Exam SC-200 topic 6 question 6 discussion

IMO, but i can be wrong 1. Should be MicrosoftGraphActivityLog 2. Should be (parse_url(RequestUri).Path) Explanation Below: Why MicrosoftGraphActivityLog ? We are looking for Azure Resource queried or modified. Microsoft Graph Activity Logs provide details of API requests made to Microsoft Graph for resources in the tenant. Why Parse_url ? By elimination: path_path > SourceSystem - that belongs to Azure Activity does not make sense The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics Parse_xml(ATContent) is nowhere to be found. Apparently in AADRiskeyUser but "reserved for future use" Thus we have Parse_url(RequestUri).Path It belongs to MicrosoftGraphActivityLogs It makes sense with the regex we can find after that looks like to contain v1.0', which looks like graph API url.

The answer is: MicrosoftGraphActivityLogs in the first dropdown parse_url(RequestUri).path) in the second dropdown Explanation: The MicrosoftGraphActivityLogs table contains the columns names (UserId, RequestUri, RequestMethod ) used in the KQL. Ref: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/microsoftgraphactivitylogs AzureActivity table does not contain the column names mentioned in the KQL. I've checked in actual Sentinel logs.

Azureactivity Logs and URL - Azure activity logs focus on subscription-level events, such as resource modifications and virtual machine operation

UserRiskEvents | join AADRiskyUsers on $left.UserId == $right.Id | extend resourcePath = replace_string(replace_string(replace_regex(tostring( // Select the correct option here: parse_url(RequestUri).Path ), @'(\/)+','/'), 'v1.0/',''), 'beta', '') | summarize RequestCount=dcount(RequestId) by UserId, RiskState, resourcePath, RequestMethod, ResponseStatusCode

First Drop-down (Log Source): Select: AzureActivity Reason: AzureActivity contains logs of activities performed on Azure resources, which is where you would track queries or modifications made by risky users. Second Drop-down (Parsing Method): Select: parse_url(RequestUri).Path Reason: The RequestUri field typically contains the URL that was accessed or modified. Using parse_url(RequestUri).Path allows you to extract the specific path of the resource that was queried or modified, which is necessary for identifying the exact resource.

Seems like its AzureActivity and parse_url(ResourceUri).Path) https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/parse-url-function

1. Must be Azure Activity Log (has OperationName and Activity Status) 2. parse_url (other do not make sense)

// Retrieve Azure activity logs AzureActivity | where TimeGenerated >= ago(30d) // Adjust the time range as necessary | join kind=inner ( // Retrieve risk user information AADRiskUsers | where RiskState == "AtRisk" ) on $left.Caller == $right.UserPrincipalName | extend resourcePath = replace_string(replace_string(tostring(parse_url(ResourceUri).Path), "/", ""), ":", "") | summarize RequestCount=dcount(RequestId) by UserPrincipalName, RiskState, resourcePath, OperationName, ActivityStatus | project UserPrincipalName, RiskState, resourcePath, OperationName, ActivityStatus, RequestCount