjouz
6 months, 1 week ago
UserRiskEvents | join AADRiskyUsers on $left.UserId == $right.Id | extend resourcePath = replace_string(replace_string(replace_regex(tostring( // Select the correct option here: parse_url(RequestUri).Path ), @'(\/)+','/'), 'v1.0/',''), 'beta', '') | summarize RequestCount=dcount(RequestId) by UserId, RiskState, resourcePath, RequestMethod, ResponseStatusCode
upvoted 2 times
...
g_man_rap
10 months ago
First Drop-down (Log Source): Select: AzureActivity Reason: AzureActivity contains logs of activities performed on Azure resources, which is where you would track queries or modifications made by risky users. Second Drop-down (Parsing Method): Select: parse_url(RequestUri).Path Reason: The RequestUri field typically contains the URL that was accessed or modified. Using parse_url(RequestUri).Path allows you to extract the specific path of the resource that was queried or modified, which is necessary for identifying the exact resource.
upvoted 2 times
...
shdwktn
10 months, 3 weeks ago
Seems like its AzureActivity and parse_url(ResourceUri).Path) https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/parse-url-function
upvoted 2 times
...
smosmo
1 year ago
1. Must be Azure Activity Log (has OperationName and Activity Status) 2. parse_url (other do not make sense)
upvoted 1 times
...
laddu001
1 year, 1 month ago
// Retrieve Azure activity logs AzureActivity | where TimeGenerated >= ago(30d) // Adjust the time range as necessary | join kind=inner ( // Retrieve risk user information AADRiskUsers | where RiskState == "AtRisk" ) on $left.Caller == $right.UserPrincipalName | extend resourcePath = replace_string(replace_string(tostring(parse_url(ResourceUri).Path), "/", ""), ":", "") | summarize RequestCount=dcount(RequestId) by UserPrincipalName, RiskState, resourcePath, OperationName, ActivityStatus | project UserPrincipalName, RiskState, resourcePath, OperationName, ActivityStatus, RequestCount
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel