Exam SC-200
Question 173

HOTSPOT

You have a Microsoft 365 E5 subscription that contains two users named User1 and User2.

You have the hunting query shown in the following exhibit.

The users perform the following actions:

• User1 assigns User2 the Global administrator role.

• User1 creates a new user named User3 and assigns the user a Microsoft Teams license.

• User2 creates a new user named User4 and assigns the user the Security reader role.

• User2 creates a new user named User5 and assigns the user the Security operator role.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

    Correct Answer:

Discussion
estyj

NNY. Actions of User1 are removed by project-away and will be excluded from results. Only actions of User2 will be shown. https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/projectawayoperator

ACSC

Answer is correct.

danb67

It really isn't

pupugaga

N/N/Y for me. There's project-away at the end, so the first 2 are actioned by User1 and so not visible, and the last one is actioned by User2 and therefore visible.

teouba

This query doesn't make any sense at all. In our example, the first part of the query checks for the "Add User" operation and returns a table with a "User" column where the values will be User3, User4 and User5, since it looks for "TargetResources". The second part of the query checks for the "Role Assignment" operation and returns a table with a "User" column where the values will be User1, User1, User2, User2, since it looks for "Caller" (meaning the user who performed the role assignment). So the values of the "User" column are totally different for these 2 tables, so JOIN should not return any result. This query is wrong.

dalancoburn

I agree. However I don't agree that the query is wrong, I just think the answer should be NNN

Frankie21

I totally agree! Besides that, the azureactivity table is not registering role assignments. That is done in the auditing table!

danlo

AzureActivity shows role assignment here: https://learn.microsoft.com/en-us/azure/role-based-access-control/change-history-report

DChilds

The first part of the query looks for "Add user" events in AuditLogs, the second part of the query looks for "Create role assignment" events in AzureActivity, and the third part joins both searches, so both parts need to match for the final search result.

No - The query is intended to search for user creation events with role assignment; this does not match that.

No - Matches the first part of the query but not the second. The user is assigned a Microsoft Teams license, which is not a role.

Yes - A new user is created and assigned the Security Operator role, which matches both parts of the query.

chepeerick

No, No, Yes

donathon

NNY for me

donathon

Project-Away: Select what columns from the input table to exclude from the output table. > This would mean User1's actions would not be shown.

Bjing

Project-away will remove the column named user1, it will not remove the record done by user1

7c0a

Join kind is not defined, so it's the default one - innerunique (All deduplicated rows from the left table that match rows from the right table). https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/joinoperator?pivots=azuredataexplorer

N - no match in the first table, AuditLogs

N - Adding a license is not a role assignment, no match in the second table, AzureActivity

Y - present in both tables, query returns result

danb67

It's N/N/N. Why would user two be present in both tables? The 1st part of the query is looking for the target resource. Therefore User5 would exist in the 1st table. The 2nd part of the query is looking for the caller (the person that did the assignment), and that would be User2. So neither User2 nor User5 exists in both tables. Therefore using innerunique would not produce a result, as there needs to be a match in both tables. Tested in a lab also.

davidli

danb67's explanation is clear and promising. I agree with you.

herta

Answer is correct. AuditLogs | where OperationName == "Add user" // show all newly created users. This part will identify the creation of user 3 and user 5. The assignment of user 2 by user 1 won't be displayed because of "project-away user1".

wsrudmen

project-away is only for column name

jacobtriestech

The query will identify the role assignment of User2: No

The query will identify the creation of User3: Yes

The query will identify the creation of User5: Yes

chepeerick

Correct

danb67

In order for this to produce results, a user would have to appear in both tables, as we are using innerunique (the default join kind). Since the 1st part of the query is looking for the target resource (the user that was created) and the 2nd part of the query is looking for the caller (the user that did the action), the only time we would get a hit is if a user that had just been created then performed the add operation. Is this not what this query is looking for? To see if a new user account starts messing with roles/group membership? In this given example none of the newly created users then goes and messes with group/roles, so no hits here, and I double down on N/N/N.

danlo

Correct, the query is looking for a new user creation event and then whether the same user did a role assignment. It's a very niche query; the answer should be N/N/N.

Frankie21

Role assignments are not registered in the AzureActivity table but in the auditing table. Therefore 3 times no!!!

danb67

Teouba is correct. I just recreated this scenario in a lab. This question is to test your knowledge of join kinds, imo. If you run this command with innerunique, which is the default if no join kind is chosen, then we do not get any results, as different users are returned for each table. Innerunique will show us results only if we have duplicate rows from the left and the right table. In this case we don't. If we chose another join kind then results would show. If the screenshot is correct then we assume it's using innerunique, and in that case the answer would be N N N.

botesjuan

Is the MS Teams license assignment to User3 going to be detected by this part of the query? | where OperationName == "Create role assignment"

wsrudmen

Explanation of the request with this link https://learn.microsoft.com/fr-fr/azure/sentinel/get-visibility

Fcnet

Not sure about the impact of the project-away operator, whether it only affects the view or impacts the result. https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/projectawayoperator

Fcnet

With the project-away operator the query result won't show anything for User1, so the answer should be N,N,Y.

bryangacusana21

I agree with this.

ACSC

I don't think so. In the second statement, the TargetResources.UserPrincipalName is user3, not user1. https://learn.microsoft.com/en-us/azure/sentinel/get-visibility#new-workbook-examples "You might want to create a query that incorporates data from multiple sources. You can create a query that looks at Azure Active Directory audit logs for new users that were just created, and then checks your Azure logs to see if the user started making role assignment changes within 24 hours of creation."
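The two points argued in this thread (what a join without a `kind` matches on, and what `project-away user1` removes) can be checked in any Log Analytics or Azure Data Explorer query window with the following added example, which is not part of the original page and is not the exhibit. It assumes the query shape the commenters describe (created user's UPN on the left, `Caller` on the right, joined on `user`); the table contents, the `contoso.com` addresses and the extra `user6` row are constructed.

```kusto
// Constructed stand-in for: AuditLogs | where OperationName == "Add user"
// 'user' is the account that was CREATED (TargetResources), per the discussion.
let AddedUsers = datatable(AddedTime: datetime, user: string) [
    datetime(2024-01-01 09:00:00), "user3@contoso.com",
    datetime(2024-01-01 10:00:00), "user4@contoso.com",
    datetime(2024-01-01 11:00:00), "user5@contoso.com",
    // Not in the exam scenario: added so one row matches on both sides.
    datetime(2024-01-01 12:00:00), "user6@contoso.com"
];
// Constructed stand-in for: AzureActivity | where OperationName == "Create role assignment"
// 'user' is the CALLER, i.e. the account that performed the assignment.
let RoleAssignments = datatable(RoleAssignmentTime: datetime, OperationName: string, user: string) [
    datetime(2024-01-01 08:00:00), "Create role assignment", "user1@contoso.com",
    datetime(2024-01-01 10:05:00), "Create role assignment", "user2@contoso.com",
    datetime(2024-01-01 11:05:00), "Create role assignment", "user2@contoso.com",
    // Not in the exam scenario: the newly created user6 assigns a role itself.
    datetime(2024-01-01 12:30:00), "Create role assignment", "user6@contoso.com"
];
AddedUsers
// No 'kind=' given, so the join kind is innerunique: a row is returned only
// when the same 'user' value exists on BOTH sides.
| join (RoleAssignments) on user
// The join output carries the right-hand key as a second column named 'user1'.
// project-away drops that COLUMN; it does not filter out any rows.
| project-away user1
// Result: exactly one row, for user6@contoso.com, with columns
// AddedTime, user, RoleAssignmentTime, OperationName.
// Rows for user3, user4 and user5 are absent because none of them appears
// as a caller; rows for user1 and user2 are absent because neither was created.
```

Removing the `project-away` line returns the same single row with an additional `user1` column, which shows that the operator changes the column set only.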