Exam SC-200 topic 8 question 3 discussion

CloudAppEvents doesn't have the FolderPath column, so it's probably DeviceFileEvents: https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicefileevents-table?view=o365-worldwide

users hunting through file-related activities in cloud services should use the CloudAppEvents table instead [Column name: ActivityObjects - List of objects, such as files or folders, that were involved in the recorded activity] https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-cloudappevents-table?view=o365-worldwide

as usual outdated question with outdated answers DeviceFileEvents is the answer

Folderpath column not in cloudappevents. https://techcommunity.microsoft.com/t5/microsoft-365-defender/hunt-across-cloud-app-activities-with-microsoft-365-defender/ba-p/1893857 article published 2020 https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicefileevents-table?view=o365-worldwide article updated 11/2023 so will go with AppFileEvents.

Query is wrong. Neither of the 3 tables listed has the 4 columns required. 4 columns required are FileName, FolderPath, ActionType, AccountDisplayname. Check this for yourself. DeviceProcessEvents comes closest. That has FileName, FolderPath, ActionType and 'acccountname' columns I think there are errors in the given query

DeviceFileEvents & Count

Correct cloudappevents does not have the needed columns.

It's: DeviceFileEvents count() - CloudAppEvents ○ The CloudAppEvents table in the advanced hunting schema contains information about activities in various cloud apps and services covered by Microsoft Defender for Cloud Apps ○ CloudAppEvents does not have FileName and FolderPath - DeviceFileEvents ○ The DeviceFileEvents table in the advanced hunting schema contains information about file creation, modification, and other file system events - DeviceProcessEvents The DeviceProcessEvents table in the advanced hunting schema contains information about process creation and related events.

Answers are correct: CloudAppEvents | where timeStamp > ago(2d) | where ActionType in ("Data Access", "Data Download", "Data Deletion") | summarize activityCount = count() by FolderPath, FileName, ActionType, AccountDisplayName | where activityCount > 5

DeviceFileEvents Timestamp FileName FolderPath Count() https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicefileevents-table?view=o365-worldwide CloudAppEvents does not have FileName and FolderPath

These should be the right query since FolderPath and FileName don't exist in CloudAppEvents. CloudAppEvents | where Timestamp > ago(2d) | summarize activityCount = count() by ObjectName, ActionType, AccountDisplayName | where activityCount > 5

It is correct answer. first answer : CloudAppEvents --> Yes Events involving accounts and objects in Office 365 and other cloud apps and services DeviceFileEvents --> No because it doesn't have involving accounts. File creation, modification, and other file system events From <https://docs.microsoft.com/en-us/learn/modules/query-logs-azure-sentinel/5-understand-microsoft-365-defender-tables> Second answer : count

Nevermind my last comment

So it says 'where timestamp > ago (2d)' and we're looking for events in the last 48h ? Doesn't look right does it? Shouldn't it be 'where timestamp < ago (2d)?

Answer is correct : CloudAppEvents and count "The AppFileEvents table, which contains file activities from these applications, will stop getting populated with new data in early 2021. Activities involving these applications, including file activities, will be recorded in the new CloudAppEvents table."

Cloud app events + Count

In modern environment none of this answers are correct.