Exam SC-200
Question 7

HOTSPOT -

You have a Microsoft 365 E5 subscription.

You plan to perform cross-domain investigations by using Microsoft 365 Defender.

You need to create an advanced hunting query to identify devices affected by a malicious email attachment.

How should you complete the query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Reference:

https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-query-emails-devices?view=o365-worldwide
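The sender-based hunt behind this question, as an added example that is neither the exam's answer nor the query from the linked reference: it joins EmailAttachmentInfo to DeviceFileEvents on the attachment hash and then collapses the result to one row per affected device. The inner project keeps DeviceId and DeviceName so the later stages can reference them; the sender address is a placeholder, and the column names assumed are those of the Microsoft 365 Defender advanced hunting schema.

```kql
// Added example, not the question's or the docs' query.
// Placeholder sender address; replace with the sender under investigation.
let malicious_sender = "MaliciousSender@example.com";
EmailAttachmentInfo
// Emails from the sender that carry an attachment identified by a SHA-256
| where SenderFromAddress =~ malicious_sender
| where isnotempty(SHA256)
| project NetworkMessageId, SenderFromAddress, RecipientEmailAddress,
          AttachmentName = FileName, SHA256
// Device-side file activity for the same hashes; DeviceId and DeviceName
// must survive this inner project or the outer stages cannot reference them
| join kind=inner (
    DeviceFileEvents
    | where isnotempty(SHA256)
    | project Timestamp, DeviceId, DeviceName, ActionType, FolderPath, SHA256
) on SHA256
// One row per device and attachment: first/last sighting, what happened, who received it
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Events = count(), Actions = make_set(ActionType),
            Recipients = make_set(RecipientEmailAddress)
    by DeviceId, DeviceName, SHA256, AttachmentName
| order by FirstSeen asc
```

The summarize stage is what turns the raw join into a device list for triage; drop it to get back the per-event rows the documented query returns.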

Discussion
teehex

    EmailAttachmentInfo
    | where SenderFromAddress =~ "MaliciousSender@example.com"
    //Get emails with attachments identified by a SHA-256
    | where isnotempty(SHA256)
    | join (
        //Check devices for any activity involving the attachments
        DeviceFileEvents
        | project FileName, SHA256
    ) on SHA256
    | project Timestamp, FileName, SHA256, DeviceName, DeviceId, NetworkMessageId, SenderFromAddress, RecipientEmailAddress

Already posted here: https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide#check-if-files-from-a-known-malicious-sender-are-on-your-devices

JoeP1

On that web site the current version has "| project FileName, SHA256, DeviceName, DeviceId" with both DeviceName and DeviceId on that line. Without DeviceName and DeviceId explicitly listed it should probably be Extend on that line, with the full set of answers: Join, Extend, Project.

PJR

The query posted on MS docs doesn't actually work (I have tested in a live tenant) - it needs to be amended to match the below before it returns results (note the requirement to add the DeviceName and DeviceId fields to the first project statement).

    EmailAttachmentInfo
    | where SenderFromAddress =~ "mcasdemo@juno.com"
    | where isnotempty(SHA256)
    | join (
        DeviceFileEvents
        | project FileName, SHA256, DeviceName, DeviceId
    ) on SHA256
    | project Timestamp, FileName, SHA256, DeviceName, DeviceId, NetworkMessageId, SenderFromAddress, RecipientEmailAddress

But if you choose the following from the answers presented in the question you will get the results you need to answer the question:

    EmailAttachmentInfo
    | where SenderFromAddress =~ "mcasdemo@juno.com"
    | where isnotempty(SHA256)
    | join (
        DeviceFileEvents
        | extend FileName, SHA256
    ) on SHA256
    | project Timestamp, FileName, SHA256, DeviceName, DeviceId, NetworkMessageId, SenderFromAddress, RecipientEmailAddress

i.e. choose Join, Extend, Project from the drop-downs. This has also been tested on live tenants and returns the correct result.

DigitalNomad

You are correct, I have tested it. The query in the docs is correct as it contains DeviceName, DeviceId, but the one in the exam question is missing DeviceName, DeviceId, so the answer should be Join, Extend, Project as you mentioned. But in case the real exam question has DeviceName, DeviceId, then Join, Project, Project can be a correct answer, like the example in the docs.

Contactfornitish

Well! The Extend operator is for calculated columns and would be followed by a custom variable name and an equals sign (something akin to let, but in the context of a table). Doesn't make sense to use the same in a join context. https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/extendoperator

Contactfornitish

Refer to topic 1 question 17 on examtopics itself for a differently worded but the same query.

arcausbd

Microsoft's documentation is correct, but in the above question DeviceName, DeviceId are missing. As per Microsoft's documentation the Kusto query should be:

    EmailAttachmentInfo
    | where SenderFromAddress =~ "MaliciousSender@example.com"
    //Get emails with attachments identified by a SHA-256
    | where isnotempty(SHA256)
    | join (
        //Check devices for any activity involving the attachments
        DeviceFileEvents
        | project FileName, SHA256, DeviceName, DeviceId
    ) on SHA256
    | project Timestamp, FileName, SHA256, DeviceName, DeviceId, NetworkMessageId, SenderFromAddress, RecipientEmailAddress

Link: https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide#:~:text=Check%20if%20files%20from%20a%20known%20malicious%20sender%20are%20on%20your%20devices

ahbon974

On exam today (29/06/23)

imhere4you

On exam 19/06/2023

Lucius_Wayne

What was the answer mate, pls tell. I have the exam in 5 hours lol

Ndaiga

In Exam 31st May 2023

altecer

On exam 2-11-2023

RobertDuval

In Exam today (21 April 2023)

ae88d96

The answer provided is correct. It is also mentioned here https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide#check-if-files-from-a-known-malicious-sender-are-on-your-devices

billo79152718

join extend project

donathon

Join, Project, Project

scfitzp

You have to use join, EXTEND, project. If you use join, project, project you get the following error: "'project' operator: Failed to resolve scalar expression named 'DeviceName'"

4b097e5

The given answer is correct, as you can project anything, and it doesn't matter that the question doesn't have DeviceName and DeviceId in it compared to the Microsoft docs. The answer should still remain the same: Join, Project, Project.

emartiy

When you read this KQL hunting query carefully: first you get EmailAttachmentInfo based on some filters, and then add the second column by using the Join operator (check this syntax and you will see it is clearly "Join"); the other 2 are Project. You return selected entities of the event table log to merge all into a table (output). I will choose Join, Project, Project for my exam if I see this question in the exam :)

emartiy

The first column of the "Join" operator is EmailAttachmentInfo and the second column is DeviceFileEvents. So join is the first selection, and the other 2 only get specific entities from the log table (FileName, Timestamp, RecipientEmailAddress, etc.).

Harryd82

Join, Extend, Project.

0610fcd

    EmailAttachmentInfo
    | where SenderFromAddress =~ "MaliciousSender@example.com"
    //Get emails with attachments identified by a SHA-256
    | where isnotempty(SHA256)
    | join (
        //Check devices for any activity involving the attachments
        DeviceFileEvents
        | project FileName, SHA256, DeviceName, DeviceId
    ) on SHA256
    | project Timestamp, FileName, SHA256, DeviceName, DeviceId, NetworkMessageId, SenderFromAddress, RecipientEmailAddress

KTM_999

Check if files from a known malicious sender are on your devices:

    EmailAttachmentInfo
    | where SenderFromAddress =~ "MaliciousSender@example.com"
    //Get emails with attachments identified by a SHA-256
    | where isnotempty(SHA256)
    | join (
        //Check devices for any activity involving the attachments
        DeviceFileEvents
        | project FileName, SHA256, DeviceName, DeviceId
    ) on SHA256
    | project Timestamp, FileName, SHA256, DeviceName, DeviceId, NetworkMessageId, SenderFromAddress, RecipientEmailAddress

https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide#check-if-files-from-a-known-malicious-sender-are-on-your-devices

smanzana

join-extend-project -> for the answer presented on ExamTopics, or join-project-project -> if the answer were "join ( DeviceFileEvents | project FileName, SHA256, DeviceName, DeviceId ) on SHA256", i.e. including "DeviceName" and "DeviceId".

mb0812

It's wrong. extend keyword usage includes '='.