Question 137 - SC-200 discussion


HOTSPOT

You have a Microsoft 365 subscription that uses Microsoft 365 Defender and contains a user named User1.

You are notified that the account of User1 is compromised.

You need to review the alerts triggered on the devices to which User1 signed in.

How should you complete the query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Correct answer: (answer-area image not captured; the selected options are given in the explanation below)

Explanation:

Box 1: join

An inner join.

This query uses kind=inner to specify an inner-join, which prevents deduplication of left side values for DeviceId.

This query uses the DeviceInfo table to check if a potentially compromised user (<account-name>) has logged on to any devices and then lists the alerts that have been triggered on those devices.

DeviceInfo
// Query for devices that the potentially compromised account has logged onto
| where LoggedOnUsers contains '<account-name>'
| distinct DeviceId
// Crosscheck devices against alert records in the AlertEvidence and AlertInfo tables
| join kind=inner AlertEvidence on DeviceId
| project AlertId
// List all alerts on devices that the user has logged on to
| join AlertInfo on AlertId
| project AlertId, Timestamp, Title, Severity, Category
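As an added illustration (not part of the original question or of the Microsoft documentation it cites), the following KQL uses constructed datatable rows standing in for DeviceInfo and AlertEvidence to show what the explanation's point about kind=inner means: the default join kind (innerunique) deduplicates the left side on DeviceId before matching, while kind=inner keeps every left row. The device and alert IDs are made up; the query runs as-is in Azure Data Explorer and in any Kusto environment that supports datatable.

```kql
// Constructed sample rows: one device appears twice, as DeviceInfo snapshots often do.
let Devices = datatable(DeviceId:string, LoggedOnUsers:string) [
    "dev-1", "User1",
    "dev-1", "User1",
    "dev-2", "User1"
];
// Constructed alert evidence: two alerts on dev-1, one on dev-2.
let Alerts = datatable(DeviceId:string, AlertId:string) [
    "dev-1", "alert-A",
    "dev-1", "alert-B",
    "dev-2", "alert-C"
];
// Default join = innerunique: left side deduplicated on DeviceId first -> 3 rows.
let DefaultJoin = Devices
    | join Alerts on DeviceId
    | summarize Rows = count()
    | extend Join = "default (innerunique)";
// kind=inner: every left row matched -> dev-1 twice x 2 alerts + dev-2 x 1 = 5 rows.
let InnerJoin = Devices
    | join kind=inner Alerts on DeviceId
    | summarize Rows = count()
    | extend Join = "kind=inner";
// With distinct DeviceId first (as in the exam query) the left side is already unique,
// so both join kinds return the same 3 rows; kind=inner simply states the intent.
let DistinctThenInner = Devices
    | distinct DeviceId
    | join kind=inner Alerts on DeviceId
    | summarize Rows = count()
    | extend Join = "distinct DeviceId, then kind=inner";
union DefaultJoin, InnerJoin, DistinctThenInner
| project Join, Rows
```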


Box 2: project

Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide

asked 05/10/2024
Asif Ibrahim