Exam SC-200 topic 3 question 57 discussion

Actual exam question from Microsoft's SC-200
Question #: 57
Topic #: 3

HOTSPOT

You have a Microsoft Sentinel workspace.

You need to create a KQL query that will identify successful sign-ins from multiple countries during the last three hours.

How should you complete the query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

ACSC
Highly Voted 2 years, 3 months ago
Correct. https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimAuthentication/imAuthSigninsMultipleCountries.yaml
upvoted 19 times
...
smanzana
Most Recent 9 months, 1 week ago
Correct
upvoted 1 times
...
Murtuza
1 year, 4 months ago
The key word in the question, "sign in", implies authentication, so it's a given there
upvoted 1 times
...
chepeerick
1 year, 6 months ago
Correct Option
upvoted 1 times
...
donathon
1 year, 8 months ago
query: |
  let timeframe = ago(3h);
  let threshold = 2;
  imAuthentication
  | where TimeGenerated > timeframe
  | where EventType == 'Logon' and EventResult == 'Success'
  | where isnotempty(SrcGeoCountry)
  | summarize
upvoted 1 times
danb67
1 year, 6 months ago
Agreed, answer is correct
upvoted 1 times
...
...
JoeP1
1 year, 9 months ago
The SrcGeoCountry is obvious from the isnotempty() 2 lines above, but imAuthentication requires ASIM knowledge.
upvoted 3 times
...
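An added example, not part of the thread or of the linked Azure-Sentinel rule: the filter stages quoted in the comments, run against constructed sample rows so the query works in any Log Analytics query window. The `SampleAuth` table, its users, and the aggregation written after `summarize` are assumptions for illustration; in a workspace with the ASIM parsers deployed, `imAuthentication` takes the place of `SampleAuth`.

```kql
// Constructed sample rows using ASIM Authentication field names (not real data).
// Age is how long ago the sign-in happened; it is converted to TimeGenerated below.
let SampleAuth = datatable(Age:timespan, EventType:string, EventResult:string,
                           TargetUsername:string, SrcGeoCountry:string)
[
    10m, "Logon", "Success", "alice@contoso.example", "United States",
    50m, "Logon", "Success", "alice@contoso.example", "Germany",        // second country inside the window
    70m, "Logon", "Failure", "bob@contoso.example",   "Brazil",         // failed sign-in: filtered out
    90m, "Logon", "Success", "bob@contoso.example",   "Canada",
    2h,  "Logon", "Success", "carol@contoso.example", "",               // no geo enrichment: filtered out
    5h,  "Logon", "Success", "bob@contoso.example",   "Japan"           // older than three hours: filtered out
]
| extend TimeGenerated = now() - Age
| project-away Age;
let timeframe = ago(3h);   // look-back window from the question
let threshold = 2;         // "multiple countries" means at least two distinct values
SampleAuth                 // replace with imAuthentication in a real workspace
| where TimeGenerated > timeframe
| where EventType == 'Logon' and EventResult == 'Success'
| where isnotempty(SrcGeoCountry)
// Assumed aggregation: count distinct source countries per target user.
| summarize StartTime = min(TimeGenerated),
            EndTime = max(TimeGenerated),
            Countries = make_set(SrcGeoCountry),
            NumOfCountries = dcount(SrcGeoCountry)
    by TargetUsername
| where NumOfCountries >= threshold
```

The `isnotempty(SrcGeoCountry)` filter matters for the count: without it, records lacking geolocation would contribute an empty string as one more "country" and could push a single-country user over the threshold.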