Exam MS-101 topic 3 question 35 discussion

Came in exam 27.07.2021

Activities to search for: Show results for all activities Field to filter by: Item I tested on my tenant.

in exam 28/6/2023

in exam 12.2.2023

Has anyone tested it?

Came on exam 30.12.2022

"Show results from all activities" does not exist anymore. ( can someone else verify pls) But if you can use wildcard " * " which pulls all activities, and then you can filter by details or Activity

Show results for all Activities/Item.

still valid, it was in my exam last Feb 5, 2022

Show results for all activities Filter by User 1) Tested and best option a) Show results for all activities b) Filter by Activity i) Activity will show "New-RoleGroup" command, but isn't an option in question ii) User is next helpful, but doesn't state you know the name of the admin(s) iii) Item is a GUID iv) Detail is blank v) IP Address is blacnk

I must be missing something here, why not filter by "user" once the search is made. The user field shows you which user did this lol..

Came in the exam 22 09 2021

Show results for all activities / details

Tested on my lab. You need to "Show results for all activities" because other options does not include the "New-TransportRule" operation. "Item" is empty, "Detail" is empty. "Users" is filled with the user who performed the action, "IP Address" is filled with the public IP of the client who performed the action (with also port 5547). So the right answer for me is "Show results for all activities" and "IP Address", matching these two information give you the user who performed the action.

As per -- https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide -- searching the audit log is a two step process: - first, you can search by activities, date, users and object(file, folder or site) - second, you filter the results - again by date, user, activity, item or detail. The two questions relate to that process: 1. "Show results for all activities" seems the only valid option to me: - Role creation is not logged in "Exchange mailbox activities" or "Site administration activities" - As per @donathon "Role administration activities" only contains add/remove member 2. "Item" seems to be the best option to me: - "User" is what we are looking for, so we cannot filter for that - "IP address" is not available in the dialog (maybe in PowerShell, I don't know - but anyway, we know only the network range, not the exact IP of the administrators machine!) - "Detail" - I have no idea what would be shown here in relation to the question. To summarize - if I get this question in the exam, I will go for "Show results for all activities" and "Item".

what is the correct answers then?

Show results for all activities and IP address. Exchange mailbox activities: Mailbox activities performed by the mailbox owner, a delegated user, or an administrator Site administration activities: Sharepoint activities. Role Role administration activities: Only has add\remove member. Hence the only option is to Show results for all activities. Did a search in SCC: Item: The object that was created or modified as a result of the corresponding activity. For example, the file that was viewed or modified or the user account that was updated. Not all activities have a value in this column. User: The user (or service account) who performed the action that triggered the event. Detail: Additional information about an activity. Again, not all activities have a value. IP address: The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. Conclusion: The only option here is by IP address. Detail is mostly blank. Item only shows what was changed. User is not useful as you don’t know who that user is.