Exam SC-200 topic 3 question 53 discussion

NNY Actions of User1 is project-away will be excluded from results. Only actions of user2 will be shown. https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/projectawayoperator

Answer is correct.

NYY project-away user1 removes the duplicate column named "user" that was added via the join. It does not discard all user1 activity. Run this through ChatGPT: AuditLogs | where TimeGenerated > ago(7d) | where OperationName == "Add user" | project AddedTime = TimeGenerated, user = tostring(TargetResources[0].userPrincipalName) | join (AzureActivity | where OperationName == "Create role assignment" | project OperationName, RoleAssignmentTime = TimeGenerated, user = Caller ) on user | project-away user1

nyy AddedTime user OperationName RoleAssignmentTime [Time User3 added] User3 (no role assignment) (no assignment) [Time User4 added] User4 Security reader role [Assignment time] [Time User5 added] User5 Security operator role [Assignment time]

As explained in previous comments, the query detects the creation of a user, which should then create a role assignment. The first part considers "user=target" (who receives the task) and the second part considers "user=caller" (who performs the task), and the "join" operator matches the "user" field. In addition, the "project-away" operator removes the column with the duplicate and automatically created "user1" field after the join (automatic behavior of KQL queries when there is a join of "custom" fields). Given the above considerations, no condition is checked when the order of events is: Creating a new user --> Assigning a role to the new user, by the first user The only valid condition is Creating a new user --> the new user proceeds with the assignment of the role Thus, the correct answer is NNN

The answer should be N,N,N from my point. In line no. 4 the user is the target resource, which means the user on which the operation is performed. In line no. 7, the user is the caller (who performed the operation/action) In line 7, we are using the "user" for the join operator. Now, if I check the KQL and evaluate the actions provided in the question, the following users would show up in the tables: Table1: user3, user4, user5 Table2: user1, user1, user2, user2 As there is not matching user in both tables, hence no output should be produced. Hopefully these type of questions do not show up, they are time consuming :D

No No Yes

The query will identify the role assignment of User2: No The query will identify the creation of User3: Yes The query will identify the creation of User5: Yes

First part of the query looks for Add user events in Auditlogs, second part of the query looks for "Create role assignment' events in Azureactivity and third part joins both searches so both parts need to match for the final search result. No - The query is intended to search for user creation events with role assignment, this does not match that. No - Matches first part of the query but not the second. User is assigned a Microsoft Teams license which is not a role. Yes - A new user is created and assigned the Security Operator role which matches both parts of the query.

N/N/Y for me, theres project-away at the end so the first 2 are actioned by user 1 so not visible, and the last one is actioned by user 2 so therefore visible.

Correct

No, No, Yes

In order for this to produce results then a user would have to appear in both tables as we are using innerunique(default join kind) Since the 1st part of the query is looking for target resource (the user that was created) and the 2nd part of the query is looking for caller (the user that did the action) Then the only time we would get a hit is if a user that had just been created then performed the add operation. Is this not what this query is looking for? To see if a new user account starts messing with roles/group membership? In this given example none of the newly created users then does and messes with group/roles so no hits here and I double down on N/N/N

Roles assignments are not registered in the Azureactivity table but in the auditing table. Therefore 3 times no!!!

NNY for me

Teouba is correct. I just recreated this scenario in a lab. This question is to test your knowledge of Join kinds imo. If you run this command with innerunique which is the default if no join kind is chosen then we do not get any results as different users are returned for each table. Innerunique will show us only results if we have duplicate rows from the left and the right table. In this case we don't. If we chose another Join kind then results will show. If the screenshot is correct then we assume its using innerunique and in that case the answer would be N N N

join kind is not defined so its a default one - innerunique (All deduplicated rows from the left table that match rows from the right table) https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/joinoperator?pivots=azuredataexplorer N - no match in the first table AuditLogs N - Adding license is not a Role assignment, no match in the second table - AzureActivity Y - present in both tables, query returns result