
Exam SC-200 topic 4 question 18 discussion

Actual exam question from Microsoft's SC-200
Question #: 18
Topic #: 4

You have a Microsoft 365 E5 subscription and a Microsoft Sentinel workspace.

You need to create a KQL query that will combine data from the following sources:

• Microsoft Graph
• Risky users detected by using Microsoft Entra ID Protection

The solution must minimize the volume of data returned.

How should the query start?

  • A.
  • B.
  • C.
  • D.
Suggested Answer: B 🗳️

Comments

Adel614
1 month, 3 weeks ago
Selected Answer: B
The second option is correct. Indeed, "join" is by default "innerunique" which is more optimal than "leftouter" (Answer A). Ref: https://learn.microsoft.com/en-us/kusto/query/join-operator?view=microsoft-fabric#returns Therefore, B is the more optimal choice.
upvoted 2 times
Optimizor_IT
2 months, 1 week ago
Selected Answer: B
A: Returns all Graph rows, even non-risky, increasing volume—doesn't minimize effectively.
B: Returns only rows where Graph activity matches risky users—minimizes volume.
C: Wrong table (AADUserRiskEvents vs. AADRiskyUsers)—misses "risky users" requirement.
D: Wrong table (AADUserRiskEvents) and inefficient—doesn't minimize data.
My answer: B
upvoted 2 times
Blasty
3 months, 3 weeks ago
Selected Answer: A
Why lookup kind=leftouter? lookup is more efficient than join when you have a small reference table (like a list of risky users). lookup kind=leftouter ensures that only relevant columns are added without duplicating redundant rows from the large table (MicrosoftGraphActivityLogs). This minimizes the amount of data returned, which is exactly what is required.
upvoted 2 times
rkrau
4 months, 2 weeks ago
Selected Answer: D
A = Ensures you get a comprehensive view of all activity logs, with additional information about risky users where available.
B = Needs to minimize the volume of data returned, additional filters like limit 1000.
D = This way, you can analyze the activities of users flagged with risk events and gain insights into their behavior.
I would say D
upvoted 1 times
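The join-versus-lookup point the commenters argue about, written out as an added example. This query is not from the exam, from Microsoft, or from any commenter; it assumes the Microsoft Sentinel tables MicrosoftGraphActivityLogs and AADRiskyUsers named in the thread, and the column names (UserId, Id, RiskState, RiskLevel, RiskDetail, RequestMethod, RequestUri, ResponseStatusCode) are assumptions about those schemas that should be checked against the workspace before use.

```kql
// Added example, not code from the exam or the thread.
// Assumption: MicrosoftGraphActivityLogs keys Graph calls by UserId (object id)
// and AADRiskyUsers keys risky users by Id (object id).
//
// Build the small side first: one row per currently risky user. Summarizing to
// the latest row per Id means the join below cannot multiply Graph rows.
let RiskyUsers =
    AADRiskyUsers
    | where RiskState == "atRisk"   // assumption: RiskState value as exposed in the table
    | summarize arg_max(TimeGenerated, RiskLevel, RiskDetail) by Id
    | project Id, RiskLevel, RiskDetail;
// Inner join: only Graph activity rows whose UserId matches a risky user come back,
// so the result is bounded by the risky-user list rather than by all Graph traffic.
// kind=inner is written explicitly because the KQL default (innerunique) also
// deduplicates the LEFT side on the key, which would keep only one Graph call per
// risky user; that is smaller still, but it drops activity an analyst usually wants.
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(1d)
| project TimeGenerated, UserId, RequestMethod, RequestUri, ResponseStatusCode
| join kind=inner RiskyUsers on $left.UserId == $right.Id
| project TimeGenerated, UserId, RiskLevel, RiskDetail, RequestMethod, RequestUri, ResponseStatusCode
| order by TimeGenerated desc

// For contrast, the lookup kind=leftouter shape discussed in the thread keeps EVERY
// Graph row from the last day and merely appends RiskLevel/RiskDetail where the
// user is risky (empty otherwise). It is cheap to evaluate, but the row count is
// the full Graph volume, so it does not reduce what is returned.
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(1d)
| project TimeGenerated, UserId, RequestMethod, RequestUri, ResponseStatusCode
| lookup kind=leftouter RiskyUsers on $left.UserId == $right.Id
```

The two queries differ only in the combining operator, which makes the effect on returned volume easy to see in a workspace: the inner join returns at most as many rows as there are Graph calls by risky users, while the leftouter lookup returns the same row count as the filtered MicrosoftGraphActivityLogs table on its own. Run them one at a time in the Sentinel Logs blade; they are separated here for side-by-side comparison, not meant to execute as a single statement.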
Community vote distribution
A (35%)
C (25%)
B (20%)
Other