ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam SC-200 All Questions

View all questions & answers for the SC-200 exam
Go to Exam

Exam SC-200 topic 5 question 19 discussion

Actual exam question from Microsoft's SC-200
Question #: 19
Topic #: 5
[All SC-200 Questions]

HOTSPOT
-

You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR.

You have a Microsoft Sentinel workspace.

Microsoft Sentinel connectors are configured as shown in the following table.



You use Microsoft Sentinel to investigate suspicious Microsoft Graph API activity related to Conditional Access policies.

You need to search for the following activities:

• Downloads of the Conditional Access policies by using PowerShell
• Updates to the Conditional Access policies by using the Microsoft Entra admin center

Which tables should you query for each activity? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Show Suggested Answer Hide Answer
Suggested Answer:
by rkrau at Jan. 31, 2025, 2:40 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Krayzr
1 week, 6 days ago
To investigate the specified activities related to Conditional Access policies in Microsoft Sentinel, you should query the following tables: Downloads of the Conditional Access policies by using PowerShell: MicrosoftGraphActivityLogs. PowerShell cmdlets used to manage or download Conditional Access policies often interact with the Microsoft Graph API. The scenario also explicitly mentions investigating "suspicious Microsoft Graph API activity." Updates to the Conditional Access policies by using the Microsoft Entra admin center: AuditLogs. Administrative actions performed through the Microsoft Entra admin center, such as updating Conditional Access policies, are recorded in the Microsoft Entra ID audit logs, which are ingested into the AuditLogs table in Microsoft Sentinel. Therefore, the correct tables to query are: Conditional Access policy downloads: MicrosoftGraphActivityLogs Conditional Access policy updates: AuditLogs
upvoted 1 times
...
OneplusOne
2 weeks ago
Answer correct. First: MicrosoftGraphActivityLogs | where RequestUri contains "/conditionalAccess/policies" Second: Officeactivity is not part of the answer so option one remains
upvoted 1 times
...
rkrau
4 months, 1 week ago
if the download was strictly via PowerShell (without Graph API calls), you would be better off querying SecurityEvent or AuditLogs instead.
upvoted 2 times
Onimole
2 months, 3 weeks ago
answer is correct then?
upvoted 1 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel