ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam SC-200 All Questions

View all questions & answers for the SC-200 exam
Go to Exam

Exam SC-200 topic 7 question 34 discussion

Actual exam question from Microsoft's SC-200
Question #: 34
Topic #: 7
[All SC-200 Questions]

HOTSPOT
-

You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR.

You have an Azure subscription that contains a Log Analytics workspace named Workspace1.

You forward all logs to Workspace1.

You need to identify all the applications and security principals that made requests to modify Microsoft Entra groups during the previous 24 hours.

How should you complete the KQL query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Show Suggested Answer Hide Answer
Suggested Answer:
by Krayzr at June 13, 2025, 9:15 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Krayzr
1 day, 18 hours ago
MicrosoftGraphActivityLogs | GET MicrosoftGraphActivityLogs | where TimeGenerated > ago(1d) | where RequestUri contains '/group' | where RequestMethod != "GET" | summarize UriCount
upvoted 1 times
Krayzr
1 day, 18 hours ago
Log Source: MicrosoftGraphActivityLogs This log source contains detailed information about Microsoft Graph API activity, which includes operations on Microsoft Entra (formerly Azure AD) groups. Request Method Filter: GET Since the goal is to identify modification requests, you want to exclude read-only operations like GET. So the correct filter is:
upvoted 1 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel