
SC-200 Exam - Question 173


HOTSPOT


You have a Microsoft 365 E5 subscription that contains two users named User1 and User2.

You have the hunting query shown in the following exhibit.

The users perform the following actions:

• User1 assigns User2 the Global administrator role.

• User1 creates a new user named User3 and assigns the user a Microsoft Teams license.

• User2 creates a new user named User4 and assigns the user the Security reader role.

• User2 creates a new user named User5 and assigns the user the Security operator role.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Correct Answer:

Discussion

17 comments
estyj
Jan 3, 2024

NNY Actions of User1 is project-away will be excluded from results. Only actions of user2 will be shown. https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/projectawayoperator

ACSC
Jan 22, 2023

Answer is correct.

danb67
Oct 15, 2023

It really isn't

pupugaga
Nov 16, 2023

N/N/Y for me, there's project-away at the end so the first 2 are actioned by user 1 so not visible, and the last one is actioned by user 2 so therefore visible.

teouba
Apr 23, 2023

This query doesn't make any sense at all. In our example, the first part of the query checks for "Add User" operation and returns a table with a "User" column where the values will be User3, User4 and User5 since it looks for "TargetResources". The second part of the query checks for "Role Assignment" operation and returns a table with a "User" column where the values will be User1, User1, User2, User2 since it looks for "Caller" (meaning the user who performed the role assignment). So the values of the "User" column are totally different for these 2 tables, so JOIN should not return any result. This query is wrong.

dalancoburn
May 31, 2023

I agree. However I don't agree that the query is wrong, I just think the answer should be NNN

Frankie21
Oct 4, 2023

I totally agree! Besides that, the azureactivity table is not registering role assignments. That is done in the auditing table!

danlo
Nov 9, 2023

AzureActivity shows role assignment here: https://learn.microsoft.com/en-us/azure/role-based-access-control/change-history-report

herta
Jan 31, 2023

Answer is correct. AuditLogs | where OperationName == "Add user" // show all newly created users; this part will identify creation of user 3 and user 5. Assignment of user 2 by user 1 won't be displayed because of "project-away user1".

wsrudmen
Mar 1, 2023

project-away is only for column name

7c0a
Jun 26, 2023

join kind is not defined so it's a default one - innerunique (All deduplicated rows from the left table that match rows from the right table) https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/joinoperator?pivots=azuredataexplorer
N - no match in the first table AuditLogs
N - Adding license is not a Role assignment, no match in the second table - AzureActivity
Y - present in both tables, query returns result

danb67
Oct 14, 2023

It's N/N/N. Why would user two be present in both tables? The 1st part of the query is looking for target resource. Therefore User5 would exist in the 1st table. The 2nd part of the query is looking for the caller (the person that did the assignment) and that would be user 2. So neither user 2 nor user 5 exists in both tables. Therefore using innerunique would not produce a result as there needs to be a match in both tables. Tested in a lab also.

davidli
Nov 1, 2023

danb67's explanation is clear and promising. I agree with you.

donathon
Aug 14, 2023

NNY for me

donathon
Sep 1, 2023

Project-Away: Select what columns from the input table to exclude from the output table. > This would mean User1's actions would not be shown.

Bjing
Mar 16, 2024

Project-away will remove the column named user1, it will not remove the record done by user1

chepeerick
Oct 17, 2023

No, No, Yes

DChilds
Apr 16, 2024

First part of the query looks for Add user events in AuditLogs, second part of the query looks for "Create role assignment" events in AzureActivity and third part joins both searches so both parts need to match for the final search result.
No - The query is intended to search for user creation events with role assignment, this does not match that.
No - Matches first part of the query but not the second. User is assigned a Microsoft Teams license which is not a role.
Yes - A new user is created and assigned the Security Operator role which matches both parts of the query.

Fcnet
Jan 26, 2023

Not sure about the impact of the project-away operator, if it is just view or impact result https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/projectawayoperator

Fcnet
Jan 26, 2023

With operator project-away the query result won't show anything for User1 so the answer should be N,N,Y

bryangacusana21
Jan 29, 2023

I agree with this.

ACSC
Jan 29, 2023

I don't think so. In the second statement, the TargetResources.UserPrincipalName is user3, not user1. https://learn.microsoft.com/en-us/azure/sentinel/get-visibility#new-workbook-examples You might want to create a query that incorporates data from multiple sources. You can create a query that looks at Azure Active Directory audit logs for new users that were just created, and then checks your Azure logs to see if the user started making role assignment changes within 24 hours of creation.

wsrudmen
Mar 1, 2023

Explanation of the request with this link https://learn.microsoft.com/fr-fr/azure/sentinel/get-visibility

botesjuan
May 19, 2023

is MS teams license assignment to user3 going to be detected by this part of query? | where OperationName == “Create role assignment”

danb67
Aug 3, 2023

Teouba is correct. I just recreated this scenario in a lab. This question is to test your knowledge of Join kinds imo. If you run this command with innerunique which is the default if no join kind is chosen then we do not get any results as different users are returned for each table. Innerunique will show us only results if we have duplicate rows from the left and the right table. In this case we don't. If we chose another Join kind then results will show. If the screenshot is correct then we assume it's using innerunique and in that case the answer would be N N N

Frankie21
Oct 4, 2023

Roles assignments are not registered in the Azureactivity table but in the auditing table. Therefore 3 times no!!!

danb67
Oct 15, 2023

In order for this to produce results then a user would have to appear in both tables as we are using innerunique(default join kind) Since the 1st part of the query is looking for target resource (the user that was created) and the 2nd part of the query is looking for caller (the user that did the action) Then the only time we would get a hit is if a user that had just been created then performed the add operation. Is this not what this query is looking for? To see if a new user account starts messing with roles/group membership? In this given example none of the newly created users then does and messes with group/roles so no hits here and I double down on N/N/N

danlo
Nov 9, 2023

correct, the query is looking for a new user creation event then if the same user did a role assignment. It's a very niche query the answer should be N/N/N

chepeerick
Oct 28, 2023

Correct
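
Added example, not part of any comment or of the exam page: the exhibit is not reproduced here, so this KQL follows the query as the commenters describe it, run over datatable rows for the four actions in the question. It shows which column each side of the join uses as its key and what project-away user1 removes. The lowercase column name user, the sample table names, the timestamps and the contoso.com UPNs are constructed assumptions, as is the premise that every role assignment is logged with Caller set to the assigning user.

```kusto
// Constructed sample rows for the actions in the question (not real tenant data).
let AuditLogsSample = datatable(TimeGenerated:datetime, OperationName:string, TargetUpn:string)
[
    datetime(2024-01-01 09:10), "Add user", "user3@contoso.com",   // created by User1
    datetime(2024-01-01 09:20), "Add user", "user4@contoso.com",   // created by User2
    datetime(2024-01-01 09:30), "Add user", "user5@contoso.com"    // created by User2
];
// Assumption, following the thread: each role assignment is logged with Caller = the assigner.
// The Teams licence given to User3 is not a role assignment, so it adds no row here.
let AzureActivitySample = datatable(TimeGenerated:datetime, OperationName:string, Caller:string)
[
    datetime(2024-01-01 09:00), "Create role assignment", "user1@contoso.com",  // Global administrator -> User2
    datetime(2024-01-01 09:21), "Create role assignment", "user2@contoso.com",  // Security reader -> User4
    datetime(2024-01-01 09:31), "Create role assignment", "user2@contoso.com"   // Security operator -> User5
    // Hypothetical extra row: uncomment to make the newly created User4 a caller as well.
    // , datetime(2024-01-01 09:40), "Create role assignment", "user4@contoso.com"
];
AuditLogsSample
| where OperationName == "Add user"
| project AddedTime = TimeGenerated, user = TargetUpn        // left key: the account that was created
| join (
    AzureActivitySample
    | where OperationName == "Create role assignment"
    | project OperationName, RoleAssignmentTime = TimeGenerated, user = Caller  // right key: the account that acted
  ) on user                                                   // no kind given, so the default innerunique applies
| project-away user1   // drops the right-hand copy of the key column, which join names user1; it filters no rows
// Left keys: user3, user4, user5. Right keys: user1, user2.
```

With the rows as written, no user value appears on both sides of the join, so the inner join has nothing to match. A match needs a newly created account to appear as a Caller, which is what the commented-out row supplies.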

jacobtriestech
Jul 15, 2024

The query will identify the role assignment of User2: No
The query will identify the creation of User3: Yes
The query will identify the creation of User5: Yes