
Exam SC-200 topic 1 question 28 discussion

Actual exam question from Microsoft's SC-200
Question #: 28
Topic #: 1

HOTSPOT
You have a Microsoft 365 subscription that uses Microsoft 365 Defender and contains a user named User1.
You are notified that the account of User1 is compromised.
You need to review the alerts triggered on the devices to which User1 signed in.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: join
An inner join.
The query uses kind=inner to specify an inner join, which prevents deduplication of left-side values for DeviceId.
The query uses the DeviceInfo table to check whether a potentially compromised user (<account-name>) has logged on to any devices, and then lists the alerts that have been triggered on those devices.

DeviceInfo
//Query for devices that the potentially compromised account has logged onto
| where LoggedOnUsers contains '<account-name>'
| distinct DeviceId
//Crosscheck devices against alert records in AlertEvidence and AlertInfo tables
| join kind=inner AlertEvidence on DeviceId
| project AlertId
//List all alerts on devices that user has logged on to
| join AlertInfo on AlertId
| project AlertId, Timestamp, Title, Severity, Category

Box 2: project
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
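A small Python model of the query above, added here as an example and not part of this page or of Microsoft's documentation; the sample tables, row values and the kql_join/project helpers are constructed for illustration. It runs the same pipeline over the sample rows and shows what the default join kind (innerunique) does at the AlertInfo step compared with kind=inner, which matters because AlertEvidence can hold several rows for one alert.

```python
# Added example, not from the page or from Microsoft: a Python model of the
# suggested-answer KQL pipeline over constructed rows, showing how the two join
# kinds (kind=inner vs the default innerunique) treat duplicate keys.
from typing import Dict, List

Row = Dict[str, str]

# Constructed sample tables (shapes mimic DeviceInfo, AlertEvidence, AlertInfo).
DEVICE_INFO: List[Row] = [
    {"DeviceId": "dev-a", "LoggedOnUsers": '[{"UserName":"user1"}]'},
    {"DeviceId": "dev-a", "LoggedOnUsers": '[{"UserName":"user1"}]'},  # later snapshot
    {"DeviceId": "dev-b", "LoggedOnUsers": '[{"UserName":"admin"}]'},
    {"DeviceId": "dev-c", "LoggedOnUsers": '[{"UserName":"User1"},{"UserName":"admin"}]'},
]
ALERT_EVIDENCE: List[Row] = [  # one row per evidence entity, so an alert can repeat
    {"AlertId": "al-1", "DeviceId": "dev-a", "EntityType": "Process"},
    {"AlertId": "al-1", "DeviceId": "dev-a", "EntityType": "File"},
    {"AlertId": "al-2", "DeviceId": "dev-a", "EntityType": "Process"},
    {"AlertId": "al-3", "DeviceId": "dev-b", "EntityType": "Process"},
    {"AlertId": "al-4", "DeviceId": "dev-c", "EntityType": "User"},
]
ALERT_INFO: List[Row] = [
    {"AlertId": a, "Timestamp": t, "Title": ti, "Severity": s, "Category": c}
    for a, t, ti, s, c in [
        ("al-1", "2024-05-01T08:00Z", "Suspicious PowerShell", "High", "Execution"),
        ("al-2", "2024-05-01T09:30Z", "Credential dumping", "High", "CredentialAccess"),
        ("al-3", "2024-05-02T11:00Z", "Port scan", "Medium", "Discovery"),
        ("al-4", "2024-05-03T07:15Z", "Anomalous sign-in", "Low", "InitialAccess"),
    ]
]

def kql_join(left: List[Row], right: List[Row], key: str, kind: str = "innerunique") -> List[Row]:
    """Model of KQL join: innerunique (the default) keeps one left row per key value
    before matching; inner keeps every left row. The right side is never deduplicated."""
    if kind == "innerunique":
        first: Dict[str, Row] = {}
        for r in left:
            first.setdefault(r[key], r)
        left = list(first.values())
    by_key: Dict[str, List[Row]] = {}
    for r in right:
        by_key.setdefault(r[key], []).append(r)
    return [{**l, **r} for l in left for r in by_key.get(l[key], [])]

def project(rows: List[Row], *cols: str) -> List[Row]:
    return [{c: r[c] for c in cols} for r in rows]

def alerts_for_user(account: str, alert_join_kind: str = "innerunique") -> List[Row]:
    """The page's query; KQL `contains` is case-insensitive, hence lower()."""
    devices = [r for r in DEVICE_INFO if account.lower() in r["LoggedOnUsers"].lower()]
    devices = list({r["DeviceId"]: {"DeviceId": r["DeviceId"]} for r in devices}.values())
    evidence = project(kql_join(devices, ALERT_EVIDENCE, "DeviceId", "inner"), "AlertId")
    alerts = kql_join(evidence, ALERT_INFO, "AlertId", alert_join_kind)  # page: default kind
    return project(alerts, "AlertId", "Timestamp", "Title", "Severity", "Category")
```

With the default kind, alert al-1 is listed once even though it has two evidence rows on dev-a; passing "inner" for the AlertInfo join lists it twice.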

Comments

Apocalypse03
Highly Voted 2 years, 6 months ago
Correct: join & project.
Filtering the DeviceInfo table to only include rows where the LoggedOnUsers field contains the string "user1".
Removing duplicates based on the DeviceId field.
Joining the resulting set of devices with the AlertEvidence table based on the DeviceId field.
Projecting the AlertId field from the resulting set.
Joining the resulting set of alerts with the AlertInfo table based on the AlertId field.
Projecting the AlertId, Timestamp, Title, Severity, and Category fields from the resulting set of alerts.
This query retrieves a list of alerts that are related to devices where the user "user1" is logged on, and it includes the alert ID, timestamp, title, severity, and category for each alert. The "join" and "project" operations in the query are used to combine and filter the data from the various tables in the ATP data model.
upvoted 17 times
Nikki0222
8 months ago
Correct
upvoted 2 times
smanzana
1 year, 4 months ago
Join Project
upvoted 1 times
ACSC
Highly Voted 2 years, 7 months ago
Correct, join & project https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide#get-device-information
upvoted 5 times
HAjouz
Most Recent 2 months, 3 weeks ago
Join project
upvoted 2 times
chepeerick
1 year, 8 months ago
correct
upvoted 4 times
trashbox
1 year, 9 months ago
"join" and "project" are correct. https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide#get-device-information
upvoted 2 times
RobertDuval
2 years, 2 months ago
In Exam today (21 April 2023)
upvoted 3 times
Lone__Wolf
2 years, 4 months ago
Correct!
upvoted 2 times
User_Mowgli
2 years, 8 months ago
Correct. Join and project respectively.
upvoted 3 times