ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam SC-200 All Questions

View all questions & answers for the SC-200 exam
Go to Exam

Exam SC-200 topic 3 question 56 discussion

Actual exam question from Microsoft's SC-200
Question #: 56
Topic #: 3
[All SC-200 Questions]

HOTSPOT
-

You have a Microsoft Sentinel workspace that has User and Entity Behavior Analytics (UEBA) enabled.

You need to identify all the log entries that relate to security-sensitive user actions performed on a server named Server1. The solution must meet the following requirements:

• Only include security-sensitive actions by users that are NOT members of the IT department.
• Minimize the number of false positives.

How should you complete the query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Show Suggested Answer Hide Answer
Suggested Answer:
by ACSC at Jan. 28, 2023, 7:53 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
ACSC
Highly Voted 2 years, 4 months ago
Answer is: Join kind = inner, IdentityInfo https://learn.microsoft.com/en-us/azure/sentinel/investigate-with-ueba#embed-identityinfo-data-in-your-analytics-rules-public-preview
upvoted 51 times
tirajvid
1 year, 11 months ago
Thanks. Correct answer
upvoted 3 times
...
...
DaraVasu
Highly Voted 2 years, 4 months ago
Answer is Join Kind = inner, Identityinfo Found this in Microsoft documentation
upvoted 7 times
...
smanzana
Most Recent 10 months, 4 weeks ago
Join kind = inner IdentityInfo
upvoted 2 times
...
7d801bf
11 months, 3 weeks ago
Answer is join kind = inner and indetifyinfo
upvoted 1 times
...
DChilds
1 year, 2 months ago
Correct on the table to be queried because IdentityInfo table only gives us information about the accounts and not UEBA events however to match the two tables (users not in IT group table with the defined security-sensitive actions defined in UEBA) join kind = inner is the join type to use. join kind = inner BehaviourAnalytics
upvoted 1 times
...
Kurdd
1 year, 7 months ago
To correlate Microsoft Entra sign-in logs with the IdentityInfo table in an alert that's triggered if an application is accessed by someone who isn't a member of a specific security group: SigninLogs | where AppDisplayName == "GithHub.Com" | join kind=inner ( IdentityInfo | summarize arg_max(TimeGenerated, *) by AccountObjectId) on $left.UserId == $right.AccountObjectId | where GroupMembership !contains "Developers" https://learn.microsoft.com/en-us/azure/sentinel/investigate-with-ueba#embed-identityinfo-data-in-your-analytics-rules-public-preview
upvoted 2 times
...
chepeerick
1 year, 7 months ago
Correct Option
upvoted 1 times
...
donathon
1 year, 10 months ago
SecurityEvent | where EventID in ("4624","4672") | where Computer == "My.High.Value.Asset" | join kind=inner ( IdentityInfo | summarize arg_max(TimeGenerated, *) by AccountObjectId) on $left.SubjectUserSid == $right.AccountSID | where Department != "IT"
upvoted 4 times
...
devop23
1 year, 11 months ago
BehaviorAnalytics doesnt have department field so id have to say the answer is wrong
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel