Exam SC-200
Question 176

HOTSPOT


You have a Microsoft Sentinel workspace that has User and Entity Behavior Analytics (UEBA) enabled.

You need to identify all the log entries that relate to security-sensitive user actions performed on a server named Server1. The solution must meet the following requirements:

• Only include security-sensitive actions by users that are NOT members of the IT department.

• Minimize the number of false positives.

How should you complete the query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.
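One way to write the full query the question describes, as an added example (not the exam's answer key and not code from the linked Microsoft page), modeled on the IdentityInfo join pattern in the Microsoft Sentinel UEBA documentation. The choice of Event IDs 4624 and 4672 as "security-sensitive", the exact Computer value for Server1, the 7-day window and the department string "IT" are assumptions made for illustration:

```kql
// Added example: security-sensitive logons on Server1 by users outside the IT department.
// Pattern follows the Sentinel UEBA docs (join to IdentityInfo); the EventIDs, the
// Computer value, the time window and the "IT" string are assumptions for illustration.
let sensitiveEvents = dynamic([4624, 4672]); // 4624 = account logon, 4672 = special privileges assigned (admin-equivalent logon)
SecurityEvent
| where TimeGenerated > ago(7d)
// Computer may be recorded as NetBIOS name or FQDN depending on the agent
| where Computer =~ "Server1" or Computer startswith "Server1."
| where EventID in (sensitiveEvents)
| join kind=inner (
    // Keep only the latest IdentityInfo snapshot per account, so one logon cannot
    // fan out into several rows joined against stale copies of the same identity
    IdentityInfo
    | summarize arg_max(TimeGenerated, *) by AccountObjectId
    | project AccountSID, AccountUPN, AccountDisplayName, Department, GroupMembership
) on $left.SubjectUserSid == $right.AccountSID
// Case-insensitive "not IT"; rows with an empty Department also pass this filter
| where Department !~ "IT"
| project TimeGenerated, Computer, EventID, Activity, SubjectUserName, AccountUPN, Department, LogonType, IpAddress
```

The inner join is what keeps the false-positive count down: logons by built-in principals (SYSTEM, service SIDs) and accounts with no IdentityInfo record have no matching AccountSID and are dropped rather than reported as "non-IT", and the arg_max step stops a single event from appearing once per historical IdentityInfo row. Two checks worth running before trusting the output: confirm that Department is actually populated for the users you expect to exclude (an empty Department passes the filter and shows up as a non-IT user), and, if UEBA's own BehaviorAnalytics table is used as the left side instead of SecurityEvent, join on $left.UserPrincipalName == $right.AccountUPN, since that table carries a UPN rather than a SID.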

    Correct Answer:

Discussion
ACSC

Answer is: Join kind = inner, IdentityInfo https://learn.microsoft.com/en-us/azure/sentinel/investigate-with-ueba#embed-identityinfo-data-in-your-analytics-rules-public-preview

tirajvid

Thanks. Correct answer

DaraVasu

Answer is Join kind = inner, IdentityInfo. Found this in Microsoft documentation.

donathon

SecurityEvent
| where EventID in ("4624","4672")
| where Computer == "My.High.Value.Asset"
| join kind=inner (
    IdentityInfo
    | summarize arg_max(TimeGenerated, *) by AccountObjectId
) on $left.SubjectUserSid == $right.AccountSID
| where Department != "IT"

Kurdd

To correlate Microsoft Entra sign-in logs with the IdentityInfo table in an alert that's triggered if an application is accessed by someone who isn't a member of a specific security group:

SigninLogs
| where AppDisplayName == "GithHub.Com"
| join kind=inner (
    IdentityInfo
    | summarize arg_max(TimeGenerated, *) by AccountObjectId
) on $left.UserId == $right.AccountObjectId
| where GroupMembership !contains "Developers"

https://learn.microsoft.com/en-us/azure/sentinel/investigate-with-ueba#embed-identityinfo-data-in-your-analytics-rules-public-preview

devop23

BehaviorAnalytics doesn't have a Department field, so I'd have to say the answer is wrong.

7d801bf

Answer is join kind = inner and IdentityInfo.

DChilds

Correct on the table to be queried, because the IdentityInfo table only gives us information about the accounts and not UEBA events; however, to match the two tables (the users-not-in-IT-group table with the security-sensitive actions defined in UEBA), join kind = inner is the join type to use. join kind = inner, BehaviorAnalytics

chepeerick

Correct Option