SC-200 Exam - Question 336

Question

HOTSPOT-You have a Microsoft Sentinel workspace. You plan to visualize data from Microsoft SharePoint Online and OneDrive sites. You need to create a KQL query for the visual. The solution must meet the following requirements:•	Select all workloads as a single operation. •	Include two parameters named Operations and Users. •	In the results, exclude empty values for the site URLs. How should you complete the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Examice · Accepted Answer

.

DChilds · Answer

Second option should be where SiteUrl !="

g_man_rap · Answer

OfficeActivity
| where Operation in ((Operations))
| where OfficeWorkload in ('OneDrive', 'SharePoint')
| where SiteUrl != " "
| summarize Number = count() by Site_Url, UserId, Operation, TimeGenerated

First Dropdown: where Operation in ((Operations))
Second Dropdown: where SiteUrl != " "

MqQuintana · Answer

The project statement gums up the sumarize

VeiN · Answer

There is a similar case under. I think this is badly copied, and "AH" is "All"
OfficeActivity
| where OfficeWorkload in ('OneDrive', 'SharePoint')
| where '{Operations:lable}'=='All' or Operation in ({Operations})

using {} will enable to select/write entries in workbook that will be used in the query

| where SiteUrl != " "  => OK

Optimizor_IT · Answer

Operations filter: | where Operation in ({Operations})
Site URL filter: | where SiteUrl != " (with the caveat that it should be | where isnotempty(Site_Url) or | where Site_Url != "" for correctness)

SC-200 Exam - Question 336

Discussion