
Exam SC-200 topic 1 question 17 discussion

Actual exam question from Microsoft's SC-200
Question #: 17
Topic #: 1

HOTSPOT -
You have a Microsoft 365 E5 subscription that uses Microsoft Defender and an Azure subscription that uses Azure Sentinel.
You need to identify all the devices that contain files in emails sent by a known malicious email sender. The query will be based on the match of the SHA256 hash.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide

Comments

HSBNZ
Highly Voted 3 years, 10 months ago
Correct answer as per the link:
EmailAttachmentInfo
| where SenderFromAddress =~ "[email protected]"
//Get emails with attachments identified by a SHA-256
| where isnotempty(SHA256)
| join (
//Check devices for any activity involving the attachments
DeviceFileEvents
| project FileName, SHA256, DeviceName, DeviceId
) on SHA256
| project Timestamp, FileName, SHA256, DeviceName, DeviceId, NetworkMessageId, SenderFromAddress, RecipientEmailAddress
upvoted 40 times
Metasploit
2 years, 8 months ago
https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide#check-if-files-from-a-known-malicious-sender-are-on-your-devices
upvoted 5 times
Ramye
1 year, 3 months ago
When I run the query given above by copy/paste in Microsoft Defender Advanced Hunting, it gives the below error:
Semantic error
Error message
'project' operator: Failed to resolve table or column expression named 'DeviceFileEvents'
How to resolve
Fix semantic errors in your query
Note: not too savvy on the query builder yet but learning. How do I fix this semantic error? Thx
upvoted 1 times
Apocalypse03
Highly Voted 2 years, 6 months ago
Answer is correct. Here is a brief explanation of how this query works:
The where clause filters the EmailAttachmentInfo table to only include attachments sent by the specified sender and that have a non-empty SHA256 hash value. This effectively filters the results to only include attachments from the specified sender and that have a known hash value.
The join operator combines the results of the previous step with the results of a second query that selects the DeviceFileEvents table and projects the FileName, SHA256, DeviceName, and DeviceId fields. This effectively creates a join between the two tables based on the SHA256 field, linking the attachments with file events on devices.
The project operator selects the desired fields from the joined results and includes them in the final output.
This query will work in both Microsoft Defender and Azure Sentinel, as it is a valid advanced hunting query in both platforms.
upvoted 35 times
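To make the operator-by-operator explanation above concrete, here is an added Python model of the same hunting logic (example code written for this page, not Microsoft's query engine or anything from the thread). The two tables are constructed in-memory stand-ins for EmailAttachmentInfo and DeviceFileEvents, and the sender address, hashes, device names and message ids are made-up values. The model reproduces the parts of the KQL that matter for the result: the case-insensitive =~ sender match, the isnotempty(SHA256) filter, the default join kind (innerunique, which keeps only the first left-hand row per SHA256), and the final projection.

```python
"""Plain-Python model of the EmailAttachmentInfo -> DeviceFileEvents hunting join.

Added example: the rows below are constructed sample data, not real telemetry.
"""

# Constructed rows standing in for EmailAttachmentInfo (only the columns the query uses).
EMAIL_ATTACHMENT_INFO = [
    {"Timestamp": "2024-01-10T08:00:00Z", "NetworkMessageId": "msg-001",
     "SenderFromAddress": "Attacker@Example.test", "RecipientEmailAddress": "alice@contoso.test",
     "FileName": "invoice.pdf.exe", "SHA256": "a" * 64},
    {"Timestamp": "2024-01-10T08:05:00Z", "NetworkMessageId": "msg-002",
     "SenderFromAddress": "attacker@example.test", "RecipientEmailAddress": "bob@contoso.test",
     "FileName": "report.docx", "SHA256": ""},            # no hash recorded: isnotempty() drops it
    {"Timestamp": "2024-01-10T09:00:00Z", "NetworkMessageId": "msg-003",
     "SenderFromAddress": "partner@example.test", "RecipientEmailAddress": "alice@contoso.test",
     "FileName": "notes.txt", "SHA256": "b" * 64},        # different sender: where clause drops it
    {"Timestamp": "2024-01-10T09:30:00Z", "NetworkMessageId": "msg-004",
     "SenderFromAddress": "attacker@example.test", "RecipientEmailAddress": "carol@contoso.test",
     "FileName": "invoice.pdf.exe", "SHA256": "a" * 64},  # same hash again: innerunique keeps only the first
]

# Constructed rows standing in for DeviceFileEvents.
DEVICE_FILE_EVENTS = [
    {"FileName": "invoice.pdf.exe", "SHA256": "a" * 64, "DeviceName": "ws-alice", "DeviceId": "dev-1"},
    {"FileName": "invoice(1).pdf.exe", "SHA256": "a" * 64, "DeviceName": "ws-bob", "DeviceId": "dev-2"},
    {"FileName": "notes.txt", "SHA256": "b" * 64, "DeviceName": "ws-alice", "DeviceId": "dev-1"},
    {"FileName": "setup.exe", "SHA256": "c" * 64, "DeviceName": "ws-carol", "DeviceId": "dev-3"},
]

# Columns named in the query's final project operator.
PROJECTED = ("Timestamp", "FileName", "SHA256", "DeviceName", "DeviceId",
             "NetworkMessageId", "SenderFromAddress", "RecipientEmailAddress")


def hunt_files_from_sender(email_rows, device_rows, sender):
    """Return the projected rows the KQL query would produce for `sender`.

    Operator by operator:
      where SenderFromAddress =~ sender  -> case-insensitive string comparison
      where isnotempty(SHA256)           -> rows with no hash cannot be matched, drop them
      join (...) on SHA256               -> default kind innerunique: first left row per
                                            distinct SHA256, matched against every right row
      project ...                        -> keep only the listed columns; FileName comes from
                                            the left (email) side, as in KQL where the
                                            right-hand duplicate would be renamed FileName1
    """
    wanted = sender.lower()
    # Index device events by hash so the match is a single pass over each table.
    by_hash = {}
    for ev in device_rows:
        if ev["SHA256"]:
            by_hash.setdefault(ev["SHA256"], []).append(ev)

    seen_hashes = set()
    results = []
    for att in email_rows:
        if att["SenderFromAddress"].lower() != wanted:
            continue
        if not att["SHA256"]:
            continue
        if att["SHA256"] in seen_hashes:   # innerunique: later left rows with the same key are ignored
            continue
        seen_hashes.add(att["SHA256"])
        for ev in by_hash.get(att["SHA256"], []):
            merged = dict(att)
            merged["DeviceName"] = ev["DeviceName"]
            merged["DeviceId"] = ev["DeviceId"]
            results.append({k: merged[k] for k in PROJECTED})
    return results


def affected_devices(rows):
    """The question asks for the devices, so collapse the hit rows to distinct device names."""
    return sorted({r["DeviceName"] for r in rows})


if __name__ == "__main__":
    hits = hunt_files_from_sender(EMAIL_ATTACHMENT_INFO, DEVICE_FILE_EVENTS, "attacker@example.test")
    for row in hits:
        print(row)
    print("devices holding the attachment:", affected_devices(hits))
```

Running it with the constructed data yields two rows, both from msg-001 (the hash on ws-alice and ws-bob); msg-004 carries the same hash but is dropped by the innerunique join, so its recipient never appears in the output. That is worth knowing when hunting: if you need every email that delivered the file rather than just the devices, add kind=inner to the join.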
Nikki0222
Most Recent 8 months ago
Correct
upvoted 3 times
chepeerick
1 year, 8 months ago
Correct
upvoted 2 times
trashbox
1 year, 9 months ago
The answer is correct. SHA256 and SHA256. Check if files from a known malicious sender are on your devices https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide#check-if-files-from-a-known-malicious-sender-are-on-your-devices
upvoted 2 times