Exam SC-200 topic 1 question 7 discussion

EmailAttachmentInfo | where SenderFromAddress =~ "[email protected]" //Get emails with attachments identified by a SHA-256 | where isnotempty(SHA256) | join ( //Check devices for any activity involving the attachments DeviceFileEvents | project FileName, SHA256 ) on SHA256 | project Timestamp, FileName , SHA256, DeviceName, DeviceId, NetworkMessageId, SenderFromAddress, RecipientEmailAddress Already posted here https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide#check-if-files-from-a-known-malicious-sender-are-on-your-devices

The query posted on MS docs doesnt actually work (I have tested in a live tenant) - it needs to be amended to match the below before it returns results (note the requirement to add DeviceName, and DeviceId fields to the first project statement). EmailAttachmentInfo | where SenderFromAddress =~ "[email protected]" | where isnotempty(SHA256) | join ( DeviceFileEvents | project FileName, SHA256, DeviceName, DeviceId ) on SHA256 | project Timestamp, FileName , SHA256, DeviceName, DeviceId, NetworkMessageId, SenderFromAddress, RecipientEmailAddress But if you choose the following from the answers presented in the question you will get the results you need to answer the question: EmailAttachmentInfo | where SenderFromAddress =~ "[email protected]" | where isnotempty(SHA256) | join ( DeviceFileEvents | extend FileName, SHA256 ) on SHA256 | project Timestamp, FileName, SHA256, DeviceName, DeviceId, NetworkMessageId, SenderFromAddress, RecipientEmailAddress ie Choose, Join, Extend, Project from the drop downs This has also been tested on live tenants and returns the correct result.

Join , project, project

The EmailAttachmentInfo table is selected, which contains information about email attachments. The where clause filters the attachments to only include those that were sent from the address "[email protected]" and have a non-empty SHA256 hash value. This effectively filters the results to only include attachments from the specified sender and that have a known hash value. The join operator combines the results of the previous step with the results of a second query that selects the DeviceFileEvent table and projects the FileName and SHA256 fields. This effectively creates a join between the two tables based on the SHA256 field, linking the attachments with file events on devices. The project operator selects the desired fields from the joined results and includes them in the final output.

EmailAttachmentInfo | where SenderFromAddress =~ "[email protected]" //Get emails with attachments identified by a SHA-256 | where isnotempty(SHA256) | join ( //Check devices for any activity involving the attachments DeviceFileEvents | project FileName, SHA256, DeviceName, DeviceId ) on SHA256 | project Timestamp, FileName , SHA256, DeviceName, DeviceId, NetworkMessageId, SenderFromAddress, RecipientEmailAddress

Check file from a known malicious sender EmailAttachmentInfo | where SenderFromAddress =~ "[email protected]" //Get emails with attachments identified by a SHA-256 | where isnotempty(SHA256) | join ( //Check devices for any activity involving the attachments DeviceFileEvents | project FileName, SHA256, DeviceName, DeviceId ) on SHA256 | project Timestamp, FileName , SHA256, DeviceName, DeviceId, NetworkMessageId, SenderFromAddress, RecipientEmailAddress - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide#check-if-files-from-a-known-malicious-sender-are-on-your-devices

You have to use join, EXTEND, project. If you use join, project, project you get the following error 'project' operator: Failed to resolve scalar expression named 'DeviceName'

given answer is correct as you can project anything and it doesn't matter if the question doesn't have device name and device id in it as compared to Microsoft docs. The answer should still remain the same as Join, Project, Project

When clearly read this KQL hunting query.. First you get EmailAttachmentInfo based on some filters and then add second column by using Join operator (check this syntax and you will see it is clearly "Join") the other 2 is Project. You return selected entities of event table log to merge all in a table (output). I will chose Join, Project Project for my exam if I see this question in exam :)

Join, Extend, Project.

The answer provided is correct. It is also mentioned here https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide#check-if-files-from-a-known-malicious-sender-are-on-your-devices

join-extend-project —> for the answer presented for Exam Topics) or join-project-project —> if the answer were “join ( DeviceFileEvents | project FileName, SHA256, DeviceName, DeviceId ) on SHA256” —> including “DeviceName” and “DeviceId”

join extend project

Join, Project, Project

Join, Extend, Project.

Correct Answer is 100% Join/Project/Project. This does not give error at all. Why would we use extend here? Extend is for creating calculated columns and there is no requirement for this. See https://www.examtopics.com/discussions/microsoft/view/60115-exam-sc-200-topic-1-question-17-discussion/ EmailAttachmentInfo | where isnotempty (SHA256) | join (DeviceFileEvents | project FileName, SHA256) on SHA256 | project Timestamp, NetworkMessageId, etc, etc

The correct answer is join/extend/project This case is little different from the case given in the link below https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide#check-if-files-from-a-known-malicious-sender-are-on-your-devices In this case inside join there is no DeviceName and DeviceID(in this queue), to join the column of this table we have to extend it. I tested this in live environment with join, project, project, it gives an error. Join, extend, project just says no results found and if I change the sender email address I'm getting results.